Data Source: AWS GuardDuty

AWS GuardDuty Member Account Manipulation

Feb 17, 2026 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS GuardDuty Tactic: Defense Evasion Resources: Investigation Guide ·
Share on:

Detects attempts to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization. In multi-account GuardDuty deployments, a delegated administrator account aggregates findings from member accounts. Adversaries may attempt to disassociate member accounts, delete member relationships, stop monitoring members, or delete pending invitations to break this centralized visibility. These actions can be precursors to or alternatives for deleting GuardDuty detectors entirely, allowing attackers to operate undetected in member accounts while the administrator account loses visibility. This rule identifies successful API calls that manipulate GuardDuty member relationships, which are rare in normal operations and warrant immediate investigation.

Read More
AWS GuardDuty Detector Deletion

Jan 22, 2026 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS GuardDuty Tactic: Defense Evasion Resources: Investigation Guide ·
Share on:

Detects the deletion of an Amazon GuardDuty detector. GuardDuty provides continuous monitoring for malicious or unauthorized activity across AWS accounts. Deleting the detector disables this visibility, stopping all threat detection and removing existing findings. Adversaries may delete GuardDuty detectors to impair security monitoring and evade detection during or after an intrusion. This rule identifies successful "DeleteDetector" API calls and can indicate a deliberate defense evasion attempt.

Read More

AWS GuardDuty Member Account Manipulation

AWS GuardDuty Detector Deletion