Merge PR #5536 from @suKTech24 - Add AWS GuardDuty Detector Deleted Or Updated
new: AWS GuardDuty Detector Deleted Or Updated

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
@@ -0,0 +1,47 @@
title: AWS GuardDuty Detector Deleted Or Updated
id: d2656e78-c069-4571-8220-9e0ab5913f19
status: experimental
description: |
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
references:
- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
- https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
- https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
- https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
- https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
- https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
- https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
- https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
- https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
author: suktech24
date: 2025-11-27
tags:
- attack.defense-evasion
- attack.t1562.001
- attack.t1562.008
logsource:
product: aws
service: cloudtrail
detection:
selection_event_source:
eventSource: 'guardduty.amazonaws.com'
selection_action_delete:
eventName: 'DeleteDetector'
selection_action_update:
eventName: 'UpdateDetector'
requestParameters.enable: 'false'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
falsepositives:
- Legitimate detector deletion by an admin (e.g., during account decommissioning).
- Temporary disablement for troubleshooting (verify via change management tickets).
- Automated deployment tools (e.g. Terraform) managing GuardDuty state.
level: high
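Review bot: in `selection_action_update`, `requestParameters.enable: 'false'` is a quoted string, but the UpdateDetector API referenced above takes `enable` as a boolean, so backends that compare types strictly may never match the disable event; consider the unquoted YAML boolean `false`, or document why the string form is intended. The two status selections, `errorCode: 'Success'` and `errorCode: null`, express one success condition in two representations with no comment on why both are needed (in particular whether an absent `errorCode` field is expected to satisfy the `null` selection); a short note would help maintainers. The Atomic Red Team reference `.../atomics/T156001#atomic-test-46...` looks malformed next to the `attack.t1562.001` tag and should be checked before merge.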