diff --git a/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml b/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml
new file mode 100644
index 000000000..fcabf82f4
--- /dev/null
+++ b/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml
@@ -0,0 +1,167 @@
+[metadata]
+creation_date = "2026/02/05"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2026/02/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects attempts to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization. In
+multi-account GuardDuty deployments, a delegated administrator account aggregates findings from member accounts.
+Adversaries may attempt to disassociate member accounts, delete member relationships, stop monitoring members, or delete
+pending invitations to break this centralized visibility. These actions can be precursors to or alternatives for
+deleting GuardDuty detectors entirely, allowing attackers to operate undetected in member accounts while the
+administrator account loses visibility. This rule identifies successful API calls that manipulate GuardDuty member
+relationships, which are rare in normal operations and warrant immediate investigation.
+"""
+false_positives = [
+ """
+ GuardDuty member relationships may be modified during legitimate organizational changes such as account migrations,
+ security architecture restructuring, or delegated administrator transitions. Verify whether the user identity and
+ timing align with approved change management processes. If this is expected administrative activity, it can be
+ exempted from the rule.
+ """,
+]
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS GuardDuty Member Account Manipulation"
+note = """## Triage and analysis
+
+### Investigating AWS GuardDuty Member Account Manipulation
+
+In AWS Organizations with GuardDuty enabled, a delegated administrator account receives and aggregates security findings from all member accounts. This centralized visibility is critical for detecting threats across the organization. Adversaries who compromise a member account may attempt to break this relationship to operate without triggering alerts visible to the security team.
+
+This rule detects several API actions that manipulate GuardDuty member relationships:
+- `DisassociateFromMasterAccount` / `DisassociateFromAdministratorAccount`: Member account breaks its connection to the administrator
+- `DeleteMembers`: Administrator removes member accounts from GuardDuty
+- `StopMonitoringMembers`: Administrator stops monitoring specific member accounts without fully removing them
+- `DeleteInvitations`: Member account deletes pending invitations, preventing association
+
+These actions are extremely rare in normal operations and can indicate either a compromised account or an attacker preparing to disable GuardDuty entirely.
+
+### Possible investigation steps
+
+- **Identify the actor**
+ - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` to determine who performed the action.
+ - Determine whether the action originated from a member account (disassociation) or the administrator account (deletion/stop monitoring).
+
+- **Review request context**
+ - Check `aws.cloudtrail.request_parameters` to identify which member accounts were affected.
+ - Determine the scope: single account or multiple accounts targeted.
+
+- **Analyze source and access patterns**
+ - Review `source.ip` and `user_agent.original` for anomalous access patterns.
+ - Check if the action occurred outside normal business hours or maintenance windows.
+
+- **Correlate with related activity**
+ - Search for subsequent `DeleteDetector` API calls in the affected member accounts.
+ - Look for other defense evasion indicators: CloudTrail modifications, Config rule deletions, Security Hub changes.
+ - Check for privilege escalation or credential access events preceding this action.
+
+- **Verify business justification**
+ - Confirm with the identified user or team whether there was a legitimate organizational change.
+ - Check for related change tickets or migration documentation.
+
+### False positive analysis
+
+- **Organizational restructuring**
+ - Member relationships may change during account migrations or delegated administrator transitions.
+ - Validate against documented organizational changes.
+
+- **Account decommissioning**
+ - Accounts being retired may be removed from GuardDuty before closure.
+ - Confirm this aligns with account lifecycle management processes.
+
+### Response and remediation
+
+- **Immediate containment**
+ - If unauthorized, immediately re-associate the affected member accounts with the administrator.
+ - For `StopMonitoringMembers`, use `StartMonitoringMembers` to restore visibility.
+
+- **Investigation**
+ - Audit the affected member accounts for suspicious activity during the visibility gap.
+ - Review CloudTrail for any actions taken while GuardDuty monitoring was disrupted.
+
+- **Hardening**
+ - Restrict `guardduty:DisassociateFromAdministratorAccount`, `guardduty:DeleteMembers`, and related permissions.
+ - Use SCPs to prevent member accounts from disassociating from GuardDuty administrators.
+ - Implement Security Hub controls to detect changes to GuardDuty organization configuration.
+
+### Additional information
+- **[AWS GuardDuty Multi-Account Documentation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html)**
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
+"""
+references = [
+ "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateFromAdministratorAccount.html",
+ "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html",
+ "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StopMonitoringMembers.html",
+ "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html",
+ "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
+]
+risk_score = 47
+rule_id = "3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS GuardDuty",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+ and event.provider: "guardduty.amazonaws.com"
+ and event.action: (
+ "DisassociateFromAdministratorAccount" or
+ "DeleteMembers" or
+ "StopMonitoringMembers" or
+ "DeleteInvitations" or
+ "DisassociateMembers"
+ )
+ and event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements",
+]
+
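Review bot: The `event.action` list in `query` does not include `DisassociateFromMasterAccount`, yet the investigation guide's first bullet names it alongside `DisassociateFromAdministratorAccount` as an action this rule detects; CloudTrail records the API name actually invoked, so a call made under the older name would break the administrator relationship without producing an alert. Adding `"DisassociateFromMasterAccount" or` as another line inside the parenthesised `event.action` group closes that gap and makes the query match the guide. The reverse inconsistency also exists: `DisassociateMembers` is in the query but absent from the guide's bullet list, so the note should gain a bullet for it (presumably the administrator-side counterpart of the member-initiated disassociation — worth confirming against the API reference before wording it). Minor style point: the three blank lines before `[rule.threat.tactic]` and the two after the closing `'''` of `query` are inconsistent with the single blank line used between the other sections.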