From 386c8f7e7a4d6cb145ebb7534c61406a1e1c8aae Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Tue, 17 Feb 2026 16:32:20 -0500
Subject: [PATCH] [New Rule] AWS GuardDuty Member Account Manipulation (#5688)

* [New Rule] AWS GuardDuty Member Account Manipulation

Detects attempts to manipulate GuardDuty member account relationships within AWS Organizations. This includes actions like `DisassociateFromAdministratorAccount`, `DeleteMembers`, `StopMonitoringMembers`, and `DeleteInvitations` that break centralized security visibility. These actions are often precursors to or alternatives for fully deleting GuardDuty detectors, allowing adversaries to operate undetected in member accounts. The idea for this rule was inspired by defense evasion techniques highlighted in Permiso's research on Scattered Spider, and expanded to include other relevant API calls that could be abused for the same purpose.

Existing Related Coverage: We already detect `DeleteDetector` via defense_evasion_guardduty_detector_deletion.toml. This new rule complements that coverage by catching the manipulation of GuardDuty member relationships, actions that break org-level visibility without requiring full detector deletion.

* toml file name change

* Apply suggestions from code review

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---
 ...evasion_guardduty_member_manipulation.toml | 167 ++++++++++++++++++
 1 file changed, 167 insertions(+)
 create mode 100644 rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml

diff --git a/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml b/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml
new file mode 100644
index 000000000..fcabf82f4
--- /dev/null
+++ b/rules/integrations/aws/defense_evasion_guardduty_member_manipulation.toml
@@ -0,0 +1,167 @@
+[metadata]
+creation_date = "2026/02/05"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2026/02/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects attempts to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization. In
+multi-account GuardDuty deployments, a delegated administrator account aggregates findings from member accounts.
+Adversaries may attempt to disassociate member accounts, delete member relationships, stop monitoring members, or delete
+pending invitations to break this centralized visibility. These actions can be precursors to or alternatives for
+deleting GuardDuty detectors entirely, allowing attackers to operate undetected in member accounts while the
+administrator account loses visibility. This rule identifies successful API calls that manipulate GuardDuty member
+relationships, which are rare in normal operations and warrant immediate investigation.
+"""
+false_positives = [
+    """
+    GuardDuty member relationships may be modified during legitimate organizational changes such as account migrations,
+    security architecture restructuring, or delegated administrator transitions. Verify whether the user identity and
+    timing align with approved change management processes. If this is expected administrative activity, it can be
+    exempted from the rule.
+    """,
+]
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS GuardDuty Member Account Manipulation"
+note = """## Triage and analysis
+
+### Investigating AWS GuardDuty Member Account Manipulation
+
+In AWS Organizations with GuardDuty enabled, a delegated administrator account receives and aggregates security findings from all member accounts. This centralized visibility is critical for detecting threats across the organization. Adversaries who compromise a member account may attempt to break this relationship to operate without triggering alerts visible to the security team.
+
+This rule detects several API actions that manipulate GuardDuty member relationships:
+- `DisassociateFromMasterAccount` / `DisassociateFromAdministratorAccount`: Member account breaks its connection to the administrator
+- `DeleteMembers`: Administrator removes member accounts from GuardDuty
+- `StopMonitoringMembers`: Administrator stops monitoring specific member accounts without fully removing them
+- `DeleteInvitations`: Member account deletes pending invitations, preventing association
+
+These actions are extremely rare in normal operations and can indicate either a compromised account or an attacker preparing to disable GuardDuty entirely.
+
+### Possible investigation steps
+
+- **Identify the actor**
+  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` to determine who performed the action.
+  - Determine whether the action originated from a member account (disassociation) or the administrator account (deletion/stop monitoring).
+
+- **Review request context**
+  - Check `aws.cloudtrail.request_parameters` to identify which member accounts were affected.
+  - Determine the scope: single account or multiple accounts targeted.
+
+- **Analyze source and access patterns**
+  - Review `source.ip` and `user_agent.original` for anomalous access patterns.
+  - Check if the action occurred outside normal business hours or maintenance windows.
+
+- **Correlate with related activity**
+  - Search for subsequent `DeleteDetector` API calls in the affected member accounts.
+  - Look for other defense evasion indicators: CloudTrail modifications, Config rule deletions, Security Hub changes.
+  - Check for privilege escalation or credential access events preceding this action.
+
+- **Verify business justification**
+  - Confirm with the identified user or team whether there was a legitimate organizational change.
+  - Check for related change tickets or migration documentation.
+
+### False positive analysis
+
+- **Organizational restructuring**
+  - Member relationships may change during account migrations or delegated administrator transitions.
+  - Validate against documented organizational changes.
+
+- **Account decommissioning**
+  - Accounts being retired may be removed from GuardDuty before closure.
+  - Confirm this aligns with account lifecycle management processes.
+
+### Response and remediation
+
+- **Immediate containment**
+  - If unauthorized, immediately re-associate the affected member accounts with the administrator.
+  - For `StopMonitoringMembers`, use `StartMonitoringMembers` to restore visibility.
+
+- **Investigation**
+  - Audit the affected member accounts for suspicious activity during the visibility gap.
+  - Review CloudTrail for any actions taken while GuardDuty monitoring was disrupted.
+
+- **Hardening**
+  - Restrict `guardduty:DisassociateFromAdministratorAccount`, `guardduty:DeleteMembers`, and related permissions.
+  - Use SCPs to prevent member accounts from disassociating from GuardDuty administrators.
+  - Implement Security Hub controls to detect changes to GuardDuty organization configuration.
+
+### Additional information
+- **[AWS GuardDuty Multi-Account Documentation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html)**
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
+"""
+references = [
+    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateFromAdministratorAccount.html",
+    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html",
+    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StopMonitoringMembers.html",
+    "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html",
+    "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
+]
+risk_score = 47
+rule_id = "3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS GuardDuty",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "guardduty.amazonaws.com"
+    and event.action: (
+        "DisassociateFromAdministratorAccount" or
+        "DeleteMembers" or
+        "StopMonitoringMembers" or
+        "DeleteInvitations" or
+        "DisassociateMembers"
+    )
+    and event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements",
+]
+