AWS GuardDuty Member Account Manipulation

Detects attempts to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization. In multi-account GuardDuty deployments, a delegated administrator account aggregates findings from member accounts. Adversaries may attempt to disassociate member accounts, delete member relationships, stop monitoring members, or delete pending invitations to break this centralized visibility. These actions can be precursors to or alternatives for deleting GuardDuty detectors entirely, allowing attackers to operate undetected in member accounts while the administrator account loses visibility. This rule identifies successful API calls that manipulate GuardDuty member relationships, which are rare in normal operations and warrant immediate investigation.

Rule type: query
Rule indices:

• filebeat-*
• logs-aws.cloudtrail-*

Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

• https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateFromAdministratorAccount.html
• https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html
• https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StopMonitoringMembers.html
• https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html
• https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud

Tags:

• Domain: Cloud
• Data Source: AWS
• Data Source: Amazon Web Services
• Data Source: AWS GuardDuty
• Tactic: Defense Evasion
• Resources: Investigation Guide

Version: 1
Rule authors:

• Elastic

Rule license: Elastic License v2

In AWS Organizations with GuardDuty enabled, a delegated administrator account receives and aggregates security findings from all member accounts. This centralized visibility is critical for detecting threats across the organization. Adversaries who compromise a member account may attempt to break this relationship to operate without triggering alerts visible to the security team.

This rule detects several API actions that manipulate GuardDuty member relationships:

• DisassociateFromMasterAccount / DisassociateFromAdministratorAccount: Member account breaks its connection to the administrator
• DeleteMembers: Administrator removes member accounts from GuardDuty
• StopMonitoringMembers: Administrator stops monitoring specific member accounts without fully removing them
• DeleteInvitations: Member account deletes pending invitations, preventing association

These actions are extremely rare in normal operations and can indicate either a compromised account or an attacker preparing to disable GuardDuty entirely.

• Identify the actor

  • Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.type to determine who performed the action.
  • Determine whether the action originated from a member account (disassociation) or the administrator account (deletion/stop monitoring).

• Review request context

  • Check aws.cloudtrail.request_parameters to identify which member accounts were affected.
  • Determine the scope: single account or multiple accounts targeted.

• Analyze source and access patterns

  • Review source.ip and user_agent.original for anomalous access patterns.
  • Check if the action occurred outside normal business hours or maintenance windows.

• Correlate with related activity

  • Search for subsequent DeleteDetector API calls in the affected member accounts.
  • Look for other defense evasion indicators: CloudTrail modifications, Config rule deletions, Security Hub changes.
  • Check for privilege escalation or credential access events preceding this action.

• Verify business justification

  • Confirm with the identified user or team whether there was a legitimate organizational change.
  • Check for related change tickets or migration documentation.

• Organizational restructuring

  • Member relationships may change during account migrations or delegated administrator transitions.
  • Validate against documented organizational changes.

• Account decommissioning

  • Accounts being retired may be removed from GuardDuty before closure.
  • Confirm this aligns with account lifecycle management processes.

• Immediate containment

  • If unauthorized, immediately re-associate the affected member accounts with the administrator.
  • For StopMonitoringMembers, use StartMonitoringMembers to restore visibility.

• Investigation

  • Audit the affected member accounts for suspicious activity during the visibility gap.
  • Review CloudTrail for any actions taken while GuardDuty monitoring was disrupted.

• Hardening

  • Restrict guardduty:DisassociateFromAdministratorAccount, guardduty:DeleteMembers, and related permissions.
  • Use SCPs to prevent member accounts from disassociating from GuardDuty administrators.
  • Implement Security Hub controls to detect changes to GuardDuty organization configuration.

• AWS GuardDuty Multi-Account Documentation
• AWS IR Playbooks
• AWS Customer Playbook Framework

event.dataset: "aws.cloudtrail"
    and event.provider: "guardduty.amazonaws.com"
    and event.action: (
        "DisassociateFromMasterAccount" or
        "DisassociateFromAdministratorAccount" or
        "DeleteMembers" or
        "StopMonitoringMembers" or
        "DeleteInvitations"
    )
    and event.outcome: "success"
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Defense Evasion
  • Id: TA0005
  • Reference URL: https://attack.mitre.org/tactics/TA0005/

• Technique:

  • Name: Impair Defenses
  • Id: T1562
  • Reference URL: https://attack.mitre.org/techniques/T1562/

• Sub Technique:

  • Name: Disable or Modify Tools
  • Id: T1562.001
  • Reference URL: https://attack.mitre.org/techniques/T1562/001/