AWS GuardDuty Member Account Manipulation

[metadata]
creation_date = "2026/02/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Detects attempts to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization. In
multi-account GuardDuty deployments, a delegated administrator account aggregates findings from member accounts.
Adversaries may attempt to disassociate member accounts, delete member relationships, stop monitoring members, or delete
pending invitations to break this centralized visibility. These actions can be precursors to or alternatives for
deleting GuardDuty detectors entirely, allowing attackers to operate undetected in member accounts while the
administrator account loses visibility. This rule identifies successful API calls that manipulate GuardDuty member
relationships, which are rare in normal operations and warrant immediate investigation.
"""
false_positives = [
    """
    GuardDuty member relationships may be modified during legitimate organizational changes such as account migrations,
    security architecture restructuring, or delegated administrator transitions. Verify whether the user identity and
    timing align with approved change management processes. If this is expected administrative activity, it can be
    exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS GuardDuty Member Account Manipulation"
note = """## Triage and analysis

### Investigating AWS GuardDuty Member Account Manipulation

In AWS Organizations with GuardDuty enabled, a delegated administrator account receives and aggregates security findings from all member accounts. This centralized visibility is critical for detecting threats across the organization. Adversaries who compromise a member account may attempt to break this relationship to operate without triggering alerts visible to the security team.

This rule detects several API actions that manipulate GuardDuty member relationships:
- `DisassociateFromMasterAccount` / `DisassociateFromAdministratorAccount`: Member account breaks its connection to the administrator
- `DeleteMembers`: Administrator removes member accounts from GuardDuty
- `StopMonitoringMembers`: Administrator stops monitoring specific member accounts without fully removing them
- `DeleteInvitations`: Member account deletes pending invitations, preventing association

These actions are extremely rare in normal operations and can indicate either a compromised account or an attacker preparing to disable GuardDuty entirely.

### Possible investigation steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` to determine who performed the action.
  - Determine whether the action originated from a member account (disassociation) or the administrator account (deletion/stop monitoring).

- **Review request context**
  - Check `aws.cloudtrail.request_parameters` to identify which member accounts were affected.
  - Determine the scope: single account or multiple accounts targeted.

- **Analyze source and access patterns**
  - Review `source.ip` and `user_agent.original` for anomalous access patterns.
  - Check if the action occurred outside normal business hours or maintenance windows.

- **Correlate with related activity**
  - Search for subsequent `DeleteDetector` API calls in the affected member accounts.
  - Look for other defense evasion indicators: CloudTrail modifications, Config rule deletions, Security Hub changes.
  - Check for privilege escalation or credential access events preceding this action.

- **Verify business justification**
  - Confirm with the identified user or team whether there was a legitimate organizational change.
  - Check for related change tickets or migration documentation.

### False positive analysis

- **Organizational restructuring**
  - Member relationships may change during account migrations or delegated administrator transitions.
  - Validate against documented organizational changes.

- **Account decommissioning**
  - Accounts being retired may be removed from GuardDuty before closure.
  - Confirm this aligns with account lifecycle management processes.

### Response and remediation

- **Immediate containment**
  - If unauthorized, immediately re-associate the affected member accounts with the administrator.
  - For `StopMonitoringMembers`, use `StartMonitoringMembers` to restore visibility.

- **Investigation**
  - Audit the affected member accounts for suspicious activity during the visibility gap.
  - Review CloudTrail for any actions taken while GuardDuty monitoring was disrupted.

- **Hardening**
  - Restrict `guardduty:DisassociateFromAdministratorAccount`, `guardduty:DeleteMembers`, and related permissions.
  - Use SCPs to prevent member accounts from disassociating from GuardDuty administrators.
  - Implement Security Hub controls to detect changes to GuardDuty organization configuration.

### Additional information
- **[AWS GuardDuty Multi-Account Documentation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html)**
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
"""
references = [
    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateFromAdministratorAccount.html",
    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html",
    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StopMonitoringMembers.html",
    "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html",
    "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
]
risk_score = 47
rule_id = "3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS GuardDuty",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "guardduty.amazonaws.com"
    and event.action: (
        "DisassociateFromAdministratorAccount" or
        "DeleteMembers" or
        "StopMonitoringMembers" or
        "DeleteInvitations" or
        "DisassociateMembers"
    )
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]