| Platform | Author | Date |
|---|---|---|
| aws | Mehmet Mert Surmeli | 2023-07-01 |
An adversary may attempt to disable GuardDuty to avoid detection. This is achieved by deleting the GuardDuty detectors.
| Name | Type | Description | Example |
|---|---|---|---|
| detectorid | str | ID of the GuardDuty detector to be disabled. | 12345 |
```shell
aws guardduty delete-detector --detector-id 12345
```
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
```
eventName:DeleteDetector AND eventSource:*.guardduty.amazonaws.com
```
```yaml
---
title: Disable GuardDuty
id: 9ca58c16-3ae1-44a4-981b-0e8bcd9e913b
status: experimental
author: Mehmet Mert Surmeli
date: 2023-07-01
description: An adversary may attempt to disable GuardDuty to avoid detection. This is achieved by deleting the GuardDuty Detectors.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.guardduty.amazonaws.com"
  events:
    - eventName: "DeleteDetector"
  condition: selection_source AND events
level: low
tags:
  - attack.T1562
```
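The same detection logic (`selection_source AND events`) applied directly to CloudTrail records, as an added example that is not part of the original page or the rule itself. The records are constructed sample data; note that CloudTrail writes GuardDuty calls with the bare host `guardduty.amazonaws.com`, so the matcher accepts that as well as the dotted pattern the rule spells out.

```python
import json

# Fields the Sigma rule keys on (from the page), plus the bare host CloudTrail
# records for GuardDuty API calls, so a missing dot does not hide events.
GUARDDUTY_SOURCE = "guardduty.amazonaws.com"
WATCHED_EVENTS = {"DeleteDetector"}

# Constructed CloudTrail records (sample data, not real logs): one detector
# deletion, one benign read-only call, and a deletion on an unrelated service.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-07-01T10:15:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeleteDetector", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"detectorId": "12345"}},
    {"eventTime": "2023-07-01T10:16:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "ListDetectors", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}},
    {"eventTime": "2023-07-01T10:17:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteDetector", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/other"}},
]})


def is_guardduty_source(event_source: str) -> bool:
    """Match the rule's eventSource selector '*.guardduty.amazonaws.com'.

    The literal pattern needs a dot before 'guardduty'; CloudTrail writes the
    bare host for GuardDuty calls, so both forms are accepted here.
    """
    return event_source == GUARDDUTY_SOURCE or event_source.endswith("." + GUARDDUTY_SOURCE)


def detect_guardduty_disable(cloudtrail_json: str) -> list:
    """Apply 'selection_source AND events' to each record; return enriched alerts."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if not is_guardduty_source(rec.get("eventSource", "")):
            continue
        if rec.get("eventName") not in WATCHED_EVENTS:
            continue
        alerts.append({
            "rule": "Disable GuardDuty",
            "attack": "T1562",
            "time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "detectorId": rec.get("requestParameters", {}).get("detectorId"),
            # A present errorCode means the deletion was denied but still attempted.
            "succeeded": "errorCode" not in rec,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_guardduty_disable(SAMPLE_CLOUDTRAIL):
        print(json.dumps(alert))
```

Denied attempts are kept as alerts because the actor still tried to blind GuardDuty; `succeeded` lets a triage step separate them.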