title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: test
description: Detects AWS Config Service disabling
references:
    - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'config.amazonaws.com'
        eventName:
            - 'DeleteDeliveryChannel'
            - 'StopConfigurationRecorder'
    condition: selection
falsepositives:
    - Valid change in AWS Config Service
level: high

title: AWS GuardDuty Detector Deleted Or Updated
id: d2656e78-c069-4571-8220-9e0ab5913f19
status: experimental
description: |
    Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
    Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
    Verify with the user identity that this activity is legitimate.
references:
    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
    - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
    - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
    - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
    - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
    - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
    - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
    - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
    - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
    - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
author: suktech24
date: 2025-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.t1685.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event_source:
        eventSource: 'guardduty.amazonaws.com'
    selection_action_delete:
        eventName: 'DeleteDetector'
    selection_action_update:
        eventName: 'UpdateDetector'
        requestParameters.enable: 'false'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
falsepositives:
    - Legitimate detector deletion by an admin (e.g., during account decommissioning).
    - Temporary disablement for troubleshooting (verify via change management tickets).
    - Automated deployment tools (e.g. Terraform) managing GuardDuty state.
level: high

title: AWS CloudTrail Important Change
id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
status: test
description: Detects disabling, deleting and updating of a Trail
references:
    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: cloudtrail.amazonaws.com
        eventName:
            - StopLogging
            - UpdateTrail
            - DeleteTrail
    condition: selection_source
falsepositives:
    - Valid change in a Trail
level: medium