AWS GuardDuty Detector Deleted Or Updated (d2656e78-c069-4571-8220-9e0ab5913f19)

Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | AWS GuardDuty Detector Deleted Or Updated (d2656e78-c069-4571-8220-9e0ab5913f19) | Sigma-Rules | 1 |
| AWS GuardDuty Detector Deleted Or Updated (d2656e78-c069-4571-8220-9e0ab5913f19) | Sigma-Rules | Disable or Modify Cloud Log - T1685.002 (34ff60a3-a3f8-42e4-bed0-af9a2cb563d7) | Attack Pattern | 1 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Disable or Modify Cloud Log - T1685.002 (34ff60a3-a3f8-42e4-bed0-af9a2cb563d7) | Attack Pattern | 2 |