# GuardDuty Tampering

## Overview

AWS GuardDuty is a **regional** threat detection service able to detect potentially malicious activity like connections from [Tor nodes, anomalous behavior, recon, privilege escalation, and more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html). Therefore, if detection can be disabled or otherwise compromised, an attacker can better stay hidden.

{% hint style="warning" %}
Tampering may be detected in CloudTrail logs if enabled.
{% endhint %}

{% hint style="info" %}
For defenders, review the actions below and restrict them, for example with a Service Control Policy (SCP).
{% endhint %}

***

## Tampering

### Service

| Action                                    | Description                                                                                                    |
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| `guardduty:CreateDetector`                | GuardDuty should be centrally managed and configured; do not allow unauthorized creation of detectors.         |
| `guardduty:DeleteDetector`                | Deletes the GuardDuty detector entirely, disabling all detections and visibility.                              |
| `guardduty:UpdateDetector`                | Modifies detector configuration, potentially weakening or disabling detection capabilities.                    |
| `guardduty:CreateFilter`                  | Creates suppression rules that can hide or auto-archive findings, reducing visibility into malicious activity. |
| `guardduty:DeleteFilter`                  | Removes suppression rules, potentially increasing noise and allowing attackers to blend in.                    |
| `guardduty:UpdateFilter`                  | Alters suppression rules to selectively hide or manipulate visibility of findings.                             |
| `guardduty:ArchiveFindings`               | Archives findings, allowing malicious activity to be hidden from active investigation.                         |
| `guardduty:CreateSampleFindings`          | Generates sample findings, increasing noise and potentially masking real threats.                              |
| `guardduty:UnarchiveFindings`             | Restores archived findings, potentially creating confusion or alert fatigue.                                   |
| `guardduty:UpdateFindingsFeedback`        | Changes findings feedback (e.g., marking as false positive), reducing trust and suppressing escalation.        |
| `guardduty:CreateIPSet`                   | Creates IP sets that influence detection logic; could be used to whitelist malicious IPs.                      |
| `guardduty:DeleteIPSet`                   | Removes IP sets, weakening detection coverage and reducing visibility.                                         |
| `guardduty:UpdateIPSet`                   | Modifies IP sets, potentially allowing attackers to evade detection.                                           |
| `guardduty:AcceptInvitation`              | Accepts an invitation to join another GuardDuty account, potentially enabling unauthorized control.            |
| `guardduty:DeclineInvitations`            | Declines invitations, preventing centralized monitoring and reducing visibility.                               |
| `guardduty:DeleteInvitations`             | Deletes invitations, disrupting onboarding into centralized GuardDuty management.                              |
| `guardduty:CreateMembers`                 | Adds member accounts, potentially introducing unauthorized or rogue accounts.                                  |
| `guardduty:DeleteMembers`                 | Removes member accounts, creating monitoring gaps and blind spots.                                             |
| `guardduty:DisassociateMembers`           | Disassociates member accounts, reducing centralized visibility and control.                                    |
| `guardduty:InviteMembers`                 | Sends invitations to accounts, potentially onboarding unauthorized entities.                                   |
| `guardduty:StartMonitoringMembers`        | Enables monitoring for members, which could be selectively manipulated.                                        |
| `guardduty:StopMonitoringMembers`         | Disables monitoring for members, creating visibility gaps and blind spots.                                     |
| `guardduty:DisassociateFromMasterAccount` | Breaks association with the administrator account, removing centralized security oversight.                    |
| `guardduty:CreatePublishingDestination`   | Creates a destination for findings export, potentially enabling data exfiltration or redirection.              |
| `guardduty:DeletePublishingDestination`   | Deletes export destinations, disrupting downstream monitoring and integrations.                                |
| `guardduty:UpdatePublishingDestination`   | Modifies export destinations, potentially redirecting or suppressing findings.                                 |
| `guardduty:TagResource`                   | Adds or modifies tags, potentially impacting automation or access control decisions.                           |
| `guardduty:UntagResource`                 | Removes tags, potentially bypassing tag-based controls or automation.                                          |
| `guardduty:CreateThreatIntelSet`          | Creates threat intelligence sets, which could be manipulated to allow malicious indicators.                    |
| `guardduty:DeleteThreatIntelSet`          | Deletes threat intelligence sets, reducing detection effectiveness.                                            |
| `guardduty:UpdateThreatIntelSet`          | Modifies threat intelligence sets, potentially poisoning or weakening detections.                              |

### Related Resources

#### S3 Bucket

Since GuardDuty findings can be exported to an S3 bucket (a publishing destination), the bucket itself must also be protected from modification or deletion.

| Action                            | Description                                                                                |
| --------------------------------- | ------------------------------------------------------------------------------------------ |
| `s3api:DeleteObject`              | Deletes objects in the bucket where logs are stored, effectively removing historical logs. |
| `s3api:DeleteBucket`              | Deletes the bucket containing logs, preventing storage of future logs.                     |
| `s3api:PutBucketPolicy`           | Updates the bucket policy to block the service from writing logs.                          |
| `s3api:PutLifecycleConfiguration` | Changes the bucket lifecycle to automatically delete logs, reducing historical visibility. |

#### IAM Role

GuardDuty relies on a service-linked IAM role, `AWSServiceRoleForAmazonGuardDuty`.

* The role is only assumable by the GuardDuty service, and you [cannot modify the trust policy of a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html).

| Action           | Description                                                                                                                                                                                                       |
| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `iam:DeleteRole` | Deleting the role would cause loss of logging. Note: the role cannot be deleted unless [all related GuardDuty resources are deleted first](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html). |

#### SNS Topic

GuardDuty findings can be delivered through an SNS topic; an attacker can delete or modify that topic to silence notifications.

| Action            | Description                                       |
| ----------------- | ------------------------------------------------- |
| `sns:DeleteTopic` | Deleting the SNS topic may disrupt delivery of finding notifications. |
| `sns:Unsubscribe` | Unsubscribing endpoints from the topic may disrupt delivery of finding notifications. |
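The CloudTrail detection side of the warning above, as an added example (not from the original page): map the actions in the tables on this page to their CloudTrail `eventSource`/`eventName` pairs and flag calls not made by an allowed admin role. The sample records and the `SecurityAdmin` role name are constructed assumptions; `DeleteObject` only appears in CloudTrail when S3 data events are logged for the bucket.

```python
import fnmatch

# CloudTrail eventSource -> eventName pairs matching the tampering actions on this page.
TAMPERING_EVENTS = {
    "guardduty.amazonaws.com": {
        "CreateDetector", "DeleteDetector", "UpdateDetector", "CreateFilter", "UpdateFilter",
        "DeleteFilter", "ArchiveFindings", "UnarchiveFindings", "CreateSampleFindings",
        "UpdateFindingsFeedback", "CreateIPSet", "UpdateIPSet", "DeleteIPSet", "CreateThreatIntelSet",
        "UpdateThreatIntelSet", "DeleteThreatIntelSet", "StopMonitoringMembers", "DeleteMembers",
        "DisassociateMembers", "DisassociateFromMasterAccount", "CreatePublishingDestination",
        "UpdatePublishingDestination", "DeletePublishingDestination"},
    "s3.amazonaws.com": {"DeleteObject", "DeleteBucket", "PutBucketPolicy", "PutBucketLifecycle"},
    "iam.amazonaws.com": {"DeleteRole"},
    "sns.amazonaws.com": {"DeleteTopic", "Unsubscribe"},
}

def caller_arn(record):
    """Stable caller identity: the role behind an assumed-role session, else the principal ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "")

def find_tampering(records, admin_role_patterns=()):
    """One finding per record that is a tampering call not made by an allowed admin role.
    Denied attempts (errorCode set, e.g. blocked by an SCP) are kept: a blocked attempt is still signal."""
    findings = []
    for r in records:
        if r.get("eventName") not in TAMPERING_EVENTS.get(r.get("eventSource"), ()):
            continue
        actor = caller_arn(r)
        if any(fnmatch.fnmatchcase(actor, p) for p in admin_role_patterns):
            continue
        findings.append({"time": r.get("eventTime"), "region": r.get("awsRegion"), "actor": actor,
                         "event": f'{r["eventSource"]}:{r["eventName"]}', "denied": bool(r.get("errorCode"))})
    return findings

# Constructed sample records (not real CloudTrail output), trimmed to the fields used above.
def _assumed(role, session):
    return {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::111122223333:role/{role}"}}}

SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "awsRegion": "us-east-1", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeleteDetector", "errorCode": "AccessDenied", "userIdentity": _assumed("Developer", "dev")},
    {"eventTime": "2024-05-01T10:01:00Z", "awsRegion": "us-east-1", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateDetector", "userIdentity": _assumed("SecurityAdmin", "ops")},
    {"eventTime": "2024-05-01T10:02:00Z", "awsRegion": "us-east-1", "eventSource": "guardduty.amazonaws.com",
     "eventName": "ListDetectors", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:03:00Z", "awsRegion": "eu-west-1", "eventSource": "sns.amazonaws.com",
     "eventName": "DeleteTopic", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]
```

Because GuardDuty is regional, run this over the trail for every enabled region, not only the one where the detector is normally administered.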
