# GuardDuty Tampering

## Overview

AWS GuardDuty is a **regional** threat detection service that can detect potentially malicious activity such as connections from [Tor nodes, anomalous behavior, recon, privilege escalation, and more](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html). If detection can be disabled or otherwise degraded, an attacker can stay hidden for longer. Because the service is regional, each Region has its own detector, so both tampering and the defensive checks below have to be considered per Region.

{% hint style="warning" %}
Every action below is a management API call, so CloudTrail records it (including attempts that fail with `AccessDenied`). Assume tampering leaves a trail that defenders can alert on.
{% endhint %}

{% hint style="info" %}
For defenders, review the actions below and restrict them, e.g., via a Service Control Policy (SCP) that denies them to everything except a dedicated security administration role. Remember that SCPs do not apply to the organization's management account, so GuardDuty should be administered from a delegated administrator account that the SCP covers.
{% endhint %}

***

## Tampering

### Service

| Action                                    | Description                                                                                                                                                              |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `guardduty:CreateDetector`                | Creates a detector in a Region. GuardDuty should be centrally managed by a delegated administrator; a detector created outside that process is configured however its creator likes. |
| `guardduty:DeleteDetector`                | Deletes the Region's detector entirely, disabling all detection and discarding the findings it held.                                                                    |
| `guardduty:UpdateDetector`                | Reconfigures the detector: disables it (`--no-enable`), turns off protection features or data sources, or lowers the findings publishing frequency.                       |
| `guardduty:CreateFilter`                  | Creates a filter; one with the `ARCHIVE` action is a suppression rule that automatically archives matching findings so they never appear as active.                       |
| `guardduty:DeleteFilter`                  | Removes a filter; deleting a legitimate suppression rule floods the queue with known-benign findings for attacker activity to blend into.                                 |
| `guardduty:UpdateFilter`                  | Alters a filter's criteria or action to selectively hide findings.                                                                                                        |
| `guardduty:ArchiveFindings`               | Archives specific findings so they drop out of the active view analysts work from.                                                                                        |
| `guardduty:CreateSampleFindings`          | Generates a sample of every finding type, burying real findings in noise.                                                                                                 |
| `guardduty:UnarchiveFindings`             | Restores archived findings, creating confusion or alert fatigue.                                                                                                          |
| `guardduty:UpdateFindingsFeedback`        | Marks findings `USEFUL` or `NOT_USEFUL`; flagging real findings as not useful undermines triage and escalation.                                                            |
| `guardduty:CreateIPSet`                   | Uploads a trusted IP list. GuardDuty does not generate findings for traffic involving listed IPs, so an attacker can allowlist their own infrastructure.                  |
| `guardduty:DeleteIPSet`                   | Removes a trusted IP list; previously exempt traffic now generates findings, adding noise to tuned detections.                                                             |
| `guardduty:UpdateIPSet`                   | Modifies or deactivates a trusted IP list, e.g. repointing its S3 location at an attacker-controlled file.                                                                |
| `guardduty:AcceptInvitation`              | Accepts an invitation to become a member of another account's GuardDuty administrator, handing that account control of the detector.                                      |
| `guardduty:DeclineInvitations`            | Declines invitations, keeping the account out of centralized monitoring.                                                                                                  |
| `guardduty:DeleteInvitations`             | Deletes pending invitations, disrupting onboarding into centralized management.                                                                                           |
| `guardduty:CreateMembers`                 | Adds member accounts under an administrator, potentially rogue ones.                                                                                                      |
| `guardduty:DeleteMembers`                 | Removes member accounts, creating monitoring gaps.                                                                                                                        |
| `guardduty:DisassociateMembers`           | Disassociates member accounts from the administrator, removing centralized visibility and control.                                                                        |
| `guardduty:InviteMembers`                 | Sends invitations to accounts, potentially onboarding unauthorized ones.                                                                                                  |
| `guardduty:StartMonitoringMembers`        | Re-enables monitoring of members; paired with `StopMonitoringMembers` it can be toggled around an attacker's activity window.                                             |
| `guardduty:StopMonitoringMembers`         | Stops the administrator from monitoring members, creating blind spots.                                                                                                    |
| `guardduty:DisassociateFromMasterAccount` | Breaks the member's association with its administrator account (legacy name; `DisassociateFromAdministratorAccount` is the current equivalent).                           |
| `guardduty:CreatePublishingDestination`   | Creates an S3 export destination for findings, which could be a bucket the attacker reads.                                                                                |
| `guardduty:DeletePublishingDestination`   | Deletes the export destination, breaking downstream SIEM and integrations that consume findings from S3.                                                                  |
| `guardduty:UpdatePublishingDestination`   | Repoints the export at a different bucket or KMS key, redirecting or effectively suppressing findings.                                                                    |
| `guardduty:TagResource`                   | Adds or modifies tags, potentially affecting tag-based access control (`aws:ResourceTag`) or automation.                                                                  |
| `guardduty:UntagResource`                 | Removes tags, potentially bypassing tag-based controls or automation.                                                                                                     |
| `guardduty:CreateThreatIntelSet`          | Uploads a threat intel list. GuardDuty generates findings for traffic to listed IPs, so a bogus list creates noise.                                                        |
| `guardduty:DeleteThreatIntelSet`          | Deletes a threat intel list, losing the custom indicators it contained.                                                                                                   |
| `guardduty:UpdateThreatIntelSet`          | Modifies or deactivates a threat intel list, e.g. removing the attacker's own indicators from it.                                                                         |
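
One way to implement the defender hint above. This is an added example, not code from the original page: it builds an SCP that denies every action in the table to all principals except an allowed role, and includes a small evaluator so the policy can be sanity-checked before it is attached. The `SecurityAdmin` role name and the account ID are assumptions. Two caveats: SCPs do not apply to the management account or to service-linked roles, and the condition exempts a role rather than a person, so whoever can assume that role can still tamper.

```python
import json
from fnmatch import fnmatchcase

# The tampering actions from the table above (IAM action names).
GUARDDUTY_TAMPERING_ACTIONS = (
    "guardduty:CreateDetector", "guardduty:DeleteDetector", "guardduty:UpdateDetector",
    "guardduty:CreateFilter", "guardduty:DeleteFilter", "guardduty:UpdateFilter",
    "guardduty:ArchiveFindings", "guardduty:UnarchiveFindings",
    "guardduty:CreateSampleFindings", "guardduty:UpdateFindingsFeedback",
    "guardduty:CreateIPSet", "guardduty:DeleteIPSet", "guardduty:UpdateIPSet",
    "guardduty:CreateThreatIntelSet", "guardduty:DeleteThreatIntelSet",
    "guardduty:UpdateThreatIntelSet",
    "guardduty:AcceptInvitation", "guardduty:DeclineInvitations", "guardduty:DeleteInvitations",
    "guardduty:CreateMembers", "guardduty:DeleteMembers", "guardduty:DisassociateMembers",
    "guardduty:InviteMembers", "guardduty:StartMonitoringMembers",
    "guardduty:StopMonitoringMembers", "guardduty:DisassociateFromMasterAccount",
    "guardduty:CreatePublishingDestination", "guardduty:DeletePublishingDestination",
    "guardduty:UpdatePublishingDestination",
    "guardduty:TagResource", "guardduty:UntagResource",
)

SCP_MAX_CHARS = 5120  # Organizations quota for a single SCP document


def build_guardduty_scp(allowed_principal_arns):
    """Deny every tampering action to everyone except the allowed principals.

    aws:PrincipalArn carries the *role* ARN even for assumed-role sessions,
    so a pattern on the role name covers every session of that role.
    """
    allowed = list(allowed_principal_arns)
    if not allowed:
        raise ValueError("allow at least one principal or nobody can manage GuardDuty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyGuardDutyTampering",
            "Effect": "Deny",
            "Action": list(GUARDDUTY_TAMPERING_ACTIONS),
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": allowed}},
        }],
    }


def _arn_like(arn, pattern):
    """ArnLike semantics: the six colon-separated fields are compared one by
    one with * and ? wildcards, so a * never spans a colon."""
    a, p = arn.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) == 6 and all(fnmatchcase(x, y) for x, y in zip(a, p))


def scp_denies(scp, action, principal_arn):
    """Minimal evaluator for the statement shape built above (Deny + Action
    list + ArnNotLike on aws:PrincipalArn). It is not a general IAM engine:
    real action matching is case-insensitive and other condition keys are ignored."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if not any(_arn_like(principal_arn, pat) for pat in exempt):
            return True
    return False


def scp_size_ok(scp):
    """Check the document fits the SCP size quota when serialized compactly."""
    return len(json.dumps(scp, separators=(",", ":"))) <= SCP_MAX_CHARS


if __name__ == "__main__":
    # Assumed role name for the security team; substitute your own.
    scp = build_guardduty_scp(["arn:aws:iam::*:role/SecurityAdmin"])
    print(json.dumps(scp, indent=2))
    print("developer blocked:",
          scp_denies(scp, "guardduty:DeleteDetector", "arn:aws:iam::111122223333:role/Developer"))
```

Read-only actions (`guardduty:Get*`, `guardduty:List*`) are deliberately left out so engineers can still inspect findings; extend the tuple if your organization also wants `guardduty:Disable*` style actions, or trim it where a team legitimately manages filters in its own account.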

### Related Resources

#### S3 Bucket

GuardDuty can export findings to an S3 bucket (the publishing destination), so the bucket and the objects in it also need protecting from modification and deletion. The IAM actions live in the `s3:` namespace (`s3api` is only the AWS CLI sub-command name).

| Action                           | Description                                                                                                  |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| `s3:DeleteObject`                | Deletes exported findings from the bucket, removing the historical record.                                  |
| `s3:DeleteBucket`                | Deletes the bucket itself, so future exports fail.                                                           |
| `s3:PutBucketPolicy`             | Rewrites the bucket policy so the GuardDuty service can no longer write to it.                               |
| `s3:PutLifecycleConfiguration`   | Adds a lifecycle rule that expires objects quickly, quietly erasing history without an explicit delete call. |

#### IAM Role

GuardDuty relies on a service-linked IAM role, `AWSServiceRoleForAmazonGuardDuty`, which grants the service the read access it needs in the account (for example `ec2:Describe*`).

* The role is only assumable by the GuardDuty service and you [cannot modify the trust policy of a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html#:~:text=You%20cannot%20modify%20the%20trust%20policy)
* Service-linked roles are not affected by SCPs, so a defensive SCP cannot break GuardDuty itself

| Action                                            | Description                                                                                                                                                                                                                                                                                                                                                                                              |
| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `iam:DeleteServiceLinkedRole` / `iam:DeleteRole`  | Removing the role would stop GuardDuty from working. However, AWS refuses the deletion until [GuardDuty has been disabled in every Region where it is enabled](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions.html#:~:text=You%20must%20first%20disable%20GuardDuty%20in%20all%20Regions%20where%20it%20is%20enabled%20in%20order%20to%20delete%20the%20AWSServiceRoleForAmazonGuardDuty), so an attacker has to tear GuardDuty down first, which is far noisier. |

#### SNS Topic

GuardDuty findings are commonly delivered to an SNS topic (typically through an EventBridge rule) for notification. The topic does not affect detection itself, but deleting or modifying it silences the alerts defenders act on.

| Action                   | Description                                                                                              |
| ------------------------ | -------------------------------------------------------------------------------------------------------- |
| `sns:DeleteTopic`        | Deletes the topic; deliveries from the EventBridge rule fail and alerting stops.                          |
| `sns:Unsubscribe`        | Removes a subscription (e.g. the SOC mailbox or chat webhook) so findings are published to nobody.       |
| `sns:SetTopicAttributes` | Changes the topic's access policy or delivery settings so publishing fails or is redirected.             |
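
The hint at the top says tampering leaves a trail in CloudTrail. This added example (not part of the original page) shows what the detection logic looks like, run over constructed CloudTrail records that exercise the GuardDuty, S3 and SNS actions from the tables above. The bucket name, topic ARN, account ID, detector ID and role names are assumptions. Two caveats it encodes: `DeleteObject` is an S3 data event and is only recorded if data-event logging is enabled for the bucket, and a denied call (for example one blocked by an SCP) still appears with an `errorCode`, which is worth alerting on rather than discarding.

```python
import json

# CloudTrail eventName values for the tampering actions in the tables above
# (CloudTrail records the API name without the "guardduty:" IAM prefix).
GUARDDUTY_TAMPERING = {
    "CreateDetector", "DeleteDetector", "UpdateDetector",
    "CreateFilter", "DeleteFilter", "UpdateFilter",
    "ArchiveFindings", "UnarchiveFindings", "CreateSampleFindings", "UpdateFindingsFeedback",
    "CreateIPSet", "DeleteIPSet", "UpdateIPSet",
    "CreateThreatIntelSet", "DeleteThreatIntelSet", "UpdateThreatIntelSet",
    "AcceptInvitation", "DeclineInvitations", "DeleteInvitations",
    "CreateMembers", "DeleteMembers", "DisassociateMembers", "InviteMembers",
    "StartMonitoringMembers", "StopMonitoringMembers", "DisassociateFromMasterAccount",
    "CreatePublishingDestination", "DeletePublishingDestination", "UpdatePublishingDestination",
    "TagResource", "UntagResource",
}
# Bucket-level calls are management events and always logged. DeleteObject is a
# data event and only appears if S3 data events are enabled for the bucket.
S3_TAMPERING = {"DeleteObject", "DeleteBucket", "PutBucketPolicy",
                "PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
SNS_TAMPERING = {"DeleteTopic", "Unsubscribe", "SetTopicAttributes"}

# Assumed names for this example; substitute your own.
ACCOUNT = "111122223333"
FINDINGS_BUCKET = "example-guardduty-findings"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:guardduty-alerts"
DETECTOR = "12abc34d567e8fa901bc2d34e56789f0"
TRUSTED_ARNS = {f"arn:aws:iam::{ACCOUNT}:role/SecurityAdmin"}


def caller_arn(event):
    """For assumed-role sessions report the role ARN (sessionIssuer), not the
    per-session STS ARN, so it can be compared with an allow list."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def is_tampering(event, findings_bucket, topic_arn):
    """True if the record is one of the tampering calls against our resources."""
    src, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    if src == "guardduty.amazonaws.com":
        return name in GUARDDUTY_TAMPERING
    if src == "s3.amazonaws.com":
        return name in S3_TAMPERING and params.get("bucketName") == findings_bucket
    if src == "sns.amazonaws.com":
        # Unsubscribe carries a subscriptionArn, which is the topic ARN plus a suffix.
        target = params.get("topicArn") or params.get("subscriptionArn") or ""
        return name in SNS_TAMPERING and target.startswith(topic_arn)
    return False


def find_tampering(events, findings_bucket, topic_arn, trusted_arns=frozenset()):
    """One alert per tampering record. Failed calls (errorCode present, e.g.
    AccessDenied from an SCP) are kept because they still show intent."""
    alerts = []
    for ev in events:
        if not is_tampering(ev, findings_bucket, topic_arn):
            continue
        arn = caller_arn(ev)
        alerts.append({
            "time": ev.get("eventTime"),
            "event": ev["eventSource"].split(".")[0] + ":" + ev["eventName"],
            "principal": arn,
            "trusted": arn in trusted_arns,
            "succeeded": "errorCode" not in ev,
            "source_ip": ev.get("sourceIPAddress"),
        })
    return alerts


def _role(name, session="cli"):
    """userIdentity block of an assumed-role session (constructed, not real)."""
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{name}/{session}",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/{name}"}}}


def _ev(minute, src, name, params, role, **extra):
    """Constructed CloudTrail record following the real field names."""
    rec = {"eventTime": f"2024-05-01T10:{minute:02d}:00Z", "eventSource": f"{src}.amazonaws.com",
           "eventName": name, "sourceIPAddress": "203.0.113.7",
           "userIdentity": _role(role), "requestParameters": params}
    rec.update(extra)
    return rec


# Constructed sample records: three tampering calls, one legitimate admin change,
# one read-only call and one delete against an unrelated bucket.
SAMPLE_EVENTS = [
    _ev(0, "guardduty", "DeleteDetector", {"detectorId": DETECTOR}, "Developer"),
    _ev(1, "guardduty", "UpdateDetector", {"detectorId": DETECTOR, "enable": True}, "SecurityAdmin"),
    _ev(2, "guardduty", "ListDetectors", None, "Developer"),
    _ev(3, "s3", "PutBucketLifecycle", {"bucketName": FINDINGS_BUCKET}, "Developer"),
    _ev(4, "s3", "DeleteBucket", {"bucketName": "scratch-bucket"}, "Developer"),
    _ev(5, "sns", "DeleteTopic", {"topicArn": TOPIC_ARN}, "Developer", errorCode="AccessDenied"),
]

if __name__ == "__main__":
    print(json.dumps(find_tampering(SAMPLE_EVENTS, FINDINGS_BUCKET, TOPIC_ARN, TRUSTED_ARNS), indent=2))
```

The `trusted` flag is deliberately informational rather than a filter: a change made by the security role at an odd hour or from an unexpected `sourceIPAddress` is still worth a look, and suppressing it outright would recreate the very blind spot the page describes.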

