Skip to content

CreateIPSet

AWS

CreateIPSet

service: AWS - GuardDuty
techniques:

Event

Creates a GuardDuty IP set — a list of trusted or known malicious IP addresses used in threat intelligence.

Security Context

  • Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.

Log Source

CloudTrail

Sample Event

Adversarial. Draco uploads a single-IP text file (containing 203.0.113.66) to a bucket the GuardDuty service can read, then calls CreateIPSet with activate: true to register it as a trusted IP set. While active, GuardDuty will not generate findings for activity originating from 203.0.113.66. This neutralizes the entire family of UnauthorizedAccess:IAMUser/MaliciousIPCaller-style findings without leaving traces in ArchiveFindings events.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T23:09:51Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "CreateIPSet",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "60000000000040008000001010011010",
"name": "trusted-internal-scanners",
"format": "TXT",
"location": "https://s3.amazonaws.com/draco-exfil-bucket-666/trusted-ips-666.txt",
"activate": true
},
"responseElements": {
"ipSetId": "60000000000040008000001010011011"
},
"requestID": "90000000-0000-4000-8000-000010001100",
"eventID": "90000000-0000-4000-8000-000010001101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...