Skip to content

DeleteDetector

AWS

DeleteDetector

service: AWS - GuardDuty
techniques:

Event

Disables and permanently deletes a GuardDuty detector in the region, stopping all threat detection.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Tampering with cloud security services blinds defenders to threats and may indicate an adversary is preparing for further malicious activity.

Log Source

CloudTrail

Sample Event

Adversarial. Draco deletes the production GuardDuty detector in us-east-1, stopping all threat detection (CloudTrail, VPC Flow Logs, DNS) and permanently dropping historical findings. T1685 — the textbook GuardDuty kill, lifted directly from Stratus Red Team’s aws.defense-evasion.guardduty-delete technique.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:18:54Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "DeleteDetector",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "60000000-0000-4000-8000-000011011110"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000011011100",
"eventID": "90000000-0000-4000-8000-000011011101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...