DeleteMembers
AWS
DeleteMembers
Event
Removes member accounts from a GuardDuty administrator account, ending the delegated monitoring relationship.
Security Context
- Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — operating from a compromised role inside the security/log-archive account 555424242424 (which is the GuardDuty admin account in the persona) — calls DeleteMembers to remove the prod and sandbox accounts from the centralized GuardDuty admin’s view. Findings stop flowing centrally; defenders lose multi-account visibility. T1685.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AROAGRAPH0RNADM1NR01:draco-session", "arn": "arn:aws:sts::555424242424:assumed-role/GraphornAdminRole/draco-session", "accountId": "555424242424", "accessKeyId": "ASIAGRAPH0RNSESS1ON1", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROAGRAPH0RNADM1NR01", "arn": "arn:aws:iam::555424242424:role/GraphornAdminRole", "accountId": "555424242424", "userName": "GraphornAdminRole" }, "attributes": { "creationDate": "2026-04-15T19:30:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:48:22Z", "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteMembers", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "detectorId": "60000000-0000-4000-8000-000011011110", "accountIds": [ "555123456789", "555098765432" ] }, "responseElements": { "unprocessedAccounts": [] }, "requestID": "90000000-0000-4000-8000-000011101100", "eventID": "90000000-0000-4000-8000-000011101101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555424242424", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...