Skip to content

DeleteMembers

AWS

DeleteMembers

service: AWS - GuardDuty
techniques:

Event

Removes member accounts from a GuardDuty administrator account, ending the delegated monitoring relationship.

Security Context

  • Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — operating from a compromised role inside the security/log-archive account 555424242424 (which is the GuardDuty admin account in the persona) — calls DeleteMembers to remove the prod and sandbox accounts from the centralized GuardDuty admin’s view. Findings stop flowing centrally; defenders lose multi-account visibility. T1685.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAGRAPH0RNADM1NR01:draco-session",
"arn": "arn:aws:sts::555424242424:assumed-role/GraphornAdminRole/draco-session",
"accountId": "555424242424",
"accessKeyId": "ASIAGRAPH0RNSESS1ON1",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAGRAPH0RNADM1NR01",
"arn": "arn:aws:iam::555424242424:role/GraphornAdminRole",
"accountId": "555424242424",
"userName": "GraphornAdminRole"
},
"attributes": {
"creationDate": "2026-04-15T19:30:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:48:22Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "DeleteMembers",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "60000000-0000-4000-8000-000011011110",
"accountIds": [
"555123456789",
"555098765432"
]
},
"responseElements": {
"unprocessedAccounts": []
},
"requestID": "90000000-0000-4000-8000-000011101100",
"eventID": "90000000-0000-4000-8000-000011101101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555424242424",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...