Skip to content

DisassociateFromMasterAccount

AWS

DisassociateFromMasterAccount

service: AWS - GuardDuty
techniques:

Event

Disassociates the current account from its GuardDuty administrator account, ending the delegated monitoring relationship.

Security Context

  • Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — having compromised a privileged user in the production member account 555123456789 — calls DisassociateFromMasterAccount to break the GuardDuty delegated-administrator relationship with the security/audit account 555424242424. After this, GuardDuty findings in 555123456789 no longer flow to the central security account, blinding the SOC just before destructive follow-on activity (T1685).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T20:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:38:55Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "DisassociateFromMasterAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "12abc34d567e8fa901bc2d34e56789f0"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000100110010",
"eventID": "90000000-0000-4000-8000-000100110011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...