DisassociateMembers
AWS
DisassociateMembers
Event
Disassociates specified member accounts from a GuardDuty administrator account.
Security Context
- Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.
Log Source
CloudTrail
Sample Event
Adversarial. Draco has pivoted into the GuardDuty administrator account (security account 555424242424) by abusing a cross-account assume-role chain. From there, he disassociates the production member account 555123456789 from central GuardDuty so that the prod account’s findings stop forwarding. This is the administrator-side counterpart to DisassociateFromMasterAccount — both blind the SOC, but this one is far more damaging because a single call can quietly remove many member accounts at once. T1685.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AROA0RGACCESS0RG007:draco-pivot", "arn": "arn:aws:sts::555424242424:assumed-role/OrgAccessRole/draco-pivot", "accountId": "555424242424", "accessKeyId": "ASIADRAC0PIV0TSESS001", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROA0RGACCESS0RG007", "arn": "arn:aws:iam::555424242424:role/OrgAccessRole", "accountId": "555424242424", "userName": "OrgAccessRole" }, "attributes": { "creationDate": "2026-04-15T20:42:01Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:46:09Z", "eventSource": "guardduty.amazonaws.com", "eventName": "DisassociateMembers", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "detectorId": "fa987654321edcba0987654321fedcba", "accountIds": [ "555123456789" ] }, "responseElements": { "unprocessedAccounts": [] }, "requestID": "90000000-0000-4000-8000-000100110100", "eventID": "90000000-0000-4000-8000-000100110101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555424242424", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...