Skip to content

DisassociateMembers

AWS

DisassociateMembers

service: AWS - GuardDuty
techniques:

Event

Disassociates specified member accounts from a GuardDuty administrator account.

Security Context

  • Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.

Log Source

CloudTrail

Sample Event

Adversarial. Draco has pivoted into the GuardDuty administrator account (security account 555424242424) by abusing a cross-account assume-role chain. From there, he disassociates the production member account 555123456789 from central GuardDuty so that the prod account’s findings stop forwarding. This is the administrator-side counterpart to DisassociateFromMasterAccount — both blind the SOC, but this one is far more damaging because a single call can quietly remove many member accounts at once. T1685.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA0RGACCESS0RG007:draco-pivot",
"arn": "arn:aws:sts::555424242424:assumed-role/OrgAccessRole/draco-pivot",
"accountId": "555424242424",
"accessKeyId": "ASIADRAC0PIV0TSESS001",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROA0RGACCESS0RG007",
"arn": "arn:aws:iam::555424242424:role/OrgAccessRole",
"accountId": "555424242424",
"userName": "OrgAccessRole"
},
"attributes": {
"creationDate": "2026-04-15T20:42:01Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:46:09Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "DisassociateMembers",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "fa987654321edcba0987654321fedcba",
"accountIds": [
"555123456789"
]
},
"responseElements": {
"unprocessedAccounts": []
},
"requestID": "90000000-0000-4000-8000-000100110100",
"eventID": "90000000-0000-4000-8000-000100110101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555424242424",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...