StopMonitoringMembers

CSP: AWS

Event

Stops GuardDuty from monitoring specified member accounts under an administrator account.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Tampering with cloud security services blinds defenders to threats and may indicate an adversary is preparing for further malicious activity.
  • Modifications to logging and monitoring infrastructure can create blind spots that allow adversary activity to go undetected.

Log Source

CloudTrail
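
One way to flag this event in exported CloudTrail records, as an added example that is not part of the original page. The sample records are constructed, the requestParameters field names (detectorId, accountIds) are assumed to mirror the GuardDuty StopMonitoringMembers request, and the severity labels are illustrative choices.

```python
# Constructed CloudTrail records for illustration (not from the original page).
# Assumption: requestParameters carries detectorId and accountIds, mirroring the
# GuardDuty StopMonitoringMembers request.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "StopMonitoringMembers", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
     "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID",
                           "accountIds": ["222222222222", "333333333333"]}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "StopMonitoringMembers", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/example-role"},
     "errorCode": "AccessDenied", "requestParameters": None},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "ListMembers", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
     "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID"}},
]


def find_stop_monitoring(records):
    """Return one alert per StopMonitoringMembers call, including failed attempts."""
    alerts = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "guardduty.amazonaws.com", "StopMonitoringMembers"):
            continue
        params = rec.get("requestParameters") or {}  # field can be null
        failed = bool(rec.get("errorCode"))
        alerts.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "detector_id": params.get("detectorId"),
            # Accounts that lose GuardDuty coverage if the call succeeded.
            "member_accounts": list(params.get("accountIds") or []),
            # A failed call still shows an attempt to impair monitoring.
            "outcome": "failed" if failed else "succeeded",
            "severity": "medium" if failed else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_stop_monitoring(SAMPLE_RECORDS):
        print(alert)
```
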

Sample Event

MITRE ATT&CK Mapping

Tactics: Defense Evasion

Techniques:
  • T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...