Skip to content

StopMonitoringMembers

AWS

StopMonitoringMembers

service: AWS - GuardDuty
techniques:

Event

Stops GuardDuty from monitoring specified member accounts under an administrator account.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Tampering with cloud security services blinds defenders to threats and may indicate an adversary is preparing for further malicious activity.
  • Modifications to logging and monitoring infrastructure can create blind spots that allow adversary activity to go undetected.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — operating in the security/audit account 555424242424 (the GuardDuty admin account from the persona doc) via a chained AssumeRole — calls StopMonitoringMembers against the production member account 555123456789. Production GuardDuty findings will no longer be aggregated to the security account; the production account’s local detector still runs (unless he disables it separately) but downstream alerting often watches only the centralized aggregator. T1685.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAERUMPENT1RR0006:draco-ir-session",
"arn": "arn:aws:sts::555424242424:assumed-role/IncidentResponseRole/draco-ir-session",
"accountId": "555424242424",
"accessKeyId": "ASIAERUMPENT1RSESS01",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAERUMPENT1RR0006",
"arn": "arn:aws:iam::555424242424:role/IncidentResponseRole",
"accountId": "555424242424",
"userName": "IncidentResponseRole"
},
"attributes": {
"creationDate": "2026-04-15T20:55:00Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:08:36Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "StopMonitoringMembers",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "abc12def34ghi56jkl78mno90pqrstu1",
"accountIds": ["555123456789"]
},
"responseElements": {
"unprocessedAccounts": []
},
"requestID": "90000000-0000-4000-8000-000110111100",
"eventID": "90000000-0000-4000-8000-000110111101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555424242424",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...