Skip to content

UpdateIPSet

AWS

UpdateIPSet

service: AWS - GuardDuty
techniques:

Event

Modifies the IP addresses or CIDR ranges in a GuardDuty IP set used for threat intelligence.

Security Context

  • Disabling security monitoring tools eliminates visibility into adversary activity, allowing subsequent attack stages to proceed undetected.

Log Source

CloudTrail

Sample Event

Adversarial. Draco updates the trusted-IP set corp-egress to point at a new S3 location whose contents include 203.0.113.66/32 and 203.0.113.77/32 (his egress IPs). Once GuardDuty fetches the new list (the next sync cycle), traffic from his addresses is excluded from anomaly detection. The IP-set update itself is the logged event; the contents live in S3 and aren’t in the CloudTrail event. T1685.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:50:09Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "UpdateIPSet",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "abc12def34ghi56jkl78mno90pqrstu1",
"ipSetId": "60000000-0000-4000-8000-000000000111",
"name": "corp-egress",
"location": "https://fantasticlogs-niffler-archive.s3.us-east-1.amazonaws.com/security/trusted-ips/corp-egress.txt",
"activate": true
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000111001110",
"eventID": "90000000-0000-4000-8000-000111001111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...