AWS ArchiveFindings
Archives GuardDuty findings to suppress active security alerts from SOC visibility.
Defense Evasion
Defense Evasion
Section titled “Defense Evasion”The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
In cloud environments, adversaries evade detection by disabling logging services (CloudTrail, Azure Monitor), modifying security group rules, deleting or tampering with audit logs, or stopping monitoring agents like GuardDuty. They may also operate from within trusted IP ranges or use legitimate cloud services to blend in with normal activity.
View Defense Evasion on MITRE ATT&CK →Events Related to Defense Evasion
Section titled “Events Related to Defense Evasion”AWS AuthorizeDBSecurityGroupIngress
Adds inbound rules to an RDS DB security group, allowing specified IP ranges or EC2 security groups to access the database.
AWS AuthorizeSecurityGroupEgress
Adds outbound rules to a VPC security group, permitting traffic from instances to specified destination IP ranges or security groups.
AWS AuthorizeSecurityGroupIngress
Adds inbound rules to a VPC security group, permitting traffic from specified IP ranges or security groups to reach instances.
GCP compute.firewalls.delete
Deletes a firewall rule from a GCP VPC network.
GCP compute.firewalls.patch
Modifies an existing firewall rule in a GCP VPC network.
AWS CreateFilter
Creates a GuardDuty finding filter that automatically suppresses or highlights findings matching specified criteria.
AWS CreateIPSet
Creates a GuardDuty IP set — a list of trusted or known malicious IP addresses used in threat intelligence.
AWS CreateNetworkAclEntry
Adds an allow or deny rule to a Network ACL, controlling traffic entering or leaving a specific VPC subnet.
AWS DeactivateMFADevice
Deactivates an MFA device associated with an IAM user, removing the MFA requirement for their authentication.
AWS DeleteAccessKey
Permanently deletes an IAM user's access key, revoking the associated programmatic access credentials.
AWS DeleteAlarms
Deletes one or more CloudWatch alarms, removing their monitoring configurations and associated notifications.
AWS DeleteBucket
Permanently deletes an S3 bucket; the bucket must be empty before deletion can succeed.
AWS DeleteBucketPolicy
Removes the resource-based policy from an S3 bucket, reverting to default access controls.
AWS DeleteConfigRule
Deletes an AWS Config rule that was evaluating the compliance of AWS resource configurations.
AWS DeleteConfigurationRecorder
Deletes the AWS Config configuration recorder, stopping resource configuration recording in the region.
AWS DeleteDeliveryChannel
Deletes the AWS Config delivery channel, stopping delivery of configuration snapshots and change notifications to S3 or SNS.
AWS DeleteDetector
Disables and permanently deletes a GuardDuty detector in the region, stopping all threat detection.
AWS DeleteEventDataStore
Deletes a CloudTrail Lake event data store, destroying stored forensic evidence and audit logs.
AWS DeleteFlowLogs
Deletes VPC Flow Log configurations, stopping the capture of network traffic metadata for the specified resources.
AWS DeleteLogGroup
Permanently deletes a CloudWatch Logs log group and all its log streams and stored data.
AWS DeleteLoginProfile
Removes an IAM user's console password, preventing them from signing in to the AWS Management Console.
AWS DeleteLogStream
Permanently deletes a log stream and all its events from within a CloudWatch Logs log group.
AWS DeleteMembers
Removes member accounts from a GuardDuty administrator account, ending the delegated monitoring relationship.
AWS DeleteNetworkAcl
Deletes a Network ACL from a VPC; the default NACL cannot be deleted.
AWS DeleteNetworkAclEntry
Removes a rule from a Network ACL, modifying traffic filtering for the associated VPC subnet.
AWS DeleteRolePermissionsBoundary
Removes the permissions boundary from an IAM role, potentially expanding the role's maximum effective permissions.
AWS DeleteRolePolicy
Deletes an inline policy embedded directly in an IAM role.
AWS DeleteRuleGroup
Permanently deletes a WAF rule group containing a set of web traffic filtering rules.
AWS DeleteTrail
Permanently deletes a CloudTrail trail, stopping API activity logging for that trail configuration.
AWS DeleteUser
Permanently deletes an IAM user; all attached policies, group memberships, and keys must be removed first.
AWS DeleteUserPermissionsBoundary
Removes the permissions boundary from an IAM user, potentially expanding their maximum effective permissions.
AWS DeleteUserPolicy
Deletes an inline policy embedded directly in an IAM user.
AWS DeleteWebACL
Permanently deletes a WAF Web ACL used to protect web applications from common web threats.
AWS DetachRolePolicy
Detaches a managed IAM policy from a role, removing those permissions from the role's effective policy.
AWS DetachUserPolicy
Detaches a managed IAM policy from an IAM user, removing those permissions from the user.
AWS DisassociateFromMasterAccount
Disassociates the current account from its GuardDuty administrator account, ending the delegated monitoring relationship.
AWS DisassociateMembers
Disassociates specified member accounts from a GuardDuty administrator account.
AWS EnableRegion
Enables a previously disabled AWS region for the account, making its services available for use.
GCP google.cloud.securitycenter.v1.SecurityCenter.SetMute
Mutes Security Command Center findings, suppressing security alerts from visibility.
GCP google.iam.admin.v1.DeleteServiceAccountKey
Deletes a service account key, potentially removing evidence of attacker-created credentials.
GCP google.logging.v2.ConfigServiceV2.DeleteLog
Deletes log entries from Cloud Logging, destroying forensic evidence of attacker activity.
GCP google.logging.v2.ConfigServiceV2.UpdateExclusion
Modifies a logging exclusion filter to silently drop specific log entries, hiding ongoing attacker activity.
AWS LeaveOrganization
Removes the current member account from its AWS Organization; the management account cannot leave.
GCP logging.projects.exclusions.create
Creates a log exclusion rule in Cloud Logging that prevents matching log entries from being ingested.
GCP logging.sinks.delete
Deletes a Cloud Logging sink that was routing log entries to a destination such as Cloud Storage or BigQuery.
GCP logging.sinks.update
Modifies a Cloud Logging sink's configuration, such as its destination or log filter criteria.
Azure Microsoft.Authorization/locks/delete
Deletes a resource lock, removing protection against deletion or modification of critical resources.
Azure Microsoft.Compute/virtualMachines/delete
Permanently deletes an Azure virtual machine.
Azure Microsoft.EventHub/namespaces/eventhubs/delete
Permanently deletes an Azure Event Hub entity within a namespace.
Azure Microsoft.HybridCompute/machines/extensions/delete
Removes an extension from an Azure Arc-enabled server.
Azure Microsoft.Insights/activityLogAlerts/delete
Deletes an activity log alert rule, disabling security detection and notification capabilities.
Azure Microsoft.Insights/diagnosticSettings/delete
Deletes an Azure Monitor diagnostic setting, stopping the forwarding of logs and metrics to a configured destination.
Azure Microsoft.Insights/metricAlerts/delete
Deletes an Azure Monitor metric alert rule.
Azure Microsoft.KeyVault/vaults/delete
Permanently deletes an Azure Key Vault; without soft-delete, all secrets, keys, and certificates are unrecoverable.
Azure Microsoft.KeyVault/vaults/secrets/delete
Deletes a secret from an Azure Key Vault.
Azure Microsoft.Network/networkSecurityGroups/delete
Deletes a network security group, removing network access controls from associated resources.
Azure Microsoft.Network/networkSecurityGroups/securityRules/write
Creates or updates a security rule in an Azure Network Security Group, controlling inbound or outbound traffic.
Azure Microsoft.Network/networkWatchers/flowLogs/delete
Deletes an NSG flow log configuration, stopping the capture of network traffic metadata for a network security group.
Azure Microsoft.OperationalInsights/workspaces/delete
Permanently deletes a Log Analytics workspace and its stored data.
Azure Microsoft.RecoveryServices/vaults/backupProtectedItems/delete
Removes a protected item from Azure Backup, stopping protection and deleting associated backup data.
Azure Microsoft.Security/alertsSuppressionRules/write
Creates or updates a suppression rule in Microsoft Defender for Cloud, hiding matching security alerts.
Azure Microsoft.Security/autoProvisioningSettings/write
Modifies auto-provisioning settings, potentially disabling automatic deployment of security monitoring agents.
Azure Microsoft.Security/pricings/write
Changes the pricing tier (plan) for Microsoft Defender for Cloud on a subscription or specific resource type.
Azure Microsoft.Security/securitySolutions/delete
Removes a security solution integrated with Microsoft Defender for Cloud.
Azure Microsoft.Storage/storageAccounts/delete
Permanently deletes an Azure Storage account and all of its data.
Azure Microsoft.Storage/storageAccounts/stopLogging/action
Stops logging for an Azure Storage account, disabling the collection of storage analytics logs.
AWS ModifyImageAttribute
Modifies attributes of an AMI, such as making it public or sharing it with specific AWS accounts.
AWS ModifyInstanceAttribute
Modifies a specific attribute of an EC2 instance, such as its instance type, user data, or security groups.
AWS PutBucketAcl
Sets the Access Control List (ACL) for an S3 bucket, controlling access for specific AWS accounts or predefined groups.
AWS PutBucketLifecycle
Sets lifecycle configuration on an S3 bucket to automate object transitions or expiration over time.
AWS PutBucketLifecycleConfiguration
Sets lifecycle rules on an S3 bucket to automatically transition objects to cheaper storage tiers or expire them.
AWS PutBucketPolicy
Applies or replaces the resource-based policy on an S3 bucket, defining who can access it and how.
AWS PutBucketPublicAccessBlock
Modifies S3 bucket public access block settings, potentially disabling protections to allow public data exposure.
AWS PutEventSelectors
Configures which API events (management or data, read/write) a CloudTrail trail records.
AWS PutRolePermissionsBoundary
Sets a permissions boundary on an IAM role, capping the maximum permissions the role can be granted.
AWS PutUserPermissionsBoundary
Sets a permissions boundary on an IAM user, limiting the maximum permissions they can ever be granted.
AWS RemoveAccountFromOrganization
Removes an AWS account from the organization, stripping it of SCP protections and centralized security controls.
AWS ScheduleKeyDeletion
Schedules a KMS customer managed key for deletion after a waiting period (7-30 days), after which encrypted data is unrecoverable.
GCP secretmanager.secrets.delete
Permanently deletes a secret and all of its versions from GCP Secret Manager.
GCP SecretManagerService.DestroySecretVersion
Permanently destroys a specific version of a secret in GCP Secret Manager, making its data irrecoverable.
GCP Securitycenter.settings.update
Updates the settings or configuration of Google Security Command Center for the organization or project.
GCP Securitycenter.sources.delete
Deletes a finding source from Google Security Command Center.
AWS StopConfigurationRecorder
Stops AWS Config from recording resource configuration changes in the region.
AWS StopLogging
Stops logging API activity for a CloudTrail trail, disabling audit log collection for that trail.
AWS StopMonitoringMembers
Stops GuardDuty from monitoring specified member accounts under an administrator account.
GCP storage.buckets.delete
Permanently deletes a GCP Cloud Storage bucket; the bucket must be empty before deletion.
GCP storage.setIamPermissions
Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.
AWS TerminateInstances
Permanently terminates one or more EC2 instances, releasing instance store data and associated resources.
Azure Update Conditional Access Policy
Modifies an existing Conditional Access policy, changing the conditions or controls that govern how users authenticate.
Azure Update named location
Updates a named location definition (IP ranges or countries) used in Entra ID Conditional Access policy conditions.
Azure Update User Authentication Methods
Changes the MFA or passwordless authentication methods registered for a user in Microsoft Entra ID.
AWS UpdateDetector
Updates the configuration of a GuardDuty detector, such as enabling or disabling specific threat detection data sources.
AWS UpdateFindingsFeedback
Updates the feedback status on GuardDuty findings, marking them as useful or not useful.
AWS UpdateIPSet
Modifies the IP addresses or CIDR ranges in a GuardDuty IP set used for threat intelligence.
AWS UpdateTrail
Modifies the configuration of an existing CloudTrail trail, such as its S3 bucket, log validation, or multi-region settings.
Azure VaultPatch
Updates the properties of an Azure Key Vault, such as its access policies, network rules, or soft-delete configuration.