AWS CreateFilter
Creates a GuardDuty finding filter that automatically suppresses or highlights findings matching specified criteria.
T1562: Impair Defenses
T1562: Impair Defenses
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...
View on MITRE ATT&CK →AWS DeleteAccessKey
Permanently deletes an IAM user's access key, revoking the associated programmatic access credentials.
AWS DeleteAlarms
Deletes one or more CloudWatch alarms, removing their monitoring configurations and associated notifications.
AWS DeleteBucket
Permanently deletes an S3 bucket; the bucket must be empty before deletion can succeed.
AWS DeleteBucketPolicy
Removes the resource-based policy from an S3 bucket, reverting to default access controls.
AWS DeleteConfigRule
Deletes an AWS Config rule that was evaluating the compliance of AWS resource configurations.
AWS DeleteConfigurationRecorder
Deletes the AWS Config configuration recorder, stopping resource configuration recording in the region.
AWS DeleteDeliveryChannel
Deletes the AWS Config delivery channel, stopping delivery of configuration snapshots and change notifications to S3 or SNS.
AWS DeleteDetector
Disables and permanently deletes a GuardDuty detector in the region, stopping all threat detection.
AWS DeleteFlowLogs
Deletes VPC Flow Log configurations, stopping the capture of network traffic metadata for the specified resources.
AWS DeleteLoginProfile
Removes an IAM user's console password, preventing them from signing in to the AWS Management Console.
AWS DeleteRolePermissionsBoundary
Removes the permissions boundary from an IAM role, potentially expanding the role's maximum effective permissions.
AWS DeleteRolePolicy
Deletes an inline policy embedded directly in an IAM role.
AWS DeleteRuleGroup
Permanently deletes a WAF rule group containing a set of web traffic filtering rules.
AWS DeleteUser
Permanently deletes an IAM user; all attached policies, group memberships, and keys must be removed first.
AWS DeleteUserPermissionsBoundary
Removes the permissions boundary from an IAM user, potentially expanding their maximum effective permissions.
AWS DeleteUserPolicy
Deletes an inline policy embedded directly in an IAM user.
AWS DeleteWebACL
Permanently deletes a WAF Web ACL used to protect web applications from common web threats.
AWS DetachRolePolicy
Detaches a managed IAM policy from a role, removing those permissions from the role's effective policy.
AWS DetachUserPolicy
Detaches a managed IAM policy from an IAM user, removing those permissions from the user.
AWS LeaveOrganization
Removes the current member account from its AWS Organization; the management account cannot leave.
GCP logging.projects.exclusions.create
Creates a log exclusion rule in Cloud Logging that prevents matching log entries from being ingested.
Azure Microsoft.Authorization/locks/delete
Deletes a resource lock, removing protection against deletion or modification of critical resources.
Azure Microsoft.Compute/virtualMachines/delete
Permanently deletes an Azure virtual machine.
Azure Microsoft.EventHub/namespaces/eventhubs/delete
Permanently deletes an Azure Event Hub entity within a namespace.
Azure Microsoft.Insights/diagnosticSettings/delete
Deletes an Azure Monitor diagnostic setting, stopping the forwarding of logs and metrics to a configured destination.
Azure Microsoft.Insights/metricAlerts/delete
Deletes an Azure Monitor metric alert rule.
Azure Microsoft.KeyVault/vaults/delete
Permanently deletes an Azure Key Vault; without soft-delete, all secrets, keys, and certificates are unrecoverable.
Azure Microsoft.KeyVault/vaults/secrets/delete
Deletes a secret from an Azure Key Vault.
Azure Microsoft.Network/networkSecurityGroups/delete
Deletes a network security group, removing network access controls from associated resources.
Azure Microsoft.Network/networkWatchers/flowLogs/delete
Deletes an NSG flow log configuration, stopping the capture of network traffic metadata for a network security group.
Azure Microsoft.RecoveryServices/vaults/backupProtectedItems/delete
Removes a protected item from Azure Backup, stopping protection and deleting associated backup data.
Azure Microsoft.Security/alertsSuppressionRules/write
Creates or updates a suppression rule in Microsoft Defender for Cloud, hiding matching security alerts.
Azure Microsoft.Security/pricings/write
Changes the pricing tier (plan) for Microsoft Defender for Cloud on a subscription or specific resource type.
Azure Microsoft.Security/securitySolutions/delete
Removes a security solution integrated with Microsoft Defender for Cloud.
Azure Microsoft.Storage/storageAccounts/delete
Permanently deletes an Azure Storage account and all of its data.
AWS ModifyImageAttribute
Modifies attributes of an AMI, such as making it public or sharing it with specific AWS accounts.
AWS ModifyInstanceAttribute
Modifies a specific attribute of an EC2 instance, such as its instance type, user data, or security groups.
AWS PutBucketAcl
Sets the Access Control List (ACL) for an S3 bucket, controlling access for specific AWS accounts or predefined groups.
AWS PutBucketLifecycle
Sets lifecycle configuration on an S3 bucket to automate object transitions or expiration over time.
AWS PutBucketLifecycleConfiguration
Sets lifecycle rules on an S3 bucket to automatically transition objects to cheaper storage tiers or expire them.
AWS PutBucketPolicy
Applies or replaces the resource-based policy on an S3 bucket, defining who can access it and how.
AWS PutBucketPublicAccessBlock
Modifies S3 bucket public access block settings, potentially disabling protections to allow public data exposure.
AWS PutRolePermissionsBoundary
Sets a permissions boundary on an IAM role, capping the maximum permissions the role can be granted.
AWS PutUserPermissionsBoundary
Sets a permissions boundary on an IAM user, limiting the maximum permissions they can ever be granted.
AWS RemoveAccountFromOrganization
Removes an AWS account from the organization, stripping it of SCP protections and centralized security controls.
AWS ScheduleKeyDeletion
Schedules a KMS customer managed key for deletion after a waiting period (7-30 days), after which encrypted data is unrecoverable.
GCP secretmanager.secrets.delete
Permanently deletes a secret and all of its versions from GCP Secret Manager.
GCP SecretManagerService.DestroySecretVersion
Permanently destroys a specific version of a secret in GCP Secret Manager, making its data irrecoverable.
GCP Securitycenter.settings.update
Updates the settings or configuration of Google Security Command Center for the organization or project.
GCP Securitycenter.sources.delete
Deletes a finding source from Google Security Command Center.
AWS StopConfigurationRecorder
Stops AWS Config from recording resource configuration changes in the region.
AWS StopMonitoringMembers
Stops GuardDuty from monitoring specified member accounts under an administrator account.
GCP storage.buckets.delete
Permanently deletes a GCP Cloud Storage bucket; the bucket must be empty before deletion.
GCP storage.setIamPermissions
Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.
AWS TerminateInstances
Permanently terminates one or more EC2 instances, releasing instance store data and associated resources.
Azure Update Conditional Access Policy
Modifies an existing Conditional Access policy, changing the conditions or controls that govern how users authenticate.
Azure Update named location
Updates a named location definition (IP ranges or countries) used in Entra ID Conditional Access policy conditions.
AWS UpdateDetector
Updates the configuration of a GuardDuty detector, such as enabling or disabling specific threat detection data sources.
Azure VaultPatch
Updates the properties of an Azure Key Vault, such as its access policies, network rules, or soft-delete configuration.