docs.aws.amazon.com
Submitted URL: http://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html
Effective URL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html
Submission: On May 19 via api from US — Scanned from DE
Amazon GuardDuty User Guide
GUARDDUTY EC2 FINDING TYPES

The following findings are specific to Amazon EC2 resources and always have a Resource Type of Instance. The severity and details of the findings differ based on the Resource Role, which indicates whether the EC2 resource was the target of suspicious activity or the actor performing the activity. The findings listed here include the data sources and models used to generate that finding type. For more information about data sources and models, see Foundational data sources.
NOTE
Instance details may be missing for some EC2 findings if the instance has already been terminated or if the underlying API call was part of a cross-Region API call that originated from an EC2 instance in a different Region.

For all EC2 findings, it is recommended that you examine the resource in question to determine if it is behaving in an expected manner. If the activity is authorized, you can use Suppression Rules or Trusted IP lists to prevent false positive notifications for that resource. If the activity is unexpected, the security best practice is to assume the instance has been compromised and take the actions detailed in Remediating a compromised EC2 instance.

TOPICS
* Backdoor:EC2/C&CActivity.B
* Backdoor:EC2/C&CActivity.B!DNS
* Backdoor:EC2/DenialOfService.Dns
* Backdoor:EC2/DenialOfService.Tcp
* Backdoor:EC2/DenialOfService.Udp
* Backdoor:EC2/DenialOfService.UdpOnTcpPorts
* Backdoor:EC2/DenialOfService.UnusualProtocol
* Backdoor:EC2/Spambot
* Behavior:EC2/NetworkPortUnusual
* Behavior:EC2/TrafficVolumeUnusual
* CryptoCurrency:EC2/BitcoinTool.B
* CryptoCurrency:EC2/BitcoinTool.B!DNS
* DefenseEvasion:EC2/UnusualDNSResolver
* DefenseEvasion:EC2/UnusualDoHActivity
* DefenseEvasion:EC2/UnusualDoTActivity
* Impact:EC2/AbusedDomainRequest.Reputation
* Impact:EC2/BitcoinDomainRequest.Reputation
* Impact:EC2/MaliciousDomainRequest.Reputation
* Impact:EC2/PortSweep
* Impact:EC2/SuspiciousDomainRequest.Reputation
* Impact:EC2/WinRMBruteForce
* Recon:EC2/PortProbeEMRUnprotectedPort
* Recon:EC2/PortProbeUnprotectedPort
* Recon:EC2/Portscan
* Trojan:EC2/BlackholeTraffic
* Trojan:EC2/BlackholeTraffic!DNS
* Trojan:EC2/DGADomainRequest.B
* Trojan:EC2/DGADomainRequest.C!DNS
* Trojan:EC2/DNSDataExfiltration
* Trojan:EC2/DriveBySourceTraffic!DNS
* Trojan:EC2/DropPoint
* Trojan:EC2/DropPoint!DNS
* Trojan:EC2/PhishingDomainRequest!DNS
* UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
* UnauthorizedAccess:EC2/MetadataDNSRebind
* UnauthorizedAccess:EC2/RDPBruteForce
* UnauthorizedAccess:EC2/SSHBruteForce
* UnauthorizedAccess:EC2/TorClient
* UnauthorizedAccess:EC2/TorRelay

Backdoor:EC2/C&CActivity.B
An EC2 instance is querying an IP that is associated with a known command and control server.

Default severity: High
* Data source: VPC flow logs

This finding informs you that the listed instance within your AWS environment is querying an IP associated with a known command and control (C&C) server. The listed instance might be compromised. Command and control servers are computers that issue commands to members of a botnet. A botnet is a collection of internet-connected devices, which might include PCs, servers, mobile devices, and Internet of Things devices, that are infected and controlled by a common type of malware. Botnets are often used to distribute malware and gather misappropriated information, such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to begin a distributed denial of service (DDoS) attack.

NOTE
If the IP queried is log4j-related, then the fields of the associated finding will include the following values:
* service.additionalInfo.threatListName = Amazon
* service.additionalInfo.threatName = Log4j Related

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Backdoor:EC2/C&CActivity.B!DNS
An EC2 instance is querying a domain name that is associated with a known command and control server.

Default severity: High
* Data source: DNS logs

This finding informs you that the listed instance within your AWS environment is querying a domain name associated with a known command and control (C&C) server. The listed instance might be compromised. Command and control servers are computers that issue commands to members of a botnet.
A botnet is a collection of internet-connected devices, which might include PCs, servers, mobile devices, and Internet of Things devices, that are infected and controlled by a common type of malware. Botnets are often used to distribute malware and gather misappropriated information, such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to begin a distributed denial of service (DDoS) attack.

NOTE
If the domain name queried is log4j-related, then the fields of the associated finding will include the following values:
* service.additionalInfo.threatListName = Amazon
* service.additionalInfo.threatName = Log4j Related

NOTE
To test how GuardDuty generates this finding type, you can make a DNS request from your instance (using dig for Linux or nslookup for Windows) against the test domain guarddutyc2activityb.com.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Backdoor:EC2/DenialOfService.Dns
An EC2 instance is behaving in a manner that may indicate it is being used to perform a denial of service (DoS) attack using the DNS protocol.

Default severity: High
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance within your AWS environment is generating a large volume of outbound DNS traffic. This may indicate that the listed instance is compromised and being used to perform denial-of-service (DoS) attacks using the DNS protocol.

NOTE
This finding detects DoS attacks only against publicly routable IP addresses, which are the primary targets of DoS attacks.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.
Backdoor:EC2/DenialOfService.Tcp
An EC2 instance is behaving in a manner indicating it is being used to perform a denial of service (DoS) attack using the TCP protocol.

Default severity: High
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance within your AWS environment is generating a large volume of outbound TCP traffic. This may indicate that the instance is compromised and being used to perform denial-of-service (DoS) attacks using the TCP protocol.

NOTE
This finding detects DoS attacks only against publicly routable IP addresses, which are the primary targets of DoS attacks.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Backdoor:EC2/DenialOfService.Udp
An EC2 instance is behaving in a manner indicating it is being used to perform a denial of service (DoS) attack using the UDP protocol.

Default severity: High
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance within your AWS environment is generating a large volume of outbound UDP traffic. This may indicate that the listed instance is compromised and being used to perform denial-of-service (DoS) attacks using the UDP protocol.

NOTE
This finding detects DoS attacks only against publicly routable IP addresses, which are the primary targets of DoS attacks.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Backdoor:EC2/DenialOfService.UdpOnTcpPorts
An EC2 instance is behaving in a manner that may indicate it is being used to perform a denial of service (DoS) attack using the UDP protocol on a TCP port.
Default severity: High
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance within your AWS environment is generating a large volume of outbound UDP traffic targeted to a port that is typically used for TCP communication. This may indicate that the listed instance is compromised and being used to perform denial-of-service (DoS) attacks using the UDP protocol on a TCP port.

NOTE
This finding detects DoS attacks only against publicly routable IP addresses, which are the primary targets of DoS attacks.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Backdoor:EC2/DenialOfService.UnusualProtocol
An EC2 instance is behaving in a manner that may indicate it is being used to perform a denial of service (DoS) attack using an unusual protocol.

Default severity: High
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is generating a large volume of outbound traffic using an unusual protocol type that is not typically used by EC2 instances, such as the Internet Group Management Protocol. This may indicate that the instance is compromised and is being used to perform denial-of-service (DoS) attacks using an unusual protocol. This finding detects DoS attacks only against publicly routable IP addresses, which are the primary targets of DoS attacks.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Backdoor:EC2/Spambot
An EC2 instance is exhibiting unusual behavior by communicating with a remote host on port 25.

Default severity: Medium
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is communicating with a remote host on port 25. This behavior is unusual because this EC2 instance has no prior history of communications on port 25.
Port 25 is traditionally used by mail servers for SMTP communications. This finding indicates your EC2 instance might be compromised for use in sending out spam.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Behavior:EC2/NetworkPortUnusual
An EC2 instance is communicating with a remote host on an unusual server port.

Default severity: Medium
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of communications on this remote port.

NOTE
If the EC2 instance communicated on port 389 or port 1389, then the associated finding severity will be modified to High, and the finding fields will include the following value:
* service.additionalInfo.context = Possible log4j callback

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Behavior:EC2/TrafficVolumeUnusual
An EC2 instance is generating unusually large amounts of network traffic to a remote host.

Default severity: Medium
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of sending this much traffic to this remote host.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

CryptoCurrency:EC2/BitcoinTool.B
An EC2 instance is querying an IP address that is associated with cryptocurrency-related activity.
Default severity: High
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is querying an IP address that is associated with Bitcoin or other cryptocurrency-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system that can be exchanged for other currencies, products, and services. Bitcoin is a reward for bitcoin mining and is highly sought after by threat actors.

Remediation recommendations:
If you use this EC2 instance to mine or manage cryptocurrency, or this instance is otherwise involved in blockchain activity, this finding could be expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the Finding type attribute with a value of CryptoCurrency:EC2/BitcoinTool.B. The second filter criterion should be the Instance ID of the instance involved in blockchain activity. To learn more about creating suppression rules, see Suppression rules.

If this activity is unexpected, your instance is likely compromised; see Remediating a compromised EC2 instance.

CryptoCurrency:EC2/BitcoinTool.B!DNS
An EC2 instance is querying a domain name that is associated with cryptocurrency-related activity.

Default severity: High
* Data source: DNS logs

This finding informs you that the listed EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin or other cryptocurrency-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system that can be exchanged for other currencies, products, and services. Bitcoin is a reward for bitcoin mining and is highly sought after by threat actors.
Remediation recommendations:
If you use this EC2 instance to mine or manage cryptocurrency, or this instance is otherwise involved in blockchain activity, this finding could be expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the Finding type attribute with a value of CryptoCurrency:EC2/BitcoinTool.B!DNS. The second filter criterion should be the Instance ID of the instance involved in blockchain activity. To learn more about creating suppression rules, see Suppression rules.

If this activity is unexpected, your instance is likely compromised; see Remediating a compromised EC2 instance.

DefenseEvasion:EC2/UnusualDNSResolver
An Amazon EC2 instance is communicating with an unusual public DNS resolver.

Default severity: Medium
* Data source: VPC flow logs

This finding informs you that the listed Amazon EC2 instance in your AWS environment is behaving in a way that deviates from the baseline behavior. This EC2 instance has no recent history of communicating with this public DNS resolver. The Unusual field in the finding details panel in the GuardDuty console can provide information about the queried DNS resolver.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

DefenseEvasion:EC2/UnusualDoHActivity
An Amazon EC2 instance is performing an unusual DNS over HTTPS (DoH) communication.

Default severity: Medium
* Data source: VPC flow logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance doesn't have any recent history of DNS over HTTPS (DoH) communications with this public DoH server.
The Unusual field in the finding details can provide information about the queried DoH server.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

DefenseEvasion:EC2/UnusualDoTActivity
An Amazon EC2 instance is performing an unusual DNS over TLS (DoT) communication.

Default severity: Medium
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance doesn't have any recent history of DNS over TLS (DoT) communications with this public DoT server. The Unusual field in the finding details panel can provide information about the queried DoT server.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Impact:EC2/AbusedDomainRequest.Reputation
An EC2 instance is querying a low reputation domain name that is associated with known abused domains.

Default severity: Medium
* Data source: DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a low reputation domain name associated with known abused domains or IP addresses. Examples of abused domains are top-level domains (TLDs) and second-level domains (2LDs) providing free subdomain registrations, as well as dynamic DNS providers. Threat actors tend to use these services to register domains for free or at low cost. Low reputation domains in this category may also be expired domains resolving to a registrar's parking IP address and therefore may no longer be active. A parking IP is where a registrar directs traffic for domains that have not been linked to any service. The listed Amazon EC2 instance may be compromised, as threat actors commonly use these registrars or services for C&C and malware distribution.
Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Impact:EC2/BitcoinDomainRequest.Reputation
An EC2 instance is querying a low reputation domain name that is associated with cryptocurrency-related activity.

Default severity: High
* Data source: DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a low reputation domain name associated with Bitcoin or other cryptocurrency-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system that can be exchanged for other currencies, products, and services. Bitcoin is a reward for bitcoin mining and is highly sought after by threat actors.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

Remediation recommendations:
If you use this EC2 instance to mine or manage cryptocurrency, or this instance is otherwise involved in blockchain activity, this finding could represent expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the Finding type attribute with a value of Impact:EC2/BitcoinDomainRequest.Reputation. The second filter criterion should be the Instance ID of the instance involved in blockchain activity. To learn more about creating suppression rules, see Suppression rules.

If this activity is unexpected, your instance is likely compromised; see Remediating a compromised EC2 instance.
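The two-criterion suppression rules recommended for the cryptocurrency findings above (finding type plus the Instance ID; the Recon findings further down the page use the Instance image ID or Tag value attribute instead) can be written as GuardDuty filter criteria and evaluated locally before a finding is routed to an analyst, with the log4j field values from the notes above used to escalate instead. The block below is an added example and not AWS code; it assumes the GuardDuty filter attribute names `type`, `resource.instanceDetails.instanceId`, `resource.instanceDetails.imageId` and `resource.instanceDetails.tags.value`, findings in the EventBridge (camelCase) shape, and constructed sample findings with placeholder instance and AMI IDs.

```python
"""Suppression-rule criteria and triage for GuardDuty EC2 findings.

Added example, not AWS code. Filter field names follow the GuardDuty filter
attribute syntax (assumed); findings use the EventBridge camelCase shape.
Every ID and finding below is constructed, not real data.
"""
from typing import Any, Optional

# Values the notes above say GuardDuty sets on log4j-related findings.
LOG4J_THREAT_NAME = "Log4j Related"
LOG4J_CONTEXT = "Possible log4j callback"


def suppression_criteria(finding_type: str, *, instance_id: Optional[str] = None,
                         image_id: Optional[str] = None,
                         tag_value: Optional[str] = None) -> dict:
    """Build the FindingCriteria document for a suppression rule (a filter with ARCHIVE action).

    The finding type must be paired with an instance selector, so the rule can
    never silence the finding type for every instance in the account.
    """
    criterion: dict = {"type": {"Equals": [finding_type]}}
    if instance_id:
        criterion["resource.instanceDetails.instanceId"] = {"Equals": [instance_id]}
    if image_id:
        criterion["resource.instanceDetails.imageId"] = {"Equals": [image_id]}
    if tag_value:
        criterion["resource.instanceDetails.tags.value"] = {"Equals": [tag_value]}
    if len(criterion) < 2:
        raise ValueError("suppression rule needs the finding type plus an instance selector")
    return {"Criterion": criterion}


def lookup(finding: dict, path: str) -> list:
    """Resolve a dotted filter attribute against a finding.

    Lists fan out, so resource.instanceDetails.tags.value yields every tag
    value on the instance instead of failing on the list of tag objects.
    """
    values: list = [finding]
    for part in path.split("."):
        nxt: list = []
        for value in values:
            items = value if isinstance(value, list) else [value]
            nxt.extend(item[part] for item in items if isinstance(item, dict) and part in item)
        values = nxt
    flat: list = []
    for value in values:
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def matches(finding: dict, criteria: dict) -> bool:
    """True when every criterion of the rule holds for this finding."""
    for field, condition in criteria["Criterion"].items():
        found = lookup(finding, field)
        if "Equals" in condition and not any(v in condition["Equals"] for v in found):
            return False
        if "NotEquals" in condition and any(v in condition["NotEquals"] for v in found):
            return False
    return True


def triage(finding: dict, rules: list) -> str:
    """Classify one finding: 'suppressed', 'escalate' (log4j indicators) or 'review'."""
    if any(matches(finding, rule) for rule in rules):
        return "suppressed"
    info = finding.get("service", {}).get("additionalInfo", {})
    if info.get("threatName") == LOG4J_THREAT_NAME or info.get("context") == LOG4J_CONTEXT:
        return "escalate"
    return "review"


def triage_all(findings: list, rules: list) -> list:
    return [triage(f, rules) for f in findings]


def _ec2_finding(finding_type: str, instance_id: str, tag_value: str,
                 additional_info: Optional[dict] = None) -> dict:
    """Constructed EventBridge-shaped finding; IDs are placeholders, not real resources."""
    return {
        "type": finding_type,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": instance_id,
                                         "imageId": "ami-0000000example",
                                         "tags": [{"key": "Role", "value": tag_value}]}},
        "service": {"additionalInfo": additional_info or {}},
    }


# Two rules of the kind the page recommends: a blockchain node by instance ID,
# and a vulnerability-scanner fleet by tag value.
RULES = [
    suppression_criteria("CryptoCurrency:EC2/BitcoinTool.B!DNS", instance_id="i-00000000example1"),
    suppression_criteria("Recon:EC2/Portscan", tag_value="vuln-scanner"),
]

SAMPLE_FINDINGS = [
    _ec2_finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", "i-00000000example1", "blockchain-node"),
    _ec2_finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", "i-00000000example2", "web"),
    _ec2_finding("Recon:EC2/Portscan", "i-00000000example3", "vuln-scanner"),
    _ec2_finding("Backdoor:EC2/C&CActivity.B!DNS", "i-00000000example2", "web",
                 {"threatListName": "Amazon", "threatName": LOG4J_THREAT_NAME}),
    _ec2_finding("Behavior:EC2/NetworkPortUnusual", "i-00000000example2", "web",
                 {"context": LOG4J_CONTEXT}),
]

if __name__ == "__main__":
    for finding, verdict in zip(SAMPLE_FINDINGS, triage_all(SAMPLE_FINDINGS, RULES)):
        print(f"{verdict:10s} {finding['type']}")
```

The same FindingCriteria document is what a CreateFilter call with an ARCHIVE action takes, so the rule you test locally is the rule you deploy.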
Impact:EC2/MaliciousDomainRequest.Reputation
An EC2 instance is querying a low reputation domain that is associated with known malicious domains.

Default severity: High
* Data source: DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a low reputation domain name associated with known malicious domains or IP addresses. For example, domains may be associated with a known sinkhole IP address. Sinkholed domains are domains that were previously controlled by a threat actor, and requests made to them can indicate the instance is compromised. These domains may also be correlated with known malicious campaigns or domain generation algorithms.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Impact:EC2/PortSweep
An EC2 instance is probing a port on a large number of IP addresses.

Default severity: High
* Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is probing a port on a large number of publicly routable IP addresses. This type of activity is typically used to find vulnerable hosts to exploit. In the finding details panel in your GuardDuty console, only the most recent remote IP address is displayed.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Impact:EC2/SuspiciousDomainRequest.Reputation
An EC2 instance is querying a low reputation domain name that is suspicious in nature due to its age or low popularity.
Default severity: Low
* Data source: DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a low reputation domain name that is suspected of being malicious. GuardDuty noticed characteristics of this domain that were consistent with previously observed malicious domains; however, our reputation model was unable to definitively relate it to a known threat. These domains are typically newly observed or receive a low amount of traffic.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Impact:EC2/WinRMBruteForce
An EC2 instance is performing an outbound Windows Remote Management brute force attack.

Default severity: Low*

NOTE
This finding's severity is Low if your EC2 instance was the target of a brute force attack. This finding's severity is High if your EC2 instance is the actor being used to perform the brute force attack.

* Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is performing a Windows Remote Management (WinRM) brute force attack aimed at gaining access to the Windows Remote Management service on Windows-based systems.

Remediation recommendations:
If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Recon:EC2/PortProbeEMRUnprotectedPort
An EC2 instance has an unprotected EMR related port which is being probed by a known malicious host.
Default severity: High
* Data source: VPC flow logs

This finding informs you that an EMR related sensitive port on the listed EC2 instance, which is part of an EMR cluster in your AWS environment, is not blocked by a security group, an access control list (ACL), or an on-host firewall such as Linux IPTables, and that known scanners on the internet are actively probing it. Ports that can trigger this finding, such as port 8088 (YARN Web UI port), could potentially be used for remote code execution.

Remediation recommendations:
You should block open access to ports on clusters from the internet and restrict access only to specific IP addresses that require access to these ports. For more information, see Security Groups for EMR Clusters.

Recon:EC2/PortProbeUnprotectedPort
An EC2 instance has an unprotected port that is being probed by a known malicious host.

Default severity: Low*

NOTE
This finding's default severity is Low. However, if the port being probed is used by Elasticsearch (9200 or 9300), the finding's severity is High.

* Data source: VPC flow logs

This finding informs you that a port on the listed EC2 instance in your AWS environment is not blocked by a security group, access control list (ACL), or an on-host firewall such as Linux IPTables, and that known scanners on the internet are actively probing it. If the identified unprotected port is 22 or 3389 and you are using these ports to connect to your instance, you can still limit exposure by allowing access to these ports only from the IP addresses of your corporate network IP address space. To restrict access to port 22 on Linux, see Authorizing Inbound Traffic for Your Linux Instances. To restrict access to port 3389 on Windows, see Authorizing Inbound Traffic for Your Windows Instances.

Remediation recommendations:
There may be cases in which instances are intentionally exposed, for example if they are hosting web servers.
If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the Finding type attribute with a value of Recon:EC2/PortProbeUnprotectedPort. The second filter criterion should match the instance or instances that serve as a bastion host. You can use either the Instance image ID attribute or the Tag value attribute, depending on which criterion is identifiable with the instances that host these tools. For more information about creating suppression rules, see Suppression rules.

If this activity is unexpected, your instance is likely compromised; see Remediating a compromised EC2 instance.

Recon:EC2/Portscan
An EC2 instance is performing outbound port scans to a remote host.

Default severity: Medium
Data source: VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is engaged in a possible port scan attack because it is trying to connect to multiple ports over a short period of time. The purpose of a port scan attack is to locate open ports to discover which services the machine is running and to identify its operating system.

Remediation recommendations: This finding can be a false positive when vulnerability assessment applications are deployed on EC2 instances in your environment, because these applications conduct port scans to alert you about misconfigured open ports. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the Finding type attribute with a value of Recon:EC2/Portscan. The second filter criterion should match the instance or instances that host these vulnerability assessment tools.
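The two-criterion suppression rule described for Recon:EC2/PortProbeUnprotectedPort above and for Recon:EC2/Portscan here, as an added Python example that is not part of the AWS documentation. It builds the FindingCriteria structure a GuardDuty filter takes and evaluates that structure locally against constructed sample findings, so a rule can be checked to archive only the bastion or scanner instances before it is created in the account. The JSON field names used for the console attributes (type, resource.instanceDetails.imageId, resource.instanceDetails.tags.value) are assumptions to verify against the GuardDuty filter attribute list; the AMI IDs, tags and finding IDs are constructed.

```python
"""Build a two-criterion GuardDuty suppression rule and test it locally.

Added example, not AWS code. The console attributes "Finding type",
"Instance image ID" and "Tag value" are assumed to map to the filter JSON
field names below; confirm them against the GuardDuty filter documentation.
"""

# Console attribute -> filter JSON field name (assumed mapping).
ATTRIBUTE_FIELDS = {
    "Finding type": "type",
    "Instance image ID": "resource.instanceDetails.imageId",
    "Tag value": "resource.instanceDetails.tags.value",
}


def suppression_criteria(finding_type: str, attribute: str, values: list) -> dict:
    """FindingCriteria for a suppression rule: the finding type plus one
    attribute that identifies the instances the finding is expected for."""
    return {
        "Criterion": {
            ATTRIBUTE_FIELDS["Finding type"]: {"Eq": [finding_type]},
            ATTRIBUTE_FIELDS[attribute]: {"Eq": list(values)},
        }
    }


def _lookup(finding: dict, dotted: str) -> list:
    """Resolve a dotted field path inside a finding. Lists (such as tags)
    fan out, so 'tags.value' yields the value of every tag."""
    nodes = [finding]
    for part in dotted.split("."):
        nxt = []
        for node in nodes:
            items = node if isinstance(node, list) else [node]
            for item in items:
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        nodes = nxt
    flat = []
    for n in nodes:
        flat.extend(n if isinstance(n, list) else [n])
    return [v for v in flat if isinstance(v, (str, int))]


def matches(finding: dict, criteria: dict) -> bool:
    """True when, for every criterion, one of its Eq values is present."""
    for field, cond in criteria["Criterion"].items():
        if not set(_lookup(finding, field)) & set(cond["Eq"]):
            return False
    return True


def suppress(findings: list, criteria: dict):
    """Split findings into (archived, kept), as an ARCHIVE filter would."""
    archived = [f for f in findings if matches(f, criteria)]
    kept = [f for f in findings if not matches(f, criteria)]
    return archived, kept


# Constructed sample findings; the AMI IDs and tags are invented.
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "Recon:EC2/PortProbeUnprotectedPort",
     "resource": {"instanceDetails": {"imageId": "ami-EXAMPLE-bastion",
                  "tags": [{"key": "Role", "value": "bastion"}]}}},
    {"id": "f-2", "type": "Recon:EC2/PortProbeUnprotectedPort",
     "resource": {"instanceDetails": {"imageId": "ami-EXAMPLE-app",
                  "tags": [{"key": "Role", "value": "app"}]}}},
    {"id": "f-3", "type": "Recon:EC2/Portscan",
     "resource": {"instanceDetails": {"imageId": "ami-EXAMPLE-scanner",
                  "tags": [{"key": "Role", "value": "vuln-scanner"}]}}},
]

# Bastion hosts identified by tag; the scanner fleet by its AMI.
BASTION_RULE = suppression_criteria(
    "Recon:EC2/PortProbeUnprotectedPort", "Tag value", ["bastion"])
SCANNER_RULE = suppression_criteria(
    "Recon:EC2/Portscan", "Instance image ID", ["ami-EXAMPLE-scanner"])

if __name__ == "__main__":
    for rule in (BASTION_RULE, SCANNER_RULE):
        archived, kept = suppress(SAMPLE_FINDINGS, rule)
        print("archived:", [f["id"] for f in archived],
              "kept:", [f["id"] for f in kept])
    # The same dict is what boto3's guardduty.create_filter() takes as
    # FindingCriteria, together with Action="ARCHIVE".
```

Running the script archives f-1 under the bastion rule and f-3 under the scanner rule; f-2, an application instance probed on an open port, stays visible in both cases, which is the point of keying the second criterion on something only the intended instances share.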
You can use either the Instance image ID attribute or the Tag value attribute, depending on which criterion is identifiable with the instances that host these tools. For more information about creating suppression rules, see Suppression rules.

If this activity is unexpected, your instance is likely compromised; see Remediating a compromised EC2 instance.

Trojan:EC2/BlackholeTraffic
An EC2 instance is attempting to communicate with an IP address of a remote host that is a known black hole.

Default severity: Medium
Data source: VPC flow logs

This finding informs you the listed EC2 instance in your AWS environment might be compromised because it is trying to communicate with an IP address of a black hole (or sink hole). Black holes are places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient. A black hole IP address specifies a host machine that is not running or an address to which no host has been assigned.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Trojan:EC2/BlackholeTraffic!DNS
An EC2 instance is querying a domain name that is being redirected to a black hole IP address.

Default severity: Medium
Data source: DNS logs

This finding informs you the listed EC2 instance in your AWS environment might be compromised because it is querying a domain name that is being redirected to a black hole IP address. Black holes are places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Trojan:EC2/DGADomainRequest.B
An EC2 instance is querying algorithmically generated domains.
Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.

Default severity: High
Data source: DNS logs

This finding informs you that the listed EC2 instance in your AWS environment is trying to query domain generation algorithm (DGA) domains. Your EC2 instance might be compromised.

DGAs are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control (C&C) servers. Command and control servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware. The large number of potential rendezvous points makes it difficult to effectively shut down botnets because infected computers attempt to contact some of these domain names every day to receive updates or commands.

NOTE: This finding is based on analysis of domain names using advanced heuristics and may identify new DGA domains that are not present in threat intelligence feeds.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Trojan:EC2/DGADomainRequest.C!DNS
An EC2 instance is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.

Default severity: High
Data source: DNS logs

This finding informs you that the listed EC2 instance in your AWS environment is trying to query domain generation algorithm (DGA) domains. Your EC2 instance might be compromised.

DGAs are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control (C&C) servers. Command and control servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware.
The large number of potential rendezvous points makes it difficult to effectively shut down botnets because infected computers attempt to contact some of these domain names every day to receive updates or commands.

NOTE: This finding is based on known DGA domains from GuardDuty's threat intelligence feeds.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Trojan:EC2/DNSDataExfiltration
An EC2 instance is exfiltrating data through DNS queries.

Default severity: High
Data source: DNS logs

This finding informs you that the listed EC2 instance in your AWS environment is running malware that uses DNS queries for outbound data transfers. This type of data transfer is indicative of a compromised instance and could result in the exfiltration of data. DNS traffic is not typically blocked by firewalls. For example, malware in a compromised EC2 instance can encode data (such as your credit card number) into a DNS query and send it to a remote DNS server that is controlled by an attacker.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Trojan:EC2/DriveBySourceTraffic!DNS
An EC2 instance is querying a domain name of a remote host that is a known source of drive-by download attacks.

Default severity: High
Data source: DNS logs

This finding informs you that the listed EC2 instance in your AWS environment might be compromised because it is querying a domain name of a remote host that is a known source of drive-by download attacks. These are unintended downloads of computer software from the internet that can trigger an automatic installation of a virus, spyware, or malware.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.
Trojan:EC2/DropPoint
An EC2 instance is attempting to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.

Default severity: Medium
Data source: VPC flow logs

This finding informs you that an EC2 instance in your AWS environment is trying to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Trojan:EC2/DropPoint!DNS
An EC2 instance is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.

Default severity: Medium
Data source: DNS logs

This finding informs you that an EC2 instance in your AWS environment is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

Trojan:EC2/PhishingDomainRequest!DNS
An EC2 instance is querying domains involved in phishing attacks. Your EC2 instance might be compromised.

Default severity: High
Data source: DNS logs

This finding informs you that there is an EC2 instance in your AWS environment that is trying to query a domain involved in phishing attacks. Phishing domains are set up by someone posing as a legitimate institution in order to induce individuals to provide sensitive data, such as personally identifiable information, banking and credit card details, and passwords. Your EC2 instance may be trying to retrieve sensitive data stored on a phishing website, or it may be attempting to set up a phishing website. Your EC2 instance might be compromised.

Remediation recommendations: If this activity is unexpected, your instance may be compromised.
For more information, see Remediating a compromised EC2 instance.

UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
An EC2 instance is making connections to an IP address on a custom threat list.

Default severity: Medium
Data source: VPC flow logs

This finding informs you that an EC2 instance in your AWS environment is communicating with an IP address included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on uploaded threat lists. The threat list used to generate this finding will be listed in the finding's details.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

UnauthorizedAccess:EC2/MetadataDNSRebind
An EC2 instance is performing DNS lookups that resolve to the instance metadata service.

Default severity: High
Data source: DNS logs

This finding informs you that an EC2 instance in your AWS environment is querying a domain that resolves to the EC2 metadata IP address (169.254.169.254). A DNS query of this kind may indicate that the instance is a target of a DNS rebinding technique. This technique can be used to obtain metadata from an EC2 instance, including the IAM credentials associated with the instance.

DNS rebinding involves tricking an application running on the EC2 instance into loading return data from a URL, where the domain name in the URL resolves to the EC2 metadata IP address (169.254.169.254). This causes the application to access EC2 metadata and possibly make it available to the attacker. It is possible to access EC2 metadata using DNS rebinding only if the EC2 instance is running a vulnerable application that allows injection of URLs, or if someone accesses the URL in a web browser running on the EC2 instance.
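A defender's check for the behaviour described above, as an added Python example that is not part of the AWS documentation: it scans DNS query log records for answers that resolve to the metadata address 169.254.169.254 and separates domains an organisation has deliberately mapped there (the case the remediation guidance treats as a suppression candidate) from the lookups that warrant investigation. The records are constructed and follow the shape of Route 53 Resolver query logs (query_name, answers[].Rdata, srcids.instance), which is an assumption; the domain names, instance IDs and the allowlist are invented.

```python
"""Flag DNS queries whose answers resolve to the EC2 metadata address.

Added example, not AWS code. Record layout assumed to follow Route 53
Resolver query logging; the sample records and allowlist are constructed.
"""
import ipaddress
import json

METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed sample: three resolver query log records, one per line.
SAMPLE_LOG = """
{"query_name":"updates.example.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.10","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.5","srcids":{"instance":"i-0EXAMPLEaaaa"}}
{"query_name":"rebind-test.example.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"169.254.169.254","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.5","srcids":{"instance":"i-0EXAMPLEaaaa"}}
{"query_name":"metadata.corp.example.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"169.254.169.254","Type":"A","Class":"IN"}],"srcaddr":"10.0.2.9","srcids":{"instance":"i-0EXAMPLEbbbb"}}
"""

# Domains this (constructed) organisation intentionally maps to the
# metadata address on its authoritative DNS; the page treats these as a
# suppression-rule case rather than an incident.
INTENTIONAL_MAPPINGS = frozenset({"metadata.corp.example."})


def resolves_to_metadata(record: dict) -> bool:
    """True if any A/AAAA answer in the record is the metadata address."""
    for ans in record.get("answers", []):
        if ans.get("Type") not in ("A", "AAAA"):
            continue
        try:
            if ipaddress.ip_address(ans["Rdata"]) == METADATA_IP:
                return True
        except (KeyError, ValueError):
            continue
    return False


def find_rebind_candidates(log_text: str, allowlist=frozenset()):
    """Return (alerts, suppressed): queries resolving to the metadata
    address, split by whether the domain is a known intentional mapping."""
    alerts, suppressed = [], []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not resolves_to_metadata(rec):
            continue
        hit = {
            "domain": rec["query_name"],
            "instance": rec.get("srcids", {}).get("instance"),
            "src": rec.get("srcaddr"),
        }
        (suppressed if rec["query_name"] in allowlist else alerts).append(hit)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = find_rebind_candidates(SAMPLE_LOG, INTENTIONAL_MAPPINGS)
    for hit in alerts:
        # Each alert names the instance to examine for a URL-fetching
        # application or browser use, as the remediation guidance describes.
        print("investigate:", hit)
    for hit in suppressed:
        print("intentional mapping:", hit)
```

The allowlist is keyed on the exact query name so that a look-alike under another zone is still reported; the same domain value is what a suppression rule's DNS request domain criterion would carry.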
Remediation recommendations: In response to this finding, you should evaluate whether there is a vulnerable application running on the EC2 instance, or whether someone used a browser to access the domain identified in the finding. If the root cause is a vulnerable application, you should fix the vulnerability. If someone browsed the identified domain, you should block the domain or prevent users from accessing it. If you determine this finding was related to either case above, revoke the session associated with the EC2 instance.

Some AWS customers intentionally map the metadata IP address to a domain name on their authoritative DNS servers. If this is the case in your environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the Finding type attribute with a value of UnauthorizedAccess:EC2/MetaDataDNSRebind. The second filter criterion should be DNS request domain, and the value should match the domain you have mapped to the metadata IP address (169.254.169.254). For more information on creating suppression rules, see Suppression rules.

UnauthorizedAccess:EC2/RDPBruteForce
An EC2 instance has been involved in RDP brute force attacks.

Default severity: Low*
NOTE: This finding's severity is low if your EC2 instance was the target of a brute force attack. This finding's severity is high if your EC2 instance is the actor being used to perform the brute force attack.
Data source: VPC flow logs

This finding informs you that an EC2 instance in your AWS environment was involved in a brute force attack aimed at obtaining passwords to RDP services on Windows-based systems. This can indicate unauthorized access to your AWS resources.

Remediation recommendations: If your instance's Resource Role is ACTOR, this indicates your instance has been used to perform RDP brute force attacks.
Unless this instance has a legitimate reason to be contacting the IP address listed as the Target, it is recommended that you assume your instance has been compromised and take the actions listed in Remediating a compromised EC2 instance.

If your instance's Resource Role is TARGET, this finding can be remediated by securing your RDP port to only trusted IPs through Security Groups, ACLs, or firewalls. For more information, see Tips for securing your EC2 instances (Linux).

UnauthorizedAccess:EC2/SSHBruteForce
An EC2 instance has been involved in SSH brute force attacks.

Default severity: Low*
NOTE: This finding's severity is low if a brute force attack is aimed at one of your EC2 instances. This finding's severity is high if your EC2 instance is being used to perform the brute force attack.
Data source: VPC flow logs

This finding informs you that an EC2 instance in your AWS environment was involved in a brute force attack aimed at obtaining passwords to SSH services on Linux-based systems. This can indicate unauthorized access to your AWS resources.

NOTE: This finding is generated only through monitoring traffic on port 22. If your SSH services are configured to use other ports, this finding is not generated.

Remediation recommendations: If the target of the brute force attempt is a bastion host, this may represent expected behavior for your AWS environment. If this is the case, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the Finding type attribute with a value of UnauthorizedAccess:EC2/SSHBruteForce. The second filter criterion should match the instance or instances that serve as a bastion host. You can use either the Instance image ID attribute or the Tag value attribute, depending on which criterion is identifiable with the instances that host these tools. For more information about creating suppression rules, see Suppression rules.
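The TARGET-side remediation for the RDP and SSH brute force findings, and the port 22/3389 guidance under Recon:EC2/PortProbeUnprotectedPort, come down to the same control: those ports must only be reachable from trusted address space. The following is an added Python example, not from the AWS documentation, that audits security group ingress rules in the IpPermissions shape returned by EC2 DescribeSecurityGroups and reports every rule that exposes port 22 or 3389 to a source outside a trusted list. The security groups and the trusted corporate range 198.51.100.0/24 are constructed.

```python
"""Audit security-group ingress for SSH (22) and RDP (3389) reachable from
outside trusted address space.

Added example, not AWS code. Input mirrors the IpPermissions structure of
EC2 DescribeSecurityGroups; the groups and trusted range are constructed.
"""
import ipaddress

REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Assumed corporate address space that is allowed to reach admin ports.
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample security groups (not real AWS output).
SAMPLE_GROUPS = [
    {"GroupId": "sg-EXAMPLE-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-EXAMPLE-restricted",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-EXAMPLE-allports",
     "IpPermissions": [
         # IpProtocol "-1" is "all traffic" and carries no port range.
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": []}]},
]


def _covers_port(perm: dict, port: int) -> bool:
    """True if the rule admits TCP traffic to the given port."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _untrusted_sources(perm: dict, trusted) -> list:
    """Source CIDRs of the rule not fully contained in a trusted network."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    bad = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            bad.append(cidr)
    return bad


def exposed_admin_ports(groups, trusted=TRUSTED) -> list:
    """Return (group id, port, service, [untrusted source CIDRs]) for every
    rule that exposes SSH or RDP beyond the trusted networks."""
    results = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for port, name in REMOTE_ADMIN_PORTS.items():
                if _covers_port(perm, port):
                    bad = _untrusted_sources(perm, trusted)
                    if bad:
                        results.append((group["GroupId"], port, name, bad))
    return results


if __name__ == "__main__":
    for group_id, port, name, sources in exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {name} (tcp/{port}) open to {', '.join(sources)}")
```

Note that an "all traffic" rule is reported for both ports even though it names neither, and that an IPv6 `::/0` source is never considered trusted by an IPv4-only allowlist; both are common ways an instance ends up as the TARGET of these findings while an auditor who greps for "22" sees nothing.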
If this activity is not expected for your environment and your instance's Resource Role is TARGET, this finding can be remediated by securing your SSH port to only trusted IPs through Security Groups, ACLs, or firewalls. For more information, see Tips for securing your EC2 instances (Linux).

If your instance's Resource Role is ACTOR, this indicates the instance has been used to perform SSH brute force attacks. Unless this instance has a legitimate reason to be contacting the IP address listed as the Target, it is recommended that you assume your instance has been compromised and take the actions listed in Remediating a compromised EC2 instance.

UnauthorizedAccess:EC2/TorClient
Your EC2 instance is making connections to a Tor Guard or an Authority node.

Default severity: High
Data source: VPC flow logs

This finding informs you that an EC2 instance in your AWS environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guards and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this EC2 instance has been compromised and is acting as a client on a Tor network. This finding may indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity.

Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

UnauthorizedAccess:EC2/TorRelay
Your EC2 instance is making connections to a Tor network as a Tor relay.

Default severity: High
Data source: VPC flow logs

This finding informs you that an EC2 instance in your AWS environment is making connections to a Tor network in a manner that suggests that it's acting as a Tor relay. Tor is software for enabling anonymous communication. Tor increases anonymity of communication by forwarding the client's possibly illicit traffic from one Tor relay to another.
Remediation recommendations: If this activity is unexpected, your instance may be compromised. For more information, see Remediating a compromised EC2 instance.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On this page

* Backdoor:EC2/C&CActivity.B
* Backdoor:EC2/C&CActivity.B!DNS
* Backdoor:EC2/DenialOfService.Dns
* Backdoor:EC2/DenialOfService.Tcp
* Backdoor:EC2/DenialOfService.Udp
* Backdoor:EC2/DenialOfService.UdpOnTcpPorts
* Backdoor:EC2/DenialOfService.UnusualProtocol
* Backdoor:EC2/Spambot
* Behavior:EC2/NetworkPortUnusual
* Behavior:EC2/TrafficVolumeUnusual
* CryptoCurrency:EC2/BitcoinTool.B
* CryptoCurrency:EC2/BitcoinTool.B!DNS
* DefenseEvasion:EC2/UnusualDNSResolver
* DefenseEvasion:EC2/UnusualDoHActivity
* DefenseEvasion:EC2/UnusualDoTActivity
* Impact:EC2/AbusedDomainRequest.Reputation
* Impact:EC2/BitcoinDomainRequest.Reputation
* Impact:EC2/MaliciousDomainRequest.Reputation
* Impact:EC2/PortSweep
* Impact:EC2/SuspiciousDomainRequest.Reputation
* Impact:EC2/WinRMBruteForce
* Recon:EC2/PortProbeEMRUnprotectedPort
* Recon:EC2/PortProbeUnprotectedPort
* Recon:EC2/Portscan
* Trojan:EC2/BlackholeTraffic
* Trojan:EC2/BlackholeTraffic!DNS
* Trojan:EC2/DGADomainRequest.B
* Trojan:EC2/DGADomainRequest.C!DNS
* Trojan:EC2/DNSDataExfiltration
* Trojan:EC2/DriveBySourceTraffic!DNS
* Trojan:EC2/DropPoint
* Trojan:EC2/DropPoint!DNS
* Trojan:EC2/PhishingDomainRequest!DNS
* UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
* UnauthorizedAccess:EC2/MetadataDNSRebind
* UnauthorizedAccess:EC2/RDPBruteForce
* UnauthorizedAccess:EC2/SSHBruteForce
* UnauthorizedAccess:EC2/TorClient
* UnauthorizedAccess:EC2/TorRelay