Findings that invoke GuardDuty-initiated malware scan

A GuardDuty-initiated malware scan gets invoked when GuardDuty detects suspicious behavior indicative of malware on Amazon EC2 instance or container workloads.

Backdoor:EC2/C&CActivity.B
Backdoor:EC2/C&CActivity.B!DNS
Backdoor:EC2/DenialOfService.Dns
Backdoor:EC2/DenialOfService.Tcp
Backdoor:EC2/DenialOfService.Udp
Backdoor:EC2/DenialOfService.UdpOnTcpPorts
Backdoor:EC2/DenialOfService.UnusualProtocol
Backdoor:EC2/Spambot
CryptoCurrency:EC2/BitcoinTool.B
CryptoCurrency:EC2/BitcoinTool.B!DNS
Impact:EC2/AbusedDomainRequest.Reputation
Impact:EC2/BitcoinDomainRequest.Reputation
Impact:EC2/MaliciousDomainRequest.Reputation
Impact:EC2/PortSweep
Impact:EC2/SuspiciousDomainRequest.Reputation
Impact:EC2/WinRMBruteForce (Outbound only)
Recon:EC2/Portscan
Trojan:EC2/BlackholeTraffic
Trojan:EC2/BlackholeTraffic!DNS
Trojan:EC2/DGADomainRequest.B
Trojan:EC2/DGADomainRequest.C!DNS
Trojan:EC2/DNSDataExfiltration
Trojan:EC2/DriveBySourceTraffic!DNS
Trojan:EC2/DropPoint
Trojan:EC2/DropPoint!DNS
Trojan:EC2/PhishingDomainRequest!DNS
UnauthorizedAccess:EC2/RDPBruteForce (Outbound only)
UnauthorizedAccess:EC2/SSHBruteForce (Outbound only)
UnauthorizedAccess:EC2/TorClient
UnauthorizedAccess:EC2/TorRelay
Backdoor:Runtime/C&CActivity.B
Backdoor:Runtime/C&CActivity.B!DNS
CryptoCurrency:Runtime/BitcoinTool.B
CryptoCurrency:Runtime/BitcoinTool.B!DNS
Execution:Runtime/NewBinaryExecuted
Execution:Runtime/NewLibraryLoaded
Execution:Runtime/ReverseShell
Impact:Runtime/AbusedDomainRequest.Reputation
Impact:Runtime/BitcoinDomainRequest.Reputation
Impact:Runtime/CryptoMinerExecuted
Impact:Runtime/MaliciousDomainRequest.Reputation
Impact:Runtime/SuspiciousDomainRequest.Reputation
PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified
PrivilegeEscalation:Runtime/ContainerMountsHostDirectory
PrivilegeEscalation:Runtime/DockerSocketAccessed
PrivilegeEscalation:Runtime/RuncContainerEscape
PrivilegeEscalation:Runtime/UserfaultfdUsage
Trojan:Runtime/BlackholeTraffic
Trojan:Runtime/BlackholeTraffic!DNS
Trojan:Runtime/DropPoint
Trojan:Runtime/DropPoint!DNS
Trojan:Runtime/DGADomainRequest.C!DNS
Trojan:Runtime/DriveBySourceTraffic!DNS
Trojan:Runtime/PhishingDomainRequest!DNS
UnauthorizedAccess:Runtime/MetadataDNSRebind

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Configuring GuardDuty-initiated malware scan

On-demand malware scan