Amazon GuardDuty
Amazon GuardDuty User Guide

GuardDuty CryptoCurrency Finding Types

This section covers the active CryptoCurrency threat purpose finding types. For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document History for Amazon GuardDuty.

Important

The default severity value of a finding type is subject to change based on various criteria when the finding is generated.

CryptoCurrency:EC2/BitcoinTool.B!DNS

Default severity: Medium

Finding description

EC2 instance is querying a domain name that is associated with cryptocurrency-related activity.

This finding informs you that an EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin, or other cryptocurrency-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system. Besides being created as a reward for Bitcoin mining, Bitcoin can be exchanged for other currencies, products, and services. Unless you use this EC2 instance to mine or manage cryptocurrency or your EC2 instance is involved in blockchain activity, your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

CryptoCurrency:EC2/BitcoinTool.B

Default severity: High

Finding description

EC2 instance is querying an IP address that is associated with cryptocurrency-related activity.

This finding informs you that an EC2 instance in your AWS environment is communicating with an IP address that is associated with Bitcoin, or other cryptocurrency-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system. Besides being created as a reward for Bitcoin mining, Bitcoin can be exchanged for other currencies, products, and services. Unless you use this EC2 instance to mine or manage cryptocurrency or your EC2 instance is involved in blockchain activity, your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.
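Both finding types above carry the same triage question: which instance is involved, which domain or IP triggered the finding, and whether that instance is one you knowingly run cryptocurrency workloads on. The following Python is an added example written for this page, not code from the GuardDuty documentation or from AWS. It parses two constructed findings in the camelCase shape GuardDuty publishes to EventBridge (the instance IDs, domain and IP address are made up), extracts the indicator behind each finding type (the DNS domain for BitcoinTool.B!DNS, the remote IPv4 address for BitcoinTool.B), reads the numeric severity from the finding instead of assuming the default listed on this page, and compares the instance against an allowlist of instances documented as running mining or blockchain workloads. The allowlist name `expected_miners` and the decision strings are assumptions of the example.

```python
import ipaddress
import json

# Constructed sample findings, shaped like the EventBridge event detail
# GuardDuty emits (camelCase keys). All identifiers below are made up.
SAMPLE_DNS_FINDING = json.loads("""
{
  "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
  "severity": 5,
  "resource": {
    "resourceType": "Instance",
    "instanceDetails": {"instanceId": "i-0123456789abcdef0"}
  },
  "service": {
    "action": {
      "actionType": "DNS_REQUEST",
      "dnsRequestAction": {
        "domain": "pool.example-mining.test",
        "protocol": "UDP",
        "blocked": false
      }
    },
    "count": 3
  }
}
""")

SAMPLE_IP_FINDING = json.loads("""
{
  "type": "CryptoCurrency:EC2/BitcoinTool.B",
  "severity": 8,
  "resource": {
    "resourceType": "Instance",
    "instanceDetails": {"instanceId": "i-0fedcba9876543210"}
  },
  "service": {
    "action": {
      "actionType": "NETWORK_CONNECTION",
      "networkConnectionAction": {
        "connectionDirection": "OUTBOUND",
        "protocol": "TCP",
        "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
        "remotePortDetails": {"port": 3333}
      }
    },
    "count": 12
  }
}
""")


def severity_label(severity):
    """Map GuardDuty's numeric severity to its Low/Medium/High bands.

    GuardDuty uses 1.0-3.9 = Low, 4.0-6.9 = Medium, 7.0-8.9 = High. Reading
    the number from the finding matters because the default severity of a
    finding type can change when the finding is generated.
    """
    if 1.0 <= severity <= 3.9:
        return "Low"
    if 4.0 <= severity <= 6.9:
        return "Medium"
    if 7.0 <= severity <= 8.9:
        return "High"
    raise ValueError(f"severity {severity!r} outside GuardDuty's documented range")


def extract_indicator(finding):
    """Return (kind, value) for the network indicator behind the finding.

    BitcoinTool.B!DNS findings carry a DNS_REQUEST action with the queried
    domain; BitcoinTool.B findings carry a NETWORK_CONNECTION action with the
    remote IP. The IP is validated so a malformed event fails loudly.
    """
    action = finding["service"]["action"]
    kind = action["actionType"]
    if kind == "DNS_REQUEST":
        return "domain", action["dnsRequestAction"]["domain"]
    if kind == "NETWORK_CONNECTION":
        ip = action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]
        return "ip", str(ipaddress.ip_address(ip))
    raise ValueError(f"unexpected actionType {kind!r} for a CryptoCurrency finding")


def triage(finding, expected_miners=frozenset()):
    """Decide whether a CryptoCurrency:EC2 finding is expected or needs IR.

    expected_miners is the (assumed) allowlist of instance IDs documented as
    running cryptocurrency or blockchain workloads, i.e. the exception the
    finding descriptions call out. Any other instance is treated as a
    potential compromise and should go through the compromised-EC2
    remediation steps.
    """
    if not finding["type"].startswith("CryptoCurrency:EC2/"):
        raise ValueError(f"not a CryptoCurrency EC2 finding: {finding['type']}")
    instance = finding["resource"]["instanceDetails"]["instanceId"]
    kind, value = extract_indicator(finding)
    return {
        "type": finding["type"],
        "instance": instance,
        "indicator": {kind: value},
        "severity": severity_label(finding["severity"]),
        "decision": "expected-workload" if instance in expected_miners
                    else "isolate-and-investigate",
    }


if __name__ == "__main__":
    allowlist = {"i-0fedcba9876543210"}  # constructed: a documented mining host
    for f in (SAMPLE_DNS_FINDING, SAMPLE_IP_FINDING):
        print(json.dumps(triage(f, allowlist), indent=2))
```

Keep the allowlist short and reviewed: an instance that legitimately talks to a mining pool is exactly the kind of host an attacker would prefer to hide on, so an "expected-workload" decision should still be checked against the instance's documented purpose rather than silencing the finding outright.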