Amazon GuardDuty
Amazon GuardDuty User Guide

Amazon GuardDuty Finding Types

Finding Type Format

When GuardDuty detects suspicious or unexpected behavior in your AWS environment, it generates a finding. A finding is a notification that contains the details about a potential security issue that GuardDuty discovers. The finding details include information about what happened, what AWS resources were involved in the suspicious activity, when this activity took place, and other information.

One of the most useful pieces of information in the finding details is a finding type. The purpose of the finding type is to provide a concise yet readable description of the potential security issue. For example, the GuardDuty Recon:EC2/PortProbeUnprotectedPort finding type quickly informs you that somewhere in your AWS environment, an EC2 instance has an unprotected port that a potential attacker is probing.

GuardDuty uses the following format for the various finding types that it generates:

ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact

This is what each part of the format represents:

  • ThreatPurpose - describes the primary purpose of a threat or a potential attack. In the current release of GuardDuty, ThreatPurpose can have the following values:

    • Backdoor - this value indicates that the attack has compromised an AWS resource and is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity.

    • Behavior - this value indicates that GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.

    • CryptoCurrency - this value indicates that GuardDuty is detecting software that is associated with cryptocurrencies (for example, Bitcoin).

    • PenTest - Sometimes owners of AWS resources or their authorized representatives intentionally run tests against AWS applications to find vulnerabilities, such as open security groups or overly permissive access keys. These pen tests are done to identify and lock down vulnerable resources before attackers discover them. However, some of the tools used by authorized pen testers are freely available and can therefore also be used by unauthorized users or attackers to run probing tests. GuardDuty can't identify the true purpose behind such activity; the PenTest value indicates that GuardDuty is detecting activity that is similar to the activity generated by known pen testing tools, and that it could therefore be an attack.

    • Persistence - this value indicates that an IAM user in your AWS environment is exhibiting behavior that is different from the established baseline and that is consistent with establishing lasting access to the account. For example, an IAM user with no prior history of doing so updates network configuration settings, or updates the policies or permissions attached to AWS users or resources.

    • Recon - this value indicates that a reconnaissance attack is underway, scoping out vulnerabilities in your AWS environment by probing ports, listing users, database tables, and so on.

    • ResourceConsumption - this value indicates that an IAM user in your AWS environment is exhibiting behavior that is different from the established baseline and that consumes compute resources. For example, an IAM user with no prior history of launching EC2 instances starts to do so.

    • Stealth - this value indicates that an attack is actively trying to hide its actions and its tracks. For example, an attack might use an anonymizing proxy server, making it virtually impossible to gauge the true nature of the activity.

    • Trojan - this value indicates that an attack is using Trojan programs that silently carry out malicious activity. Sometimes this software takes on an appearance of a legitimate program. Sometimes users accidentally run this software. Other times this software might run automatically by exploiting a vulnerability.

    • UnauthorizedAccess - this value indicates that GuardDuty is detecting suspicious activity or a suspicious activity pattern by an unauthorized individual.

  • ResourceTypeAffected - describes which AWS resource is identified in this finding as the potential target of an attack. In this release of GuardDuty, only EC2 instances and IAM users (and their credentials) can be identified as affected resources in GuardDuty findings.

  • ThreatFamilyName - describes the overall threat or potential malicious activity that GuardDuty is detecting. For example, a value of NetworkPortUnusual indicates that an EC2 instance identified in the GuardDuty finding has no prior history of communications on a particular remote port that also is identified in the finding.

  • ThreatFamilyVariant - describes the specific variant of the ThreatFamily that GuardDuty is detecting. Attackers often slightly modify the functionality of the attack, thus creating new variants.

  • Artifact - describes a specific resource that is owned by a tool that is used in the attack. For example, DNS in the finding type CryptoCurrency:EC2/BitcoinTool.B!DNS indicates that an EC2 instance is communicating with a known Bitcoin-related domain.
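As an added example (not code from the GuardDuty documentation or from the service itself), the following Python parses finding type strings according to the format above, validates the ThreatPurpose against the list of values, and groups a set of finding types by the remediation guide this page cites for the affected resource type. The class and function names are this example's own.

```python
"""Parse GuardDuty finding type strings and route them to a remediation guide.

Added example; not GuardDuty's own code. The format parsed is the one
documented on this page:
    ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
Variant and Artifact are optional. Helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ThreatPurpose values listed on this page.
THREAT_PURPOSES = frozenset({
    "Backdoor", "Behavior", "CryptoCurrency", "PenTest", "Persistence",
    "Recon", "ResourceConsumption", "Stealth", "Trojan", "UnauthorizedAccess",
})

# The two remediation guides the page refers to, keyed by ResourceTypeAffected.
REMEDIATION: Dict[str, str] = {
    "EC2": "Remediating a Compromised EC2 Instance",
    "IAMUser": "Remediating Compromised AWS Credentials",
}

# ThreatFamilyName may contain '&' (Backdoor:EC2/C&CActivity.B!DNS), so the
# family group accepts anything except the '.', '!' and '/' delimiters.
_FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):"
    r"(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[^.!/]+)"
    r"(?:\.(?P<variant>[^!]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)


@dataclass(frozen=True)
class FindingType:
    purpose: str
    resource: str
    family: str
    variant: Optional[str]
    artifact: Optional[str]

    @property
    def remediation(self) -> str:
        """Which of the page's remediation guides applies to this finding."""
        return REMEDIATION.get(self.resource, "no remediation guide for this resource type")


def parse_finding_type(value: str) -> FindingType:
    """Split a finding type into its five components, validating ThreatPurpose."""
    m = _FINDING_TYPE_RE.match(value)
    if m is None:
        raise ValueError(f"not a GuardDuty finding type: {value!r}")
    purpose = m.group("purpose")
    if purpose not in THREAT_PURPOSES:
        raise ValueError(f"unknown ThreatPurpose {purpose!r} in {value!r}")
    return FindingType(purpose, m.group("resource"), m.group("family"),
                       m.group("variant"), m.group("artifact"))


def triage(finding_types: List[str]) -> Dict[str, List[str]]:
    """Group finding types by the remediation guide they map to."""
    buckets: Dict[str, List[str]] = {}
    for raw in finding_types:
        buckets.setdefault(parse_finding_type(raw).remediation, []).append(raw)
    return buckets


# A few of the finding types listed on this page, used as sample input.
SAMPLE_FINDING_TYPES = [
    "Backdoor:EC2/C&CActivity.B!DNS",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Recon:IAMUser/TorIPCaller",
    "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
    "Trojan:EC2/BlackholeTraffic!DNS",
    "Stealth:IAMUser/CloudTrailLoggingDisabled",
]

if __name__ == "__main__":
    for guide, types in triage(SAMPLE_FINDING_TYPES).items():
        print(f"{guide}:")
        for t in types:
            print(f"  {t}")
```

The ThreatFamilyName group deliberately accepts any character except the three delimiters, because names such as C&CActivity would otherwise be rejected; the ThreatPurpose check is what catches strings that are not GuardDuty finding types at all.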

Complete List of GuardDuty Active Finding Types

The following are various finding types that GuardDuty generates:

Backdoor:EC2/XORDDOS

Finding description

An EC2 instance is attempting to communicate with an IP address that is associated with XorDDos malware.

This finding informs you that an EC2 instance in your AWS environment is attempting to communicate with an IP address that is associated with XorDDos malware. This EC2 instance might be compromised. XOR DDoS is Trojan malware that hijacks Linux systems. To gain access to the system, it launches a brute force attack in order to discover the password to Secure Shell (SSH) services on Linux. After SSH credentials are acquired and the login is successful, it uses root privileges to run a script that downloads and installs XOR DDoS. This malware is then used as part of a botnet to launch distributed denial of service (DDoS) attacks against other targets. For more information, see Remediating a Compromised EC2 Instance.

Backdoor:EC2/Spambot

Finding description

EC2 instance is exhibiting unusual behavior by communicating with a remote host on port 25.

This finding informs you that an EC2 instance in your AWS environment is communicating with a remote host on port 25. This behavior is unusual because this EC2 instance has no prior history of communications on port 25. Port 25 is traditionally used by mail servers for SMTP communications. Your EC2 instance might be compromised and sending out spam. For more information, see Remediating a Compromised EC2 Instance.

Backdoor:EC2/C&CActivity.B!DNS

Finding description

EC2 instance is querying a domain name that is associated with a known command and control server.

This finding informs you that there is an EC2 instance in your AWS environment that is querying a domain name associated with a known command and control (C&C) server. Your EC2 instance might be compromised. C&C servers are computers that issue commands to members of a botnet. A botnet is a collection of internet-connected devices (which might include PCs, servers, mobile devices, and internet of things devices) that are infected and controlled by a common type of malware. Botnets are often used to distribute malware and gather misappropriated information, such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to begin a distributed denial of service (DDoS) attack. For more information, see Remediating a Compromised EC2 Instance.

Note

To test how GuardDuty generates this finding type, you can make a DNS request from an EC2 instance against the test domain guarddutyc2activityb.com (for example, by running nslookup guarddutyc2activityb.com on the instance). GuardDuty sees the query only if the instance resolves names through the Amazon-provided DNS resolver of its VPC; queries sent to a third-party resolver are not observed.

Behavior:EC2/NetworkPortUnusual

Finding description

EC2 instance is communicating with a remote host on an unusual server port.

This finding informs you that an EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of communications on this remote port. Your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

Behavior:EC2/TrafficVolumeUnusual

Finding description

EC2 instance is generating unusually large amounts of network traffic to a remote host.

This finding informs you that an EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of sending this much traffic to this remote host. Your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

CryptoCurrency:EC2/BitcoinTool.B!DNS

Finding description

EC2 instance is querying a domain name that is associated with Bitcoin-related activity.

This finding informs you that an EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you use this EC2 instance to mine or manage cryptocurrency or your EC2 instance is involved in blockchain activity, your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

PenTest:IAMUser/KaliLinux

Finding description

An API was invoked from a Kali Linux EC2 instance.

This finding informs you that a machine running Kali Linux is making API calls using credentials that belong to your AWS account. Your credentials might be compromised. Kali Linux is a popular penetration testing distribution that security professionals use to identify weaknesses in EC2 instances that require patching. The same tools are used by attackers to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment. For more information, see Remediating Compromised AWS Credentials.

Persistence:IAMUser/NetworkPermissions

Finding description

An IAM user invoked an API commonly used to change the network access permissions for security groups, routes, and ACLs in your AWS account.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of invoking this API. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when network configuration settings are changed under suspicious circumstances, for example when an IAM user in your AWS environment with no prior history of doing so invokes the CreateSecurityGroup API. Attackers often change security groups to allow inbound traffic on various ports so that they can more easily reach the bot they might have planted on your EC2 instance.

Persistence:IAMUser/ResourcePermissions

Finding description

An IAM user invoked an API commonly used to change the security access policies of various resources in your AWS account.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of invoking this API. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when a change is detected to policies or permissions attached to AWS resources, for example when an IAM user in your AWS environment with no prior history of doing so invokes the PutBucketPolicy API. Some services, for example Amazon S3, support resource-attached permissions that grant one or more IAM principals access to the resource. With stolen credentials, attackers can change the policies attached to a resource, granting themselves future access to that resource.

Persistence:IAMUser/UserPermissions

Finding description

An IAM user invoked an API commonly used to add, modify, or delete IAM users, groups or policies in your AWS account.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of invoking this API. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered by suspicious changes to the user-related permissions in your AWS environment, for example when an IAM user in your AWS environment with no prior history of doing so invokes the AttachUserPolicy API. To keep access to the account even after they have been discovered, attackers can use stolen credentials to create new users, attach access policies to existing users, create access keys, and so on. The owner of the account might notice that a particular IAM user or password was stolen and delete it from the account, but might not delete the other users that the attacker created with that stolen identity, leaving the AWS account still accessible to the attacker.

Recon:EC2/PortProbeUnprotectedPort

Finding description

EC2 instance has an unprotected port that is being probed by a known malicious host.

This finding informs you that a port on an EC2 instance in your AWS environment is not blocked by a security group, access control list (ACL), or an on-host firewall (for example, iptables on Linux), and known scanners on the internet are actively probing it. If the identified unprotected port is 22 or 3389 and you often connect to this EC2 instance by using SSH or RDP and therefore can't block access to either of these ports, you can still limit exposure by allowing access to these ports only from the IP addresses in your corporate network's address space. To restrict access to port 22 on Linux, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html. To restrict access to port 3389 on Windows, see http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/authorizing-access-to-an-instance.html.

For more information, see Remediating a Compromised EC2 Instance.
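An added example, not part of this guide or of AWS tooling: the following Python audits the output of aws ec2 describe-security-groups (a constructed sample is embedded) for rules that open port 22 or 3389 to 0.0.0.0/0 or ::/0, and emits the AWS CLI commands that replace such a rule with one limited to a corporate range, as recommended above. The corporate range 203.0.113.0/24, the security group IDs and the group names are placeholders.

```python
"""Find security group rules that expose SSH (22) or RDP (3389) to the world,
and produce the AWS CLI commands that restrict them to a corporate CIDR.

Added example; not GuardDuty or AWS code. It reads the JSON shape returned by
`aws ec2 describe-security-groups`. The sample below is constructed, and the
corporate range 203.0.113.0/24 (an RFC 5737 documentation prefix) is a placeholder.
"""
import json
from typing import List, Tuple

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_OPEN = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "windows-admin", "IpPermissions": [
        {"IpProtocol": "-1",   # the all-traffic rule: every protocol, every port
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "locked-down", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]}


def _rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry admits TCP traffic on `port`.
    IpProtocol "-1" is the all-traffic rule and carries no FromPort/ToPort."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def exposed_admin_ports(describe_output: dict) -> List[Tuple[str, int, str]]:
    """Return (group id, port, cidr) for every world-open SSH/RDP exposure."""
    exposures = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port in ADMIN_PORTS:
                if not _rule_covers_port(perm, port):
                    continue
                for cidr in cidrs:
                    if cidr in WORLD_OPEN:
                        exposures.append((sg["GroupId"], port, cidr))
    return exposures


def restrict_commands(group_id: str, port: int, open_cidr: str, corp_cidr: str) -> List[str]:
    """AWS CLI commands that swap a world-open TCP port rule for one limited to
    corp_cidr. The authorize comes first so an operator connected through that
    port is not locked out. A world-open all-traffic ("-1") rule is not a
    per-port rule and must be revoked as a whole via --ip-permissions."""
    common = f"--group-id {group_id} --protocol tcp --port {port}"
    if ":" in open_cidr:
        # IPv6 ranges are only expressible through the --ip-permissions structure.
        perm = json.dumps([{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                            "Ipv6Ranges": [{"CidrIpv6": open_cidr}]}])
        revoke = f"aws ec2 revoke-security-group-ingress --group-id {group_id} --ip-permissions '{perm}'"
    else:
        revoke = f"aws ec2 revoke-security-group-ingress {common} --cidr {open_cidr}"
    return [f"aws ec2 authorize-security-group-ingress {common} --cidr {corp_cidr}", revoke]


if __name__ == "__main__":
    for group_id, port, cidr in exposed_admin_ports(SAMPLE_DESCRIBE_SECURITY_GROUPS):
        print(f"{group_id}: {ADMIN_PORTS[port]} ({port}) open to {cidr}")
        for cmd in restrict_commands(group_id, port, cidr, "203.0.113.0/24"):
            print("  " + cmd)
```

Feed it real output with aws ec2 describe-security-groups --output json and review the printed commands before running them; the all-traffic rule on windows-admin in the sample is the case where the generated per-port revoke does not apply and the whole rule has to go.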

Recon:IAMUser/TorIPCaller

Finding description

An API was invoked from a Tor exit node IP address.

This finding informs you that an API operation that can list or describe your AWS resources was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can be a reconnaissance attack: an anonymous user trying to gather information or gain access to your AWS resources for malicious purposes. For more information, see Remediating Compromised AWS Credentials.

Recon:IAMUser/MaliciousIPCaller.Custom

Finding description

An API was invoked from an IP address on a custom threat list.

This finding informs you that an API operation that can list or describe your AWS resources was invoked from an IP address that is included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on uploaded threat lists. This can be a reconnaissance attack: an attacker trying to gather information about, or gain access to, your AWS resources for malicious purposes. For more information, see Remediating Compromised AWS Credentials.

Recon:IAMUser/MaliciousIPCaller

Finding description

An API was invoked from a known malicious IP address.

This finding informs you that an API operation that can list or describe your AWS resources was invoked from an IP address that is included on a threat list. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on its own internal threat lists as well as the custom threat lists that you upload; matches against your own lists are reported as the .Custom variant of this finding. This can be a reconnaissance attack: an attacker trying to gather information about, or gain access to, your AWS resources for malicious purposes. For more information, see Remediating Compromised AWS Credentials.

Recon:EC2/Portscan

Finding description

EC2 instance is performing outbound port scans to a remote host.

This finding informs you that there is an EC2 instance in your AWS environment that is engaged in a possible port scan attack because it is trying to connect to multiple ports over a short period of time. The purpose of a port scan attack is to locate open ports to discover what services the machine is running and to identify its operating system. Your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

Recon:IAMUser/NetworkPermissions

Finding description

An IAM user invoked an API commonly used to discover the network access permissions of existing security groups, ACLs, and routes in your AWS account.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of invoking this API. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when network configuration settings in your AWS environment are probed under suspicious circumstances, for example when an IAM user in your AWS environment with no prior history of doing so invokes the DescribeSecurityGroups API. An attacker might use stolen credentials to perform this reconnaissance of network configuration settings before executing the next stage of their attack, either by changing network permissions or by making use of existing openings in the network configuration.

Recon:IAMUser/ResourcePermissions

Finding description

An IAM user invoked an API commonly used to discover the permissions associated with various resources in your AWS account.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of invoking this API. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when resource access permissions in your AWS account are probed under suspicious circumstances, for example when an IAM user with no prior history of doing so invokes the DescribeInstances API. An attacker might use stolen credentials to perform this reconnaissance of your AWS resources in order to find valuable information or to determine the capabilities of the credentials they already have.

Recon:IAMUser/UserPermissions

Finding description

An IAM user invoked an API commonly used to discover the users, groups, policies and permissions in your AWS account.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of invoking this API. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when user permissions in your AWS environment are probed under suspicious circumstances, for example when an IAM user with no prior history of doing so invokes the ListInstanceProfilesForRole API. An attacker might use stolen credentials to perform this reconnaissance of your IAM users and roles in order to determine the capabilities of the credentials they already have, or to find more permissive credentials that can be reached from them by lateral movement.

ResourceConsumption:IAMUser/ComputeResources

Finding description

An IAM user invoked an API commonly used to launch compute resources like EC2 Instances.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of invoking this API. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when EC2 instances in your AWS environment are launched under suspicious circumstances, for example when an IAM user with no prior history of doing so invokes the RunInstances API. This might be an indication of an attacker using stolen credentials to steal compute time (possibly for cryptocurrency mining or password cracking). It can also be an indication of an attacker using an EC2 instance in your AWS environment, and the credentials attached to it, to maintain access to your account.

Stealth:IAMUser/PasswordPolicyChange

Finding description

Account password policy was weakened.

Your AWS account password policy was weakened. For example, it was deleted, or updated to require fewer characters, to not require symbols and numbers, or to extend the password expiration period. This finding can also be triggered by an attempt to update or delete your AWS account password policy. The AWS account password policy defines the rules that govern what kinds of passwords can be set for your IAM users. A weaker password policy permits passwords that are easier to remember and potentially easier to guess, which creates a security risk. For more information, see Remediating Compromised AWS Credentials.

Stealth:IAMUser/CloudTrailLoggingDisabled

Finding description

AWS CloudTrail trail was disabled.

This finding informs you that a CloudTrail trail within your AWS environment was disabled. This can be an attacker's attempt to disable logging to cover their tracks by eliminating any trace of their activity while gaining access to your AWS resources for malicious purposes. This finding can be triggered by a successful deletion or update of a trail. This finding can also be triggered by a successful deletion of an S3 bucket that stores the logs from a trail that is associated with GuardDuty. For more information, see Remediating Compromised AWS Credentials.

Stealth:IAMUser/LoggingConfigurationModified

Finding description

An IAM user invoked an API commonly used to stop CloudTrail logging, delete existing logs, and otherwise eliminate traces of activity in your AWS account.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of invoking this API. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when the logging configuration in your AWS account is modified under suspicious circumstances, for example when an IAM user with no prior history of doing so invokes the StopLogging API. This can be an indication of an attacker trying to cover their tracks by eliminating any trace of their activity.
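The Persistence, Recon, ResourceConsumption and Stealth:IAMUser/LoggingConfigurationModified findings above share one mechanism: a sensitive API is invoked by an IAM user with no prior history of invoking it. As an added example, and not GuardDuty's own detection logic (which is not public), the following Python builds such a baseline from CloudTrail-style records and alerts on first-seen watched APIs. The records, user names, times and IP addresses are constructed; the watched APIs are the examples this page names, mapped to the finding type each one illustrates.

```python
"""First-seen sensitive API calls per IAM user, modelled on the "no prior
history of invoking this API" findings on this page.

Added example, not GuardDuty's detection logic. Works over constructed
CloudTrail-shaped records; only the fields used here are populated.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Example APIs named on this page, mapped to the finding type they illustrate.
WATCHED_APIS = {
    "CreateSecurityGroup": "Persistence:IAMUser/NetworkPermissions",
    "PutBucketPolicy": "Persistence:IAMUser/ResourcePermissions",
    "AttachUserPolicy": "Persistence:IAMUser/UserPermissions",
    "DescribeSecurityGroups": "Recon:IAMUser/NetworkPermissions",
    "DescribeInstances": "Recon:IAMUser/ResourcePermissions",
    "ListInstanceProfilesForRole": "Recon:IAMUser/UserPermissions",
    "RunInstances": "ResourceConsumption:IAMUser/ComputeResources",
    "StopLogging": "Stealth:IAMUser/LoggingConfigurationModified",
}


def _event(time: str, user: str, api: str, ip: str) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed data)."""
    return {"eventTime": time, "eventName": api, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user}}


# Constructed history: alice is an operator, bob normally only reads instance data.
SAMPLE_EVENTS = [
    _event("2018-03-01T10:00:00Z", "alice", "DescribeInstances", "198.51.100.10"),
    _event("2018-03-02T10:00:00Z", "alice", "RunInstances", "198.51.100.10"),
    _event("2018-03-03T10:00:00Z", "alice", "DescribeSecurityGroups", "198.51.100.10"),
    _event("2018-03-04T10:00:00Z", "bob", "DescribeInstances", "198.51.100.11"),
    _event("2018-03-05T10:00:00Z", "bob", "ListBuckets", "198.51.100.11"),
    # After the cutoff: alice keeps doing what she always did, while bob's
    # credentials are used from a new address to recon, open the network,
    # persist, and then switch logging off.
    _event("2018-03-11T08:00:00Z", "alice", "RunInstances", "198.51.100.10"),
    _event("2018-03-11T09:00:00Z", "bob", "DescribeSecurityGroups", "192.0.2.77"),
    _event("2018-03-11T09:05:00Z", "bob", "CreateSecurityGroup", "192.0.2.77"),
    _event("2018-03-11T09:10:00Z", "bob", "AttachUserPolicy", "192.0.2.77"),
    _event("2018-03-11T09:15:00Z", "bob", "StopLogging", "192.0.2.77"),
    _event("2018-03-11T09:20:00Z", "bob", "CreateSecurityGroup", "192.0.2.77"),
]
BASELINE_CUTOFF = "2018-03-10T00:00:00Z"   # ISO 8601 UTC strings compare lexically


def actor(event: dict) -> str:
    """Principal name: IAM user name, else ARN, else the identity type."""
    ident = event["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident["type"]


def build_baseline(events: List[dict], cutoff: str) -> Dict[str, Set[str]]:
    """APIs each principal invoked before the cutoff."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["eventTime"] < cutoff:
            baseline[actor(e)].add(e["eventName"])
    return baseline


def first_seen_sensitive_calls(events: List[dict], cutoff: str) -> List[dict]:
    """Alert once per (principal, API) when a watched API is invoked by a
    principal whose baseline never contained it. A principal with no
    baseline at all (a new user) alerts on every watched call, which is the
    right default for a credential that has just appeared."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        if e["eventTime"] < cutoff:
            continue
        user, api = actor(e), e["eventName"]
        if api in WATCHED_APIS and api not in baseline[user]:
            alerts.append({"user": user, "api": api, "time": e["eventTime"],
                           "sourceIP": e["sourceIPAddress"],
                           "findingType": WATCHED_APIS[api]})
            baseline[user].add(api)   # suppress repeats of the same first-seen call
    return alerts


if __name__ == "__main__":
    for a in first_seen_sensitive_calls(SAMPLE_EVENTS, BASELINE_CUTOFF):
        print(f"{a['time']} {a['findingType']} user={a['user']} api={a['api']} ip={a['sourceIP']}")
```

The baseline window has to be long enough to cover a principal's normal cycle of activity (quarterly tasks included), or routine work shows up as first-seen; in practice you would also keep the baseline per principal across runs rather than rebuilding it from a fixed cutoff as this example does.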

Trojan:EC2/BlackholeTraffic

Finding description

EC2 instance is attempting to communicate with an IP address of a remote host that is a known black hole.

This finding informs you that an EC2 instance in your AWS environment might be compromised because it is trying to communicate with an IP address of a black hole (or sink hole). Black holes refer to places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient. A black hole IP address specifies a host machine that is not running or an address to which no host has been assigned. For more information, see Remediating a Compromised EC2 Instance.

Trojan:EC2/DropPoint

Finding description

An EC2 instance is attempting to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.

This finding informs you that an EC2 instance in your AWS environment is trying to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware. Your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

Trojan:EC2/BlackholeTraffic!DNS

Finding description

EC2 instance is querying a domain name that is being redirected to a black hole IP address.

This finding informs you that an EC2 instance in your AWS environment might be compromised because it is querying a domain name that is being redirected to a black hole IP address. Black holes refer to places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient. For more information, see Remediating a Compromised EC2 Instance.

Trojan:EC2/DriveBySourceTraffic!DNS

Finding description

EC2 instance is querying a domain name of a remote host that is a known source of Drive-By download attacks.

This finding informs you that an EC2 instance in your AWS environment might be compromised because it is querying a domain name of a remote host that is a known source of Drive-By download attacks. These are unintended downloads of computer software from the internet that can trigger an automatic install of a virus, spyware, or malware. For more information, see Remediating a Compromised EC2 Instance.

Trojan:EC2/DropPoint!DNS

Finding description

An EC2 instance is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.

This finding informs you that an EC2 instance in your AWS environment is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware. Your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

Trojan:EC2/DGADomainRequest.B

Finding description

EC2 instance is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.

This finding informs you that there is an EC2 instance in your AWS environment that is trying to query domains produced by a domain generation algorithm (DGA). Your EC2 instance might be compromised.

Note

This finding is based on analysis of domain names using advanced heuristics, and hence may identify new DGA domains that are not present in Threat Intelligence feeds.

DGAs are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control (C&C) servers. C&C servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware. The large number of potential rendezvous points makes it difficult to effectively shut down botnets because infected computers attempt to contact some of these domain names every day to receive updates or commands. For more information, see Remediating a Compromised EC2 Instance.

Trojan:EC2/DGADomainRequest.C!DNS

Finding description

EC2 instance is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.

This finding informs you that there is an EC2 instance in your AWS environment that is trying to query domains produced by a domain generation algorithm (DGA). Your EC2 instance might be compromised.

Note

This finding is based on "known" DGA domains from GuardDuty's threat intelligence feeds.

DGAs are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control (C&C) servers. C&C servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware. The large number of potential rendezvous points makes it difficult to effectively shut down botnets because infected computers attempt to contact some of these domain names every day to receive updates or commands. For more information, see Remediating a Compromised EC2 Instance.

Trojan:EC2/DNSDataExfiltration

Finding description

EC2 instance is exfiltrating data through DNS queries.

This finding informs you that there is an EC2 instance in your AWS environment with malware that uses DNS queries for outbound data transfers, resulting in the exfiltration of data. Your EC2 instance might be compromised. DNS traffic is not typically blocked by firewalls. For example, malware on a compromised EC2 instance can encode data (such as a credit card number) into a DNS query and send it to a remote DNS server that is controlled by an attacker. For more information, see Remediating a Compromised EC2 Instance.
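Both the DGADomainRequest.B note above (heuristics on the domain names rather than a feed) and the DNS exfiltration description here rely on properties of the queried names themselves. As an added example, and not GuardDuty's analysis, the following Python applies simple, explainable rules to a constructed DNS query log: a registrable label that is long, high-entropy and nearly vowel-free is flagged as DGA-like, and several distinct long hex or base32 leftmost labels sent to one apex domain from one source are flagged as a DNS tunnel. The thresholds are assumptions tuned to the sample, and the apex is approximated as the last two labels, which ignores multi-label public suffixes.

```python
"""Heuristics for two DNS-based signs of compromise described on this page:
names that look algorithmically generated (DGA) and long encoded labels that
carry data out through DNS queries.

Added example, not GuardDuty's analysis. Thresholds are assumptions tuned to
the constructed sample; "apex = last two labels" is a simplification.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNS query log: (instance private IP, queried name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.1.12", "www.example.com"),
    ("10.0.1.12", "api.github.com"),
    ("10.0.1.12", "s3.amazonaws.com"),
    ("10.0.1.12", "stackoverflow.com"),
    ("10.0.1.40", "kq3vz8xwp1ntb.com"),          # DGA-like: long, random, no vowels
    ("10.0.1.40", "xj7mqzv2rtlp9wk.net"),
    ("10.0.1.40", "bzt9qkxv4lmpw.org"),
    ("10.0.1.55", "4e5a8b2c9d1f0e3a7b6c5d4e3f2a1b0c.xfer.example.net"),  # hex payload labels
    ("10.0.1.55", "9f8e7d6c5b4a3928171605f4e3d2c1b0.xfer.example.net"),
    ("10.0.1.55", "0a1b2c3d4e5f60718293a4b5c6d7e8f9.xfer.example.net"),
    ("10.0.1.55", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.xfer.example.net"),
    ("10.0.1.55", "mail.example.net"),
]

HEX = set("0123456789abcdef")
BASE32 = set("abcdefghijklmnopqrstuvwxyz234567")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; higher means less word-like."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_dga(name: str, min_len: int = 10, min_entropy: float = 3.3,
              max_vowel_ratio: float = 0.25) -> bool:
    """Judge the registrable label: long, high-entropy, almost no vowels.
    Dictionary-word DGAs and short random labels slip through; tune per fleet."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio <= max_vowel_ratio


def looks_encoded(label: str, min_len: int = 20) -> bool:
    """Leftmost labels that are pure hex, or base32-alphabet with high entropy,
    are the usual carriers for data tunnelled out in queries."""
    label = label.lower()
    if len(label) < min_len:
        return False
    chars = set(label)
    if chars <= HEX:
        return True
    return chars <= BASE32 and shannon_entropy(label) >= 3.8


def dga_suspects(queries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(source, name) pairs whose registrable label looks generated."""
    return [(src, name) for src, name in queries if looks_dga(name)]


def exfil_suspects(queries: List[Tuple[str, str]], min_labels: int = 3) -> List[dict]:
    """Per (source, apex): count distinct encoded leftmost labels. Several
    distinct ones to the same apex from one host is the exfiltration pattern;
    encoded_chars is an upper bound on the payload size carried."""
    seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for src, name in queries:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) >= 3 and looks_encoded(labels[0]):
            seen[(src, ".".join(labels[-2:]))].add(labels[0])
    return [
        {"src": src, "apex": apex, "encoded_labels": len(lbls),
         "encoded_chars": sum(map(len, lbls))}
        for (src, apex), lbls in sorted(seen.items()) if len(lbls) >= min_labels
    ]


if __name__ == "__main__":
    for src, name in dga_suspects(SAMPLE_QUERIES):
        print(f"DGA-like  {src} -> {name}")
    for hit in exfil_suspects(SAMPLE_QUERIES):
        print(f"DNS tunnel {hit['src']} -> {hit['apex']}: "
              f"{hit['encoded_labels']} encoded labels, {hit['encoded_chars']} chars")
```

Rules this simple will also flag legitimate high-entropy names (CDN hostnames, certificate-transparency or antivirus lookups that encode hashes in labels), so in practice they are paired with an allow list and a volume threshold; the point of the example is to show which properties of the name each finding is keyed on.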

Trojan:EC2/PhishingDomainRequest!DNS

Finding description

EC2 instance is querying domains involved in phishing attacks. Your EC2 instance might be compromised.

This finding informs you that there is an EC2 instance in your AWS environment that is trying to query a domain involved in phishing attacks. Phishing domains are set up by someone posing as a legitimate institution in order to induce individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. Your EC2 instance is potentially trying to retrieve sensitive data stored on a phishing website, or it is attempting to set up a phishing website. Your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

UnauthorizedAccess:IAMUser/TorIPCaller

Finding description

An API was invoked from a Tor exit node IP address.

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify your AWS privileges) was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker’s true identity. For more information, see Remediating Compromised AWS Credentials.

UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom

Finding description

An API was invoked from an IP address on a custom threat list.

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, modify your AWS privileges, and so on) was invoked from an IP address that is included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on uploaded threat lists. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker’s true identity. For more information, see Remediating Compromised AWS Credentials.

UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B

Finding description

Multiple worldwide successful console logins were observed.

This finding informs you that multiple successful console logins for the same IAM user were observed around the same time in different geographical locations. Such an anomalous access-location pattern indicates potential unauthorized access to your AWS resources. For more information, see Remediating Compromised AWS Credentials.

Note

This finding is only triggered by the activity of the following IAM identities: root, IAM users, and federated users. This finding is NOT triggered by the activity of an assumed role. For more information about IAM identities, see CloudTrail userIdentity Element.

UnauthorizedAccess:IAMUser/MaliciousIPCaller

Finding description

An API was invoked from a known malicious IP address.

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, modify your AWS privileges, and so on) was invoked from a known malicious IP address. This can indicate unauthorized access to your AWS resources. For more information, see Remediating Compromised AWS Credentials.

UnauthorizedAccess:IAMUser/UnusualASNCaller

Finding description

An API was invoked from an IP address of an unusual network.

This finding informs you that certain activity was invoked from an IP address of an unusual network. This network was never observed throughout the AWS usage history of the described user. This activity can include a console login, an attempt to launch an EC2 instance, create a new IAM user, modify your AWS privileges, and so on. This can indicate unauthorized access to your AWS resources. For more information, see Remediating Compromised AWS Credentials.

UnauthorizedAccess:EC2/TorIPCaller

Finding description

EC2 instance is receiving inbound connections from a Tor exit node.

This finding informs you that an EC2 instance in your AWS environment is receiving inbound connections from a Tor exit node. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker’s true identity. For more information, see Remediating a Compromised EC2 Instance.

UnauthorizedAccess:EC2/MaliciousIPCaller.Custom

Finding description

EC2 instance is communicating outbound with an IP address on a custom threat list.

This finding informs you that an EC2 instance in your AWS environment is communicating outbound using the TCP protocol with an IP address included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on uploaded threat lists. This can indicate unauthorized access to your AWS resources. For more information, see Remediating a Compromised EC2 Instance.

UnauthorizedAccess:EC2/SSHBruteForce

Finding description

EC2 instance has been involved in SSH brute force attacks.

This finding informs you that an EC2 instance in your AWS environment was involved in a brute force attack aimed at obtaining passwords to SSH services on Linux-based systems. This can indicate unauthorized access to your AWS resources.

Note

This finding is generated only through GuardDuty monitoring traffic on port 22. If your SSH services are configured to use other ports, this finding is not generated.

For more information, see Remediating a Compromised EC2 Instance.
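As an added example (not part of the guide and not GuardDuty's own detector), the following Python script looks for the same pattern in constructed VPC Flow Log records: many short TCP flows from one source to the SSH port of one instance within a few minutes, and whether any of them was accepted. The `ssh_port` parameter is the assumed way to cover the caveat in the Note, since GuardDuty itself only watches port 22. The log lines, account ID, interface IDs and addresses are constructed.

```python
"""Count inbound TCP connection attempts to an SSH port per source address
from VPC Flow Log records: the kind of pattern behind
UnauthorizedAccess:EC2/SSHBruteForce. GuardDuty only watches port 22, so
`ssh_port` is a parameter to cover instances whose sshd listens elsewhere."""
from collections import defaultdict

# Constructed VPC Flow Log records in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51000 22 6 4 240 1551434400 1551434430 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51001 22 6 4 240 1551434430 1551434460 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51002 22 6 4 240 1551434460 1551434490 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51003 22 6 4 240 1551434500 1551434530 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51004 22 6 4 240 1551434560 1551434590 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51005 22 6 25 3400 1551434600 1551434660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 44321 22 6 30 4100 1551434400 1551434700 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51006 22 17 1 80 1551434400 1551434430 REJECT OK
2 123456789012 eni-0e5f6a7b 203.0.113.9 10.0.1.30 60000 2222 6 4 240 1551434400 1551434430 REJECT OK
2 123456789012 eni-0e5f6a7b 203.0.113.9 10.0.1.30 60001 2222 6 4 240 1551434430 1551434460 REJECT OK
2 123456789012 eni-0e5f6a7b 203.0.113.9 10.0.1.30 60002 2222 6 4 240 1551434460 1551434490 REJECT OK
2 123456789012 eni-0e5f6a7b 203.0.113.9 10.0.1.30 60003 2222 6 4 240 1551434500 1551434530 REJECT OK
2 123456789012 eni-0e5f6a7b 203.0.113.9 10.0.1.30 60004 2222 6 4 240 1551434560 1551434590 REJECT OK
2 123456789012 eni-0e5f6a7b 203.0.113.9 10.0.1.30 60005 2222 6 4 240 1551434600 1551434630 REJECT OK
"""

FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status")

def parse_flow_log(text):
    """Turn version-2 flow log lines into dicts; other lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # blank, truncated or other-version line
        records.append(dict(zip(FIELDS, parts)))
    return records

def find_ssh_brute_force(text, ssh_port=22, threshold=5, window_seconds=600):
    """Return one dict per (src, dst) pair that opened >= threshold TCP flows
    to ssh_port inside any window_seconds span, with REJECT/ACCEPT counts."""
    flows = defaultdict(list)
    for r in parse_flow_log(text):
        if r["proto"] != "6" or int(r["dstport"]) != ssh_port:
            continue  # SSH is TCP; other ports are outside this check
        flows[(r["src"], r["dst"])].append((int(r["start"]), r["action"]))
    hits = []
    for (src, dst), attempts in flows.items():
        attempts.sort()
        starts = [t for t, _ in attempts]
        # Largest number of flows starting within one window of each other.
        peak = max(sum(1 for t in starts if t0 <= t <= t0 + window_seconds) for t0 in starts)
        if peak >= threshold:
            hits.append({"src": src, "dst": dst, "port": ssh_port, "attempts": len(attempts),
                         "rejected": sum(a == "REJECT" for _, a in attempts),
                         "accepted": sum(a == "ACCEPT" for _, a in attempts)})
    return sorted(hits, key=lambda h: -h["attempts"])

if __name__ == "__main__":
    for port in (22, 2222):
        for h in find_ssh_brute_force(SAMPLE_FLOW_LOG, ssh_port=port):
            print(f"{h['src']} -> {h['dst']}:{h['port']}: {h['attempts']} flows, "
                  f"{h['rejected']} rejected, {h['accepted']} accepted")
```

The `accepted` count is the value to look at first: a run of rejected flows followed by an accepted one is the shape of a guess that eventually worked, whereas rejections alone mean the security group or host did its job. On the sample, the default port 22 run reports only 203.0.113.5; the activity against port 2222 appears only when the script is told that is where SSH listens, which is exactly the gap the Note describes.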

UnauthorizedAccess:EC2/RDPBruteForce

Finding description

EC2 instance has been involved in RDP brute force attacks.

This finding informs you that an EC2 instance in your AWS environment was involved in a brute force attack aimed at obtaining passwords to RDP services on Windows-based systems. This can indicate unauthorized access to your AWS resources. For more information, see Remediating a Compromised EC2 Instance.

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration

Finding description

Credentials that were created exclusively for an EC2 instance through an instance launch role are being used from an external IP address.

This finding informs you of attempts to run AWS API operations from a host outside of EC2, using temporary AWS credentials that were created on an EC2 instance in your AWS account. Your EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS. AWS does not recommend redistributing temporary credentials outside of the entity that created them (for example, AWS applications, EC2, or Lambda). However, authorized users can export credentials from their EC2 instances to make legitimate API calls. To rule out a potential attack and verify the legitimacy of the activity, contact the IAM user to whom these credentials are assigned. For more information, see Remediating Compromised AWS Credentials.

This finding is commonly triggered in AWS Direct Connect scenarios where all traffic from EC2 instances is routed into your on-premises network and out through your own firewall, thus appearing to originate from an IP address that is external to EC2. If it's common practice in your AWS production environment to exfiltrate temporary AWS credentials created on EC2 instances, you can whitelist this finding by adding the IP address listed in the service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 field in the finding's JSON to your active trusted IP list. (You can view the finding's complete JSON by selecting the finding in the console and then choosing Actions/Export, or by running the GetFindings API operation.) A GuardDuty trusted IP list consists of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. For more information, see Working with Trusted IP Lists and Threat Lists.
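As an added example (not AWS's code), the following Python script reads the remote address from the JSON path named above, checks it against a trusted IP list in the plain-text format (one IP address or CIDR block per line), and returns an updated list only when the address falls inside an egress range you have declared as your own, such as the public side of the firewall in the Direct Connect scenario. Anything else is left for investigation. The `known_egress` ranges, the reduced finding shape and the sample addresses are constructed placeholders, not values from a real account.

```python
"""Triage an InstanceCredentialExfiltration finding against a GuardDuty
trusted IP list. The remote address is read from the JSON path named in the
guide; the trusted list is the plain-text format (one IP or CIDR per line)."""
import ipaddress

REMOTE_IP_PATH = "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4"

def make_finding(ip, api="DescribeInstances"):
    """Constructed finding JSON reduced to the fields used here; real
    GetFindings output carries many more."""
    return {"type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
            "service": {"action": {"actionType": "AWS_API_CALL",
                                   "awsApiCallAction": {"api": api,
                                                        "remoteIpDetails": {"ipAddressV4": ip}}}}}

def remote_ip(finding, path=REMOTE_IP_PATH):
    """Walk the dotted path; None if the finding has no API-call action."""
    node = finding
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # e.g. a network-connection finding has no awsApiCallAction
        node = node[key]
    return node

def parse_trusted_list(text):
    """One IPv4/IPv6 address or CIDR block per line; blank lines are ignored."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]

def is_trusted(ip, trusted_text):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_trusted_list(trusted_text))

def triage(finding, trusted_text, known_egress):
    """Classify the finding. known_egress: CIDRs of your own Direct Connect or
    firewall egress (assumed; supply your real ranges). Returns (verdict,
    possibly updated trusted-list text)."""
    ip = remote_ip(finding)
    if ip is None:
        return "no-remote-ip", trusted_text
    if is_trusted(ip, trusted_text):
        return "already-trusted", trusted_text
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in known_egress):
        # Your own egress address: add it so GuardDuty stops alerting on it.
        return "add-to-trusted-list", trusted_text.rstrip("\n") + "\n" + ip + "\n"
    return "investigate", trusted_text  # an unknown host is using instance credentials

# Constructed sample data: documentation ranges, not real infrastructure.
TRUSTED_LIST = "198.51.100.0/24\n192.0.2.17\n"
KNOWN_EGRESS = ["203.0.113.0/24"]

if __name__ == "__main__":
    for ip in ("192.0.2.17", "203.0.113.45", "192.0.2.200"):
        verdict, updated = triage(make_finding(ip), TRUSTED_LIST, KNOWN_EGRESS)
        print(ip, verdict)
        if verdict == "add-to-trusted-list":
            print(updated)
```

The point of the `known_egress` allow-list is that the decision to trust an address is made from your own network inventory, not from the finding: an address you cannot account for stays in the `investigate` bucket even though it used instance credentials, because that is precisely the case the finding exists for. The updated text is what you would upload as the new trusted IP list.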

UnauthorizedAccess:IAMUser/ConsoleLogin

Finding description

An unusual console login by an IAM user in your AWS account was observed.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of login activity using this client application from this specific location. Your IAM user credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when a console login is detected under suspicious circumstances. For example, an IAM user with no prior history of doing so invoked the ConsoleLogin API from a never-before-used client or an unusual location. This could be an indication of stolen credentials being used to gain access to your AWS account, or a valid user accessing the account in an invalid or less secure manner (for example, not over an approved VPN).

Complete List of GuardDuty Retired Finding Types

The following are finding types that have been retired (no longer generated) in GuardDuty:

Important

You cannot reactivate retired GuardDuty finding types.

Behavior:IAMUser/InstanceLaunchUnusual

Finding description

An IAM user launched an EC2 instance of an unusual type.

This finding informs you that a specific IAM user in your AWS environment is exhibiting behavior that is different from the established baseline. This IAM user has no prior history of launching an EC2 instance of this type. Your IAM user credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

CryptoCurrency:EC2/BitcoinTool.A

Finding description

EC2 instance is communicating with Bitcoin mining pools.

This finding informs you that an EC2 instance in your AWS environment is communicating with Bitcoin mining pools. In the field of cryptocurrency mining, a mining pool is the pooling of resources by miners who share their processing power over a network to split the reward according to the amount of work they contributed to solving a block. Unless you use this EC2 instance for Bitcoin mining, your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.