

# GuardDuty finding types

A finding is a notification that GuardDuty generates when it detects an indication of a suspicious or malicious activity in your AWS account. GuardDuty generates a finding in an account that has enabled GuardDuty.

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see [Document history for Amazon GuardDuty](doc-history.md).

For information about finding types which are now retired, see [Retired finding types](guardduty_finding-types-retired.md).

# GuardDuty EC2 finding types
**Updated the finding types to help identify issues related to log4j**

Amazon GuardDuty has updated the following finding types to help identify and prioritize issues related to CVE-2021-44228 and CVE-2021-45046: Backdoor:EC2/C&CActivity.B; Backdoor:EC2/C&CActivity.B!DNS; Behavior:EC2/NetworkPortUnusual.

The following findings are specific to Amazon EC2 resources and always have a Resource Type of `Instance`. The severity and details of the findings differ based on the Resource Role, which indicates whether the EC2 resource was the target of suspicious activity or the actor performing the activity.

The findings listed here include the data sources and models used to generate that finding type. For more information about data sources and models, see [GuardDuty foundational data sources](guardduty_data-sources.md).

**Notes**  
EC2 finding instance details may be missing if the instance was already terminated, or if the underlying API call originated from an EC2 instance in a different Region.
EC2 findings that use VPC flow logs as a data source do not support IPv6 traffic.

For all EC2 findings, it is recommended that you examine the resource in question to determine if it is behaving in an expected manner. If the activity is authorized, you can use Suppression Rules or Trusted IP lists to prevent false positive notifications for that resource. If the activity is unexpected, the security best practice is to assume the instance has been compromised and take the actions detailed in [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

**Topics**
+ [Backdoor:EC2/C&CActivity.B](#backdoor-ec2-ccactivityb)
+ [Backdoor:EC2/C&CActivity.B!DNS](#backdoor-ec2-ccactivitybdns)
+ [Backdoor:EC2/DenialOfService.Dns](#backdoor-ec2-denialofservicedns)
+ [Backdoor:EC2/DenialOfService.Tcp](#backdoor-ec2-denialofservicetcp)
+ [Backdoor:EC2/DenialOfService.Udp](#backdoor-ec2-denialofserviceudp)
+ [Backdoor:EC2/DenialOfService.UdpOnTcpPorts](#backdoor-ec2-denialofserviceudpontcpports)
+ [Backdoor:EC2/DenialOfService.UnusualProtocol](#backdoor-ec2-denialofserviceunusualprotocol)
+ [Backdoor:EC2/Spambot](#backdoor-ec2-spambot)
+ [Behavior:EC2/NetworkPortUnusual](#behavior-ec2-networkportunusual)
+ [Behavior:EC2/TrafficVolumeUnusual](#behavior-ec2-trafficvolumeunusual)
+ [CryptoCurrency:EC2/BitcoinTool.B](#cryptocurrency-ec2-bitcointoolb)
+ [CryptoCurrency:EC2/BitcoinTool.B!DNS](#cryptocurrency-ec2-bitcointoolbdns)
+ [DefenseEvasion:EC2/UnusualDNSResolver](#defenseevasion-ec2-unusualdnsresolver)
+ [DefenseEvasion:EC2/UnusualDoHActivity](#defenseevasion-ec2-unsualdohactivity)
+ [DefenseEvasion:EC2/UnusualDoTActivity](#defenseevasion-ec2-unusualdotactivity)
+ [Impact:EC2/AbusedDomainRequest.Reputation](#impact-ec2-abuseddomainrequestreputation)
+ [Impact:EC2/BitcoinDomainRequest.Reputation](#impact-ec2-bitcoindomainrequestreputation)
+ [Impact:EC2/MaliciousDomainRequest.Reputation](#impact-ec2-maliciousdomainrequestreputation)
+ [Impact:EC2/MaliciousDomainRequest.Custom](#impact-ec2-maliciousdomainrequest-custom)
+ [Impact:EC2/PortSweep](#impact-ec2-portsweep)
+ [Impact:EC2/SuspiciousDomainRequest.Reputation](#impact-ec2-suspiciousdomainrequestreputation)
+ [Impact:EC2/WinRMBruteForce](#impact-ec2-winrmbruteforce)
+ [Recon:EC2/PortProbeEMRUnprotectedPort](#recon-ec2-portprobeemrunprotectedport)
+ [Recon:EC2/PortProbeUnprotectedPort](#recon-ec2-portprobeunprotectedport)
+ [Recon:EC2/Portscan](#recon-ec2-portscan)
+ [Trojan:EC2/BlackholeTraffic](#trojan-ec2-blackholetraffic)
+ [Trojan:EC2/BlackholeTraffic!DNS](#trojan-ec2-blackholetrafficdns)
+ [Trojan:EC2/DGADomainRequest.B](#trojan-ec2-dgadomainrequestb)
+ [Trojan:EC2/DGADomainRequest.C!DNS](#trojan-ec2-dgadomainrequestcdns)
+ [Trojan:EC2/DNSDataExfiltration](#trojan-ec2-dnsdataexfiltration)
+ [Trojan:EC2/DriveBySourceTraffic!DNS](#trojan-ec2-drivebysourcetrafficdns)
+ [Trojan:EC2/DropPoint](#trojan-ec2-droppoint)
+ [Trojan:EC2/DropPoint!DNS](#trojan-ec2-droppointdns)
+ [Trojan:EC2/PhishingDomainRequest!DNS](#trojan-ec2-phishingdomainrequestdns)
+ [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom](#unauthorizedaccess-ec2-maliciousipcallercustom)
+ [UnauthorizedAccess:EC2/MetadataDNSRebind](#unauthorizedaccess-ec2-metadatadnsrebind)
+ [UnauthorizedAccess:EC2/RDPBruteForce](#unauthorizedaccess-ec2-rdpbruteforce)
+ [UnauthorizedAccess:EC2/SSHBruteForce](#unauthorizedaccess-ec2-sshbruteforce)
+ [UnauthorizedAccess:EC2/TorClient](#unauthorizedaccess-ec2-torclient)
+ [UnauthorizedAccess:EC2/TorRelay](#unauthorizedaccess-ec2-torrelay)

## Backdoor:EC2/C&CActivity.B


### An EC2 instance is querying an IP that is associated with a known command and control server.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that the listed instance within your AWS environment is querying an IP associated with a known command and control (C&C) server. The listed instance might be compromised. Command and control servers are computers that issue commands to members of a botnet. 

A botnet is a collection of internet-connected devices which might include PCs, servers, mobile devices, and Internet of Things devices, that are infected and controlled by a common type of malware. Botnets are often used to distribute malware and gather misappropriated information, such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to begin a distributed denial of service (DDoS) attack.

**Note**  
If the IP queried is log4j-related, then fields of the associated finding will include the following values:  
`service.additionalInfo.threatListName = Amazon`  
`service.additionalInfo.threatName = Log4j Related`

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Backdoor:EC2/C&CActivity.B!DNS


### An EC2 instance is querying a domain name that is associated with a known command and control server.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that the listed instance within your AWS environment is querying a domain name associated with a known command and control (C&C) server. The listed instance might be compromised. Command and control servers are computers that issue commands to members of a botnet. 

A botnet is a collection of internet-connected devices which might include PCs, servers, mobile devices, and Internet of Things devices, that are infected and controlled by a common type of malware. Botnets are often used to distribute malware and gather misappropriated information, such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to begin a distributed denial of service (DDoS) attack.

**Note**  
If the domain name queried is log4j-related, then the fields of the associated finding will include the following values:  
`service.additionalInfo.threatListName = Amazon`  
`service.additionalInfo.threatName = Log4j Related`

**Note**  
To test how GuardDuty generates this finding type, you can make a DNS request from your instance (using `dig` for Linux or `nslookup` for Windows) against a test domain `guarddutyc2activityb.com`.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Backdoor:EC2/DenialOfService.Dns


### An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the DNS protocol.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance within your AWS environment is generating a large volume of outbound DNS traffic. This may indicate that the listed instance is compromised and being used to perform denial-of-service (DoS) attacks using DNS protocol.

**Note**  
This finding detects DoS attacks only against publicly routable IP addresses, which are primary targets of DoS attacks.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Backdoor:EC2/DenialOfService.Tcp


### An EC2 instance is behaving in a manner indicating it is being used to perform a Denial of Service (DoS) attack using the TCP protocol.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance within your AWS environment is generating a large volume of outbound TCP traffic. This may indicate that the instance is compromised and being used to perform denial-of-service (DoS) attacks using TCP protocol. 

**Note**  
This finding detects DoS attacks only against publicly routable IP addresses, which are primary targets of DoS attacks.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Backdoor:EC2/DenialOfService.Udp


### An EC2 instance is behaving in a manner indicating it is being used to perform a Denial of Service (DoS) attack using the UDP protocol.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance within your AWS environment is generating a large volume of outbound UDP traffic. This may indicate that the listed instance is compromised and being used to perform denial-of-service (DoS) attacks using UDP protocol. 

**Note**  
This finding detects DoS attacks only against publicly routable IP addresses, which are primary targets of DoS attacks.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Backdoor:EC2/DenialOfService.UdpOnTcpPorts


### An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the UDP protocol on a TCP port.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance within your AWS environment is generating a large volume of outbound UDP traffic targeted to a port that is typically used for TCP communication. This may indicate that the listed instance is compromised and being used to perform denial-of-service (DoS) attacks using the UDP protocol on a TCP port.

**Note**  
This finding detects DoS attacks only against publicly routable IP addresses, which are primary targets of DoS attacks.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Backdoor:EC2/DenialOfService.UnusualProtocol


### An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using an unusual protocol.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is generating a large volume of outbound traffic from an unusual protocol type that is not typically used by EC2 instances, such as Internet Group Management Protocol. This may indicate that the instance is compromised and is being used to perform denial-of-service (DoS) attacks using an unusual protocol. This finding detects DoS attacks only against publicly routable IP addresses, which are primary targets of DoS attacks.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Backdoor:EC2/Spambot


### An EC2 instance is exhibiting unusual behavior by communicating with a remote host on port 25.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is communicating with a remote host on port 25. This behavior is unusual because this EC2 instance has no prior history of communications on port 25. Port 25 is traditionally used by mail servers for SMTP communications. This finding indicates your EC2 instance might be compromised for use in sending out spam.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Behavior:EC2/NetworkPortUnusual


### An EC2 instance is communicating with a remote host on an unusual server port.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of communications on this remote port.

**Note**  
If the EC2 instance communicated on port 389 or port 1389, then the associated finding severity will be modified to High, and the finding fields will include the following value:  
`service.additionalInfo.context = Possible log4j callback`

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).
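The log4j markers described for Backdoor:EC2/C&CActivity.B, Backdoor:EC2/C&CActivity.B!DNS and Behavior:EC2/NetworkPortUnusual are easy to miss when findings are read one at a time. The following triage helper is an added example, not GuardDuty code: it takes finding JSON in the shape the GuardDuty console and EventBridge deliver (camelCase keys, so the documented `service.additionalInfo.threatName` path applies) and pulls out every finding that carries one of the documented markers. It assumes the remote port of a NetworkPortUnusual finding is available at `service.action.networkConnectionAction.remotePortDetails.port`, the standard location in GuardDuty finding JSON, which this page does not name. The sample findings are constructed; their IDs, instance IDs and IP addresses are placeholders.

```python
"""Triage helper for the log4j markers GuardDuty attaches to EC2 findings.

Added example; it is not GuardDuty's own code. It works on finding JSON in
the shape GuardDuty shows in the console and sends to EventBridge (camelCase
keys, so the documented path service.additionalInfo.threatName applies).
The sample findings below are constructed; IDs and addresses are placeholders.
"""
from typing import Any, Dict, List, Tuple

LOG4J_THREAT_LIST = "Amazon"                 # service.additionalInfo.threatListName
LOG4J_THREAT_NAME = "Log4j Related"          # service.additionalInfo.threatName
LOG4J_CONTEXT = "Possible log4j callback"    # service.additionalInfo.context
LOG4J_CALLBACK_PORTS = {389, 1389}           # ports that raise NetworkPortUnusual to High


def get_path(finding: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Resolve a dotted path such as 'service.additionalInfo.threatName'."""
    node: Any = finding
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def log4j_reasons(finding: Dict[str, Any]) -> List[str]:
    """Return every documented log4j marker present on the finding (empty if none)."""
    reasons: List[str] = []
    if (get_path(finding, "service.additionalInfo.threatListName") == LOG4J_THREAT_LIST
            and get_path(finding, "service.additionalInfo.threatName") == LOG4J_THREAT_NAME):
        reasons.append("destination is on the Amazon threat list as Log4j Related")
    if get_path(finding, "service.additionalInfo.context") == LOG4J_CONTEXT:
        reasons.append("finding context reports a possible log4j callback")
    # Assumed path (standard GuardDuty finding JSON, not named on this page).
    port = get_path(finding, "service.action.networkConnectionAction.remotePortDetails.port")
    if finding.get("type") == "Behavior:EC2/NetworkPortUnusual" and port in LOG4J_CALLBACK_PORTS:
        reasons.append(f"unusual outbound connection to port {port}")
    return reasons


def triage(findings: List[Dict[str, Any]]) -> List[Tuple[str, str, float, List[str]]]:
    """Return (finding id, instance id, severity, reasons) for log4j-related findings,
    highest severity first; findings without a marker are left out."""
    hits = []
    for f in findings:
        reasons = log4j_reasons(f)
        if reasons:
            instance = get_path(f, "resource.instanceDetails.instanceId", "unknown")
            hits.append((f["id"], instance, float(f.get("severity", 0)), reasons))
    hits.sort(key=lambda h: h[2], reverse=True)   # stable: ties keep input order
    return hits


def _network_action(remote_ip: str, port: int) -> Dict[str, Any]:
    """Constructed service.action block for an outbound connection."""
    return {"actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {"connectionDirection": "OUTBOUND",
                                        "remoteIpDetails": {"ipAddressV4": remote_ip},
                                        "remotePortDetails": {"port": port}}}


# Constructed sample findings (placeholder IDs, TEST-NET addresses).
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"id": "finding-0001", "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
     "resource": {"instanceDetails": {"instanceId": "i-0a0a0a0a0a0a0a0a0"}},
     "service": {"additionalInfo": {"threatListName": "Amazon", "threatName": "Log4j Related"}}},
    {"id": "finding-0002", "type": "Behavior:EC2/NetworkPortUnusual", "severity": 8,
     "resource": {"instanceDetails": {"instanceId": "i-0b0b0b0b0b0b0b0b0"}},
     "service": {"additionalInfo": {"context": "Possible log4j callback"},
                 "action": _network_action("198.51.100.23", 1389)}},
    {"id": "finding-0003", "type": "Behavior:EC2/NetworkPortUnusual", "severity": 5,
     "resource": {"instanceDetails": {"instanceId": "i-0c0c0c0c0c0c0c0c0"}},
     "service": {"additionalInfo": {}, "action": _network_action("198.51.100.24", 4444)}},
    {"id": "finding-0004", "type": "Backdoor:EC2/C&CActivity.B", "severity": 8,
     "resource": {"instanceDetails": {"instanceId": "i-0d0d0d0d0d0d0d0d0"}},
     "service": {"additionalInfo": {"threatListName": "ExampleList", "threatName": "ExampleThreat"},
                 "action": _network_action("198.51.100.25", 443)}},
]

if __name__ == "__main__":
    for fid, instance, sev, reasons in triage(SAMPLE_FINDINGS):
        print(f"{fid} {instance} severity={sev}: " + "; ".join(reasons))
```

The port check is deliberately kept alongside the `context` check: the page says the context value is added when the port is 389 or 1389, so the two agree on current findings, and the port check still catches a finding whose `additionalInfo` block is missing or was stripped by an intermediate pipeline.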

## Behavior:EC2/TrafficVolumeUnusual


### An EC2 instance is generating unusually large amounts of network traffic to a remote host.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of sending this much traffic to this remote host.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## CryptoCurrency:EC2/BitcoinTool.B


### An EC2 instance is querying an IP address that is associated with cryptocurrency-related activity.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is querying an IP Address that is associated with Bitcoin or other cryptocurrency-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system that can be exchanged for other currencies, products, and services. Bitcoin is a reward for bitcoin-mining and is highly sought after by threat actors.

**Remediation recommendations:**

If you use this EC2 instance to mine or manage cryptocurrency, or this instance is otherwise involved in blockchain activity, this finding could be expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criteria should use the **Finding type** attribute with a value of `CryptoCurrency:EC2/BitcoinTool.B`. The second filter criteria should be the **Instance ID** of the instance involved in blockchain activity. To learn more about creating suppression rules see [Suppression rules in GuardDuty](findings_suppression-rule.md).

If this activity is unexpected, your instance is likely compromised, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## CryptoCurrency:EC2/BitcoinTool.B!DNS


### An EC2 instance is querying a domain name that is associated with cryptocurrency-related activity.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that the listed EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin or other cryptocurrency-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system that can be exchanged for other currencies, products, and services. Bitcoin is a reward for bitcoin-mining and is highly sought after by threat actors.

**Remediation recommendations:**

If you use this EC2 instance to mine or manage cryptocurrency, or this instance is otherwise involved in blockchain activity, this finding could be expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criteria should use the **Finding type** attribute with a value of `CryptoCurrency:EC2/BitcoinTool.B!DNS`. The second filter criteria should be the **Instance ID** of the instance involved in blockchain activity. To learn more about creating suppression rules see [Suppression rules in GuardDuty](findings_suppression-rule.md).

If this activity is unexpected, your instance is likely compromised, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## DefenseEvasion:EC2/UnusualDNSResolver


### An Amazon EC2 instance is communicating with an unusual public DNS resolver.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that the listed Amazon EC2 instance in your AWS environment is behaving in a way that deviates from the baseline behavior. This EC2 instance has no recent history of communicating with this public DNS resolver. The **Unusual** field in the finding details panel in the GuardDuty console can provide information about the queried DNS resolver.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## DefenseEvasion:EC2/UnusualDoHActivity


### An Amazon EC2 instance is performing an unusual DNS over HTTPS (DoH) communication.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance doesn't have any recent history of DNS over HTTPS (DoH) communications with this public DoH server. The **Unusual** field in the finding details can provide information about the queried DoH server.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## DefenseEvasion:EC2/UnusualDoTActivity


### An Amazon EC2 instance is performing an unusual DNS over TLS (DoT) communication.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance doesn't have any recent history of DNS over TLS (DoT) communications with this public DoT server. The **Unusual** field in the finding details panel can provide information about the queried DoT server.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Impact:EC2/AbusedDomainRequest.Reputation


### An EC2 instance is querying a low reputation domain name that is associated with known abused domains.


**Default severity: Medium**
+ **Data source:** DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a low reputation domain name associated with known abused domains or IP addresses. Examples of abused domains are top-level domain names (TLDs) and second-level domain names (2LDs) providing free subdomain registrations, as well as dynamic DNS providers. Threat actors tend to use these services to register domains for free or at low cost. Low reputation domains in this category may also be expired domains resolving to a registrar's parking IP address and therefore may no longer be active. A parking IP is where a registrar directs traffic for domains that have not been linked to any service. The listed Amazon EC2 instance may be compromised, as threat actors commonly use these registrars or services for C&C and malware distribution.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Impact:EC2/BitcoinDomainRequest.Reputation


### An EC2 instance is querying a low reputation domain name that is associated with cryptocurrency-related activity.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a low reputation domain name associated with Bitcoin or other cryptocurrency-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system that can be exchanged for other currencies, products, and services. Bitcoin is a reward for bitcoin-mining and is highly sought after by threat actors.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

**Remediation recommendations:**

If you use this EC2 instance to mine or manage cryptocurrency, or this instance is otherwise involved in blockchain activity, this finding could represent expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criteria should use the **Finding type** attribute with a value of `Impact:EC2/BitcoinDomainRequest.Reputation`. The second filter criteria should be the **Instance ID** of the instance involved in blockchain activity. To learn more about creating suppression rules see [Suppression rules in GuardDuty](findings_suppression-rule.md).

If this activity is unexpected, your instance is likely compromised, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Impact:EC2/MaliciousDomainRequest.Reputation


### An EC2 instance is querying a low reputation domain that is associated with known malicious domains.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a low reputation domain name associated with known malicious domains or IP addresses. For example, domains may be associated with a known sinkhole IP address. Sinkholed domains are domains that were previously controlled by a threat actor, and requests made to them can indicate the instance is compromised. These domains may also be correlated with known malicious campaigns or domain generation algorithms.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Impact:EC2/MaliciousDomainRequest.Custom


### An EC2 instance is querying a domain on a custom threat entity list.


**Default severity: Medium**
+ **Data source:** DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a domain name that is included in a threat entity list that you uploaded and activated. In GuardDuty, a threat entity list consists of known malicious domain names and IP addresses. GuardDuty generates findings based on the activity associated with the uploaded threat entity list. You can view the name of the threat entity list in the finding details.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Impact:EC2/PortSweep


### An EC2 instance is probing a port on a large number of IP addresses.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is probing a port on a large number of publicly routable IP addresses. This type of activity is typically used to find vulnerable hosts to exploit. In the finding details panel in your GuardDuty console, only the most recent remote IP address is displayed.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Impact:EC2/SuspiciousDomainRequest.Reputation


### An EC2 instance is querying a low reputation domain name that is suspicious in nature due to its age, or low popularity.


**Default severity: Low**
+ **Data source:** DNS logs

This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a low reputation domain name that is suspected of being malicious. GuardDuty noticed characteristics of this domain that were consistent with previously observed malicious domains; however, our reputation model was unable to definitively relate it to a known threat. These domains are typically newly observed or receive a low amount of traffic.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Impact:EC2/WinRMBruteForce


### An EC2 instance is performing an outbound Windows Remote Management brute force attack.


**Default severity: Low\***

**Note**  
This finding's severity is low if your EC2 instance was the target of a brute force attack. This finding's severity is high if your EC2 instance is the actor being used to perform the brute force attack.
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is performing a Windows Remote Management (WinRM) brute force attack aimed at gaining access to the Windows Remote Management service on Windows-based systems.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Recon:EC2/PortProbeEMRUnprotectedPort


### An EC2 instance has an unprotected EMR related port which is being probed by a known malicious host.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that an EMR-related sensitive port on the listed EC2 instance, which is part of a cluster in your AWS environment, is not blocked by a security group, an access control list (ACL), or an on-host firewall such as Linux IPTables. This finding also informs you that known scanners on the internet are actively probing this port. Ports that can trigger this finding, such as port 8088 (YARN Web UI port), could potentially be used for remote code execution.

**Remediation recommendations:**

You should block open access to ports on clusters from the internet and restrict access only to specific IP addresses that require access to these ports. For more information, see [Security Groups for EMR Clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security-groups.html).

## Recon:EC2/PortProbeUnprotectedPort


### An EC2 instance has an unprotected port that is being probed by a known malicious host.


**Default severity: Low\***

**Note**  
This finding's default severity is Low. However, if the port that is being probed is used by Elasticsearch (9200 or 9300), the finding's severity is High.
+ **Data source:** VPC flow logs

This finding informs you that a port on the listed EC2 instance in your AWS environment is not blocked by a security group, access control list (ACL), or an on-host firewall such as Linux IPTables, and that known scanners on the internet are actively probing it. 

If the identified unprotected port is 22 or 3389 and you are using these ports to connect to your instance, you can still limit exposure by allowing access to these ports only to the IP addresses from your corporate network IP address space. To restrict access to port 22 on Linux, see [Authorizing Inbound Traffic for Your Linux Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html). To restrict access to port 3389 on Windows, see [Authorizing Inbound Traffic for Your Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/authorizing-access-to-an-instance.html).

GuardDuty doesn't generate this finding for ports 443 and 80.

**Remediation recommendations:**

There may be cases in which instances are intentionally exposed, for example if they are hosting web servers. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criteria should use the **Finding type** attribute with a value of `Recon:EC2/PortProbeUnprotectedPort`. The second filter criteria should match the instance or instances that serve as a bastion host. You can use either the **Instance image ID** attribute or the **Tag** value attribute, depending on which attribute identifies the instances that host these tools. For more information about creating suppression rules see [Suppression rules in GuardDuty](findings_suppression-rule.md).

If this activity is unexpected, your instance is likely compromised, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Recon:EC2/Portscan


### An EC2 instance is performing outbound port scans to a remote host.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment is engaged in a possible port scan attack because it is trying to connect to multiple ports over a short period of time. The purpose of a port scan attack is to locate open ports to discover which services the machine is running and to identify its operating system.
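Recon:EC2/Portscan, Impact:EC2/PortSweep and Backdoor:EC2/Spambot are all behavioural findings built from VPC flow logs, and seeing the shape of each pattern in raw records helps when validating one of these findings against your own logs. The detector below is an added example, not GuardDuty's detection logic, only a simplified model of it: it parses VPC Flow Log records in the default version 2 format and applies three rules (one port to many destinations, many ports to one destination, and first-seen TCP/25 from an instance with no SMTP history). The thresholds, the SMTP baseline and every log line are constructed for the example and use TEST-NET and private address ranges with placeholder account and ENI IDs.

```python
"""Illustrative detectors for three EC2 network behaviours on this page:
Impact:EC2/PortSweep (one port, many destinations), Recon:EC2/Portscan
(one destination, many ports) and Backdoor:EC2/Spambot (first-seen port 25).

Added example; not GuardDuty's detection logic, only a simplified model of it.
Input is VPC Flow Log text in the default version 2 format. Thresholds, the
SMTP baseline and all log lines are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Default VPC Flow Log record, version 2 (space separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")

SWEEP_MIN_DESTINATIONS = 5   # constructed threshold: distinct destinations on one port
SCAN_MIN_PORTS = 5           # constructed threshold: distinct ports on one destination
SMTP_PORT, TCP = 25, 6


class FlowRecord(NamedTuple):
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    action: str


def parse_flow_log(lines: Iterable[str]) -> List[FlowRecord]:
    """Parse v2 records; NODATA/SKIPDATA rows carry '-' fields and are dropped."""
    records: List[FlowRecord] = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue                       # malformed row or a custom/other version
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(row["srcaddr"], row["dstaddr"], int(row["dstport"]),
                                  int(row["protocol"]), row["action"]))
    return records


def detect(records: List[FlowRecord], smtp_baseline: Set[str]) -> List[Tuple[str, str, str]]:
    """Return sorted (rule, source address, detail) tuples for the three behaviours."""
    dests_per_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    ports_per_dest: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    alerts: List[Tuple[str, str, str]] = []
    for r in records:
        dests_per_port[(r.srcaddr, r.dstport)].add(r.dstaddr)
        ports_per_dest[(r.srcaddr, r.dstaddr)].add(r.dstport)
        # Spambot model: TCP/25 from an instance that has never talked SMTP before.
        if r.protocol == TCP and r.dstport == SMTP_PORT and r.srcaddr not in smtp_baseline:
            alerts.append(("Spambot", r.srcaddr, f"first-seen SMTP to {r.dstaddr}"))
    for (src, port), dests in dests_per_port.items():
        if len(dests) >= SWEEP_MIN_DESTINATIONS:
            alerts.append(("PortSweep", src, f"port {port} probed on {len(dests)} destinations"))
    for (src, dst), ports in ports_per_dest.items():
        if len(ports) >= SCAN_MIN_PORTS:
            alerts.append(("Portscan", src, f"{len(ports)} ports tried on {dst}"))
    return sorted(alerts)


def _rec(src: str, dst: str, dport: int, proto: int = TCP, status: str = "OK") -> str:
    """Build one constructed v2 record; account and ENI IDs are placeholders."""
    return (f"2 111122223333 eni-0placeholder00 {src} {dst} 49152 {dport} {proto} "
            f"3 180 1700000000 1700000060 ACCEPT {status}")


SAMPLE_LINES: List[str] = (
    [_rec("10.0.1.10", f"198.51.100.{i}", 22) for i in range(1, 7)]               # one port, six hosts
    + [_rec("10.0.1.20", "203.0.113.5", p) for p in (21, 22, 23, 80, 443, 8080)]  # six ports, one host
    + [_rec("10.0.1.30", "203.0.113.9", SMTP_PORT),                                # SMTP from a non-mail host
       _rec("10.0.1.40", "203.0.113.9", SMTP_PORT),                                # SMTP from the mail relay
       "2 111122223333 eni-0placeholder00 - - - - - - - 1700000000 1700000060 - NODATA"]
)
SMTP_BASELINE: Set[str] = {"10.0.1.40"}   # constructed: instances with an SMTP history

if __name__ == "__main__":
    for rule, src, detail in detect(parse_flow_log(SAMPLE_LINES), SMTP_BASELINE):
        print(f"{rule:10s} {src:12s} {detail}")
```

The baseline set stands in for the "no prior history" condition the page attaches to Spambot and the Behavior findings; in practice it would be learned from a trailing window of the same logs rather than supplied by hand, and the two count thresholds would be tuned per environment so that a vulnerability scanner or a load balancer health check does not trip them.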

**Remediation recommendations:**

This finding can be a false positive when vulnerability assessment applications are deployed on EC2 instances in your environment, because these applications conduct port scans to alert you about misconfigured open ports. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the **Finding type** attribute with a value of `Recon:EC2/Portscan`. The second criterion should match the instance or instances that host these vulnerability assessment tools. You can use either the **Instance image ID** attribute or the **Tag** value attribute, depending on which of these identifies the instances that host these tools. For more information about creating suppression rules, see [Suppression rules in GuardDuty](findings_suppression-rule.md).

If this activity is unexpected, your instance is likely compromised; see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/BlackholeTraffic


### An EC2 instance is attempting to communicate with an IP address of a remote host that is a known black hole.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that the listed EC2 instance in your AWS environment might be compromised because it is trying to communicate with an IP address of a black hole (or sink hole). Black holes are places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient. A black hole IP address specifies a host machine that is not running or an address to which no host has been assigned.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/BlackholeTraffic!DNS


### An EC2 instance is querying a domain name that is being redirected to a black hole IP address.


**Default severity: Medium**
+ **Data source:** DNS logs

This finding informs you that the listed EC2 instance in your AWS environment might be compromised because it is querying a domain name that is being redirected to a black hole IP address. Black holes are places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/DGADomainRequest.B


### An EC2 instance is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that the listed EC2 instance in your AWS environment is trying to query domain generation algorithm (DGA) domains. Your EC2 instance might be compromised.

DGAs are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control (C&C) servers. Command and control servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware. The large number of potential rendezvous points makes it difficult to effectively shut down botnets because infected computers attempt to contact some of these domain names every day to receive updates or commands.

**Note**  
This finding is based on analysis of domain names using advanced heuristics and may identify new DGA domains that are not present in threat intelligence feeds.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/DGADomainRequest.C!DNS


### An EC2 instance is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that the listed EC2 instance in your AWS environment is trying to query domain generation algorithm (DGA) domains. Your EC2 instance might be compromised.

DGAs are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control (C&C) servers. Command and control servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware. The large number of potential rendezvous points makes it difficult to effectively shut down botnets because infected computers attempt to contact some of these domain names every day to receive updates or commands.

**Note**  
This finding is based on known DGA domains from GuardDuty's threat intelligence feeds.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/DNSDataExfiltration


### An EC2 instance is exfiltrating data through DNS queries.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that the listed EC2 instance in your AWS environment is running malware that uses DNS queries for outbound data transfers. This type of data transfer is indicative of a compromised instance and could result in the exfiltration of data. DNS traffic is not typically blocked by firewalls. For example, malware on a compromised EC2 instance can encode data (such as your credit card number) into a DNS query and send it to a remote DNS server that is controlled by an attacker.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/DriveBySourceTraffic!DNS


### An EC2 instance is querying a domain name of a remote host that is a known source of Drive-By download attacks.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that the listed EC2 instance in your AWS environment might be compromised because it is querying a domain name of a remote host that is a known source of drive-by download attacks. These are unintended downloads of computer software from the internet that can trigger an automatic installation of a virus, spyware, or malware.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/DropPoint


### An EC2 instance is attempting to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that an EC2 instance in your AWS environment is trying to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/DropPoint!DNS


### An EC2 instance is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.


**Default severity: Medium**
+ **Data source:** DNS logs

This finding informs you that an EC2 instance in your AWS environment is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Trojan:EC2/PhishingDomainRequest!DNS


### An EC2 instance is querying domains involved in phishing attacks. Your EC2 instance might be compromised.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that there is an EC2 instance in your AWS environment that is trying to query a domain involved in phishing attacks. Phishing domains are set up by someone posing as a legitimate institution in order to induce individuals to provide sensitive data, such as personally identifiable information, banking and credit card details, and passwords. Your EC2 instance may be trying to retrieve sensitive data stored on a phishing website, or it may be attempting to set up a phishing website. Your EC2 instance might be compromised.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## UnauthorizedAccess:EC2/MaliciousIPCaller.Custom


### An EC2 instance is making connections to an IP address on a custom threat list.


**Default severity: Medium**
+ **Data source:** VPC flow logs

This finding informs you that an EC2 instance in your AWS environment is communicating with an IP address included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on uploaded threat lists. The threat list used to generate this finding will be listed in the finding's details.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## UnauthorizedAccess:EC2/MetadataDNSRebind


### An EC2 instance is performing DNS lookups that resolve to the instance metadata service.


**Default severity: High**
+ **Data source:** DNS logs

This finding informs you that an EC2 instance in your AWS environment is querying a domain that resolves to the EC2 metadata IP address (169.254.169.254). A DNS query of this kind may indicate that the instance is a target of a DNS rebinding technique. This technique can be used to obtain metadata from an EC2 instance, including the IAM credentials associated with the instance.

DNS rebinding involves tricking an application running on the EC2 instance into loading data from a URL whose domain name resolves to the EC2 metadata IP address (169.254.169.254). This causes the application to access EC2 metadata and possibly make it available to the attacker.

It is possible to access EC2 metadata using DNS rebinding only if the EC2 instance is running a vulnerable application that allows injection of URLs, or if someone accesses the URL in a web browser running on the EC2 instance.
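The three DNS-based findings above (`Trojan:EC2/DGADomainRequest.B`, `Trojan:EC2/DNSDataExfiltration` and `UnauthorizedAccess:EC2/MetadataDNSRebind`) all come down to inspecting what an instance asks the resolver and what answer it receives. The following Python is an added example of that triage over resolver query logs; it is not GuardDuty's detection logic. The records are constructed, the field names (`query_name`, `query_type`, `answers[].Rdata`, `srcids.instance`) are an assumption modelled on the Route 53 Resolver query-log JSON layout, and the length and entropy thresholds are illustrative.

```python
"""Triage DNS resolver query logs for the three DNS-based EC2 findings.

Added example, not GuardDuty's detection logic. The sample records are
constructed; their field names follow the JSON layout of Route 53 Resolver
query logs (query_name, query_type, answers[].Rdata, srcids.instance), which
is an assumption about the log source rather than something the page states.
"""
import json
import math
from collections import Counter

METADATA_IP = "169.254.169.254"  # EC2 instance metadata service address
VOWELS = set("aeiou")

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"query_name": "api.example.com.", "query_type": "A", "rcode": "NOERROR",
     "answers": [{"Rdata": "203.0.113.10", "Type": "A"}], "srcids": {"instance": "i-0aaa"}},
    {"query_name": "cdn.cloudfront.net.", "query_type": "A", "rcode": "NOERROR",
     "answers": [{"Rdata": "203.0.113.11", "Type": "A"}], "srcids": {"instance": "i-0aaa"}},
    # Public name answered with the metadata address: DNS rebinding
    {"query_name": "app.rebind.example.", "query_type": "A", "rcode": "NOERROR",
     "answers": [{"Rdata": METADATA_IP, "Type": "A"}], "srcids": {"instance": "i-0bbb"}},
    # Long encoded label under a domain: data carried in the query name
    {"query_name": "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.d.tunnel.example.",
     "query_type": "TXT", "rcode": "NOERROR", "answers": [], "srcids": {"instance": "i-0ccc"}},
    # Random-looking second-level label with no vowels: DGA-like
    {"query_name": "xkqzvbtwjplhsn.example.", "query_type": "A", "rcode": "NXDOMAIN",
     "answers": [], "srcids": {"instance": "i-0ddd"}},
])


def shannon_entropy(text):
    """Bits per character of a string (0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(query_name):
    """Return (subdomain labels joined, second-level label). The registrable
    domain is approximated as the last two labels; use the Public Suffix List
    in a real deployment."""
    labels = query_name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", labels[0]
    return "".join(labels[:-2]), labels[-2]


def looks_like_exfil(query_name, min_len=30, min_entropy=3.5):
    """Long, high-entropy subdomain: data encoded into the query name."""
    sub, _ = split_name(query_name)
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy


def looks_like_dga(query_name, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """Long, high-entropy, vowel-poor second-level label: a crude DGA heuristic."""
    _, sld = split_name(query_name)
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio < max_vowel_ratio


def resolves_to_metadata(record):
    """Any answer pointing at the instance metadata address (DNS rebinding)."""
    return any(a.get("Rdata") == METADATA_IP for a in record.get("answers", []))


def triage(log_text):
    """Map each flagged instance id to its list of (query_name, reason) hits."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        name = rec["query_name"].rstrip(".")
        instance = rec.get("srcids", {}).get("instance", "unknown")
        reasons = []
        if resolves_to_metadata(rec):
            reasons.append("metadata-rebind")
        if looks_like_exfil(name):
            reasons.append("dns-exfil")
        if looks_like_dga(name):
            reasons.append("dga")
        for reason in reasons:
            hits.setdefault(instance, []).append((name, reason))
    return hits


if __name__ == "__main__":
    for instance, flagged in triage(SAMPLE_LOG).items():
        print(instance, flagged)
```

The rebinding check is the only exact one: a resolver answer of `169.254.169.254` for a public name is the signal the finding describes, and a site that legitimately maps the metadata address (the suppression case above) will show up the same way. The two entropy heuristics are deliberately crude; they illustrate why the `.B` variant relies on heuristics while the `.C!DNS` variant relies on threat-intelligence feeds.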

**Remediation recommendations:**

In response to this finding, you should evaluate if there is a vulnerable application running on the EC2 instance, or if someone used a browser to access the domain identified in the finding. If the root cause is a vulnerable application, you should fix the vulnerability. If someone browsed the identified domain, you should block the domain or prevent users from accessing it. If you determine this finding was related to either case above, [revoke the session associated with the EC2 instance](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html).

Some AWS customers intentionally map the metadata IP address to a domain name on their authoritative DNS servers. If this is the case in your environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the **Finding type** attribute with a value of `UnauthorizedAccess:EC2/MetadataDNSRebind`. The second criterion should be **DNS request domain**, and the value should match the domain you have mapped to the metadata IP address (169.254.169.254). For more information on creating suppression rules, see [Suppression rules in GuardDuty](findings_suppression-rule.md).

## UnauthorizedAccess:EC2/RDPBruteForce


### An EC2 instance has been involved in RDP brute force attacks.


**Default severity: Low\***

**Note**  
This finding's severity is low if your EC2 instance was the target of a brute force attack. This finding's severity is high if your EC2 instance is the actor being used to perform the brute force attack.
+ **Data source:** VPC flow logs

This finding informs you that an EC2 instance in your AWS environment was involved in a brute force attack aimed at obtaining passwords to RDP services on Windows-based systems. This can indicate unauthorized access to your AWS resources.

**Remediation recommendations:**

If your instance's **Resource Role** is `ACTOR`, this indicates your instance has been used to perform RDP brute force attacks. Unless this instance has a legitimate reason to be contacting the IP address listed as the `Target`, it is recommended that you assume your instance has been compromised and take the actions listed in [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md). 

If your instance's **Resource Role** is `TARGET`, this finding can be remediated by securing your RDP port to only trusted IPs through Security Groups, ACLs, or firewalls. For more information see [Tips for securing your EC2 instances (Linux)](https://aws.amazon.com/articles/tips-for-securing-your-ec2-instance/).

## UnauthorizedAccess:EC2/SSHBruteForce


### An EC2 instance has been involved in SSH brute force attacks.


**Default severity: Low\***

**Note**  
This finding's severity is low if a brute force attack is aimed at one of your EC2 instances. This finding's severity is high if your EC2 instance is being used to perform the brute force attack.
+ **Data source:** VPC flow logs

This finding informs you that an EC2 instance in your AWS environment was involved in a brute force attack aimed at obtaining passwords to SSH services on Linux-based systems. This can indicate unauthorized access to your AWS resources. 

**Note**  
This finding is generated only through monitoring traffic on port 22. If your SSH services are configured to use other ports, this finding is not generated.
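As an added example (not GuardDuty's detector), the following Python flags in VPC flow logs the two behaviours described by `Recon:EC2/Portscan` and by the RDP and SSH brute force findings: one source touching many ports on a host within a short window, and one source opening many connections to port 22 or 3389 on a host. The records are constructed in the default flow-log format; the thresholds and the window are illustrative assumptions.

```python
"""Flag port scans and SSH/RDP password guessing in VPC flow logs.

Added example, not GuardDuty's detector. Records use the default flow-log
format (version account-id interface-id srcaddr dstaddr srcport dstport
protocol packets bytes start end action log-status); all records below are
constructed, and the thresholds are illustrative.
"""
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
BRUTE_FORCE_PORTS = {22: "SSH", 3389: "RDP"}


def _record(src, dst, sport, dport, start, action):
    """One constructed flow-log line for a TCP (protocol 6) flow."""
    return (f"2 123456789012 eni-0example {src} {dst} {sport} {dport} 6 4 240 "
            f"{start} {start + 10} {action} OK")


def _sample_lines():
    lines, base = [], 1_700_000_000
    # A scanner walking twelve ports on one host within 30 seconds.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080]):
        lines.append(_record("198.51.100.7", "10.0.1.5", 40000 + i, port, base + 2 * i, "REJECT"))
    # Fifteen SSH connection attempts from one source within a minute (one line per source port).
    for i in range(15):
        action = "REJECT" if i < 14 else "ACCEPT"
        lines.append(_record("198.51.100.9", "10.0.1.5", 50000 + i, 22, base + 100 + 4 * i, action))
    # Ordinary HTTPS traffic from a corporate address.
    for i in range(3):
        lines.append(_record("203.0.113.5", "10.0.1.5", 60000 + i, 443, base + 300 + 30 * i, "ACCEPT"))
    return lines


SAMPLE_FLOW_LOG = "\n".join(_sample_lines())


def parse_flow_log(text):
    """Parse default-format flow-log lines into dicts with integer ports and times."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # header or non-default format
        rec = dict(zip(FIELDS, parts))
        try:
            for key in ("srcport", "dstport", "protocol", "start", "end"):
                rec[key] = int(rec[key])
        except ValueError:
            continue  # NODATA/SKIPDATA records carry "-" in these fields
        records.append(rec)
    return records


def detect_port_scans(records, min_ports=10, window=60):
    """(srcaddr, dstaddr, port_count) for pairs touching >= min_ports distinct
    destination ports within `window` seconds."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["srcaddr"], r["dstaddr"])].append((r["start"], r["dstport"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break
    return alerts


def detect_brute_force(records, min_attempts=10, window=60):
    """(srcaddr, dstaddr, service, attempts) for sources opening >= min_attempts
    distinct connections to SSH/RDP on one host within `window` seconds."""
    by_key = defaultdict(list)
    for r in records:
        if r["protocol"] == 6 and r["dstport"] in BRUTE_FORCE_PORTS:
            by_key[(r["srcaddr"], r["dstaddr"], r["dstport"])].append((r["start"], r["srcport"]))
    alerts = []
    for (src, dst, dport), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            attempts = {sp for t, sp in events[i:] if t - t0 <= window}
            if len(attempts) >= min_attempts:
                alerts.append((src, dst, BRUTE_FORCE_PORTS[dport], len(attempts)))
                break
    return alerts


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("port scans:", detect_port_scans(recs))
    print("brute force:", detect_brute_force(recs))
```

Each flow-log record aggregates the packets of one 5-tuple within the aggregation interval, so counting records with distinct source ports approximates connection attempts rather than packets. Both `ACCEPT` and `REJECT` records are counted: a security group that rejects the probes still reveals the scan, and a brute force that ends in a single `ACCEPT` is the case most worth seeing. As the note above says for GuardDuty, the brute force check only sees the standard ports.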

**Remediation recommendations:**

If the target of the brute force attempt is a bastion host, this may represent expected behavior for your AWS environment. If this is the case, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the **Finding type** attribute with a value of `UnauthorizedAccess:EC2/SSHBruteForce`. The second criterion should match the instance or instances that serve as bastion hosts. You can use either the **Instance image ID** attribute or the **Tag** value attribute, depending on which of these identifies the bastion hosts. For more information about creating suppression rules, see [Suppression rules in GuardDuty](findings_suppression-rule.md).

If this activity is not expected for your environment and your instance's **Resource Role** is `TARGET`, this finding can be remediated by securing your SSH port to only trusted IPs through Security Groups, ACLs, or firewalls. For more information, see [Tips for securing your EC2 instances (Linux)](https://aws.amazon.com/articles/tips-for-securing-your-ec2-instance/).

 If your instance's **Resource Role** is `ACTOR`, this indicates the instance has been used to perform SSH brute force attacks. Unless this instance has a legitimate reason to be contacting the IP address listed as the `Target`, it is recommended that you assume your instance has been compromised and take the actions listed in [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).
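The suppression rules described for `Recon:EC2/PortProbeUnprotectedPort`, `Recon:EC2/Portscan`, `UnauthorizedAccess:EC2/MetadataDNSRebind` and `UnauthorizedAccess:EC2/SSHBruteForce` all have the same shape: the finding type plus one selector for the approved resource. The following Python, an added example rather than AWS code, builds the `CreateFilter` request for such a rule using the finding-filter attribute names `type`, `resource.instanceDetails.imageId`, `resource.instanceDetails.tags.key`/`.value` and `service.action.dnsRequestAction.domain`. The detector id, AMI id, tag and domain values are placeholders; the API call itself needs boto3 and credentials, so it is kept in a separate function that the builders do not depend on.

```python
"""Build the GuardDuty filter (suppression rule) payload described in the findings above.

Added example, not AWS code. The criterion keys are GuardDuty finding-filter
attribute names as accepted by CreateFilter; the detector id, AMI id, tag and
domain values used here are placeholders. Suppression in GuardDuty is a filter
whose action is ARCHIVE.
"""


def suppression_criteria(finding_type, *, image_id=None, tag=None, dns_domain=None):
    """FindingCriteria for CreateFilter: the finding type AND exactly one selector
    (instance image id, an instance tag key/value pair, or a DNS request domain)."""
    selectors = [s for s in (image_id, tag, dns_domain) if s is not None]
    if len(selectors) != 1:
        raise ValueError("choose exactly one of image_id, tag or dns_domain")
    criterion = {"type": {"Eq": [finding_type]}}
    if image_id is not None:
        criterion["resource.instanceDetails.imageId"] = {"Eq": [image_id]}
    elif tag is not None:
        key, value = tag
        criterion["resource.instanceDetails.tags.key"] = {"Eq": [key]}
        criterion["resource.instanceDetails.tags.value"] = {"Eq": [value]}
    else:
        criterion["service.action.dnsRequestAction.domain"] = {"Eq": [dns_domain]}
    return {"Criterion": criterion}


def suppression_filter_request(detector_id, name, finding_type, **selector):
    """Complete CreateFilter request that archives matching findings automatically."""
    return {
        "DetectorId": detector_id,
        "Name": name,
        "Action": "ARCHIVE",
        "Description": f"Suppress {finding_type} for approved resources",
        "FindingCriteria": suppression_criteria(finding_type, **selector),
    }


def create_filter(request):
    """Submit the request with boto3 (network call; needs credentials)."""
    import boto3  # imported lazily so the builders above stay dependency-free
    return boto3.client("guardduty").create_filter(**request)


if __name__ == "__main__":
    # Placeholder detector id; look up your own with `aws guardduty list-detectors`.
    request = suppression_filter_request(
        "12abc34d567e8fa901bc2d34e56789f0", "bastion-ssh-bruteforce",
        "UnauthorizedAccess:EC2/SSHBruteForce", tag=("Role", "bastion"))
    print(request)
```

Keeping the selector mandatory is the point of the two-criteria rule: a filter on the finding type alone would archive every instance of that finding, including the unexpected ones the page says to treat as a compromise.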

## UnauthorizedAccess:EC2/TorClient


### Your EC2 instance is making connections to a Tor Guard or an Authority node.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that an EC2 instance in your AWS environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guards and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this EC2 instance has been compromised and is acting as a client on a Tor network. This finding may indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## UnauthorizedAccess:EC2/TorRelay


### Your EC2 instance is making connections to a Tor network as a Tor relay.


**Default severity: High**
+ **Data source:** VPC flow logs

This finding informs you that an EC2 instance in your AWS environment is making connections to a Tor network in a manner that suggests that it's acting as a Tor relay. Tor is software for enabling anonymous communication. Tor increases anonymity of communication by forwarding the client's possibly illicit traffic from one Tor relay to another.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

# GuardDuty IAM finding types

The following findings are specific to IAM entities and access keys and always have a **Resource Type** of `AccessKey`. The severity and details of the findings differ based on the finding type.

The findings listed here include the data sources and models used to generate that finding type. For more information, see [GuardDuty foundational data sources](guardduty_data-sources.md).

For all IAM-related findings, we recommend that you examine the entity in question and ensure that their permissions follow the best practice of least privilege. If the activity is unexpected, the credentials may be compromised. For information about remediating findings, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

**Topics**
+ [CredentialAccess:IAMUser/AnomalousBehavior](#credentialaccess-iam-anomalousbehavior)
+ [CredentialAccess:IAMUser/CompromisedCredentials](#credentialaccess-iam-compromisedcredentials)
+ [DefenseEvasion:IAMUser/AnomalousBehavior](#defenseevasion-iam-anomalousbehavior)
+ [DefenseEvasion:IAMUser/BedrockLoggingDisabled](#defenseevasion-iam-bedrockloggingdisabled)
+ [Discovery:IAMUser/AnomalousBehavior](#discovery-iam-anomalousbehavior)
+ [Exfiltration:IAMUser/AnomalousBehavior](#exfiltration-iam-anomalousbehavior)
+ [Impact:IAMUser/AnomalousBehavior](#impact-iam-anomalousbehavior)
+ [InitialAccess:IAMUser/AnomalousBehavior](#initialaccess-iam-anomalousbehavior)
+ [PenTest:IAMUser/KaliLinux](#pentest-iam-kalilinux)
+ [PenTest:IAMUser/ParrotLinux](#pentest-iam-parrotlinux)
+ [PenTest:IAMUser/PentooLinux](#pentest-iam-pentoolinux)
+ [Persistence:IAMUser/AnomalousBehavior](#persistence-iam-anomalousbehavior)
+ [Policy:IAMUser/RootCredentialUsage](#policy-iam-rootcredentialusage)
+ [Policy:IAMUser/ShortTermRootCredentialUsage](#policy-iam-user-short-term-root-credential-usage)
+ [PrivilegeEscalation:IAMUser/AnomalousBehavior](#privilegeescalation-iam-anomalousbehavior)
+ [Recon:IAMUser/MaliciousIPCaller](#recon-iam-maliciousipcaller)
+ [Recon:IAMUser/MaliciousIPCaller.Custom](#recon-iam-maliciousipcallercustom)
+ [Recon:IAMUser/TorIPCaller](#recon-iam-toripcaller)
+ [Stealth:IAMUser/CloudTrailLoggingDisabled](#stealth-iam-cloudtrailloggingdisabled)
+ [Stealth:IAMUser/PasswordPolicyChange](#stealth-iam-passwordpolicychange)
+ [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B](#unauthorizedaccess-iam-consoleloginsuccessb)
+ [UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS](#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws)
+ [UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS](#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws)
+ [UnauthorizedAccess:IAMUser/MaliciousIPCaller](#unauthorizedaccess-iam-maliciousipcaller)
+ [UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom](#unauthorizedaccess-iam-maliciousipcallercustom)
+ [UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS](#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws)
+ [UnauthorizedAccess:IAMUser/TorIPCaller](#unauthorizedaccess-iam-toripcaller)

## CredentialAccess:IAMUser/AnomalousBehavior


### An API used to gain access to an AWS environment was invoked in an anomalous way.


**Default severity: Medium**
+ **Data source:** CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single [user identity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). The API observed is commonly associated with the credential access stage of an attack when an adversary is attempting to collect passwords, usernames, and access keys for your environment. The APIs in this category are `GetPasswordData`, `GetSecretValue`, `BatchGetSecretValue`, and `GenerateDbAuthToken`. 

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## CredentialAccess:IAMUser/CompromisedCredentials


### An IAM access key was identified as potentially compromised by Amazon threat intelligence.


**Default severity: High**
+ **Feature:** Included with Foundational Data Source Protection

**Full description:**

This finding informs you that an IAM access key associated with your AWS account has been identified as potentially compromised by Amazon threat intelligence. The compromised credential was then used to invoke API operations in your AWS environment. The list of API calls made using the compromised credential, along with the count and timestamps of each call, the access key involved, and the source IP address are included in the finding details.

The credential compromise in this finding is identified by Amazon threat intelligence. AWS monitors potentially compromised credentials through usage patterns and generates this finding when such a credential is observed being used.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## DefenseEvasion:IAMUser/AnomalousBehavior


### An API used to evade defensive measures was invoked in an anomalous way.


**Default severity: Medium**
+ **Data source:** CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single [user identity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). The API observed is commonly associated with defense evasion tactics, where an adversary is trying to cover their tracks and avoid detection. APIs in this category are typically delete, disable, or stop operations, such as `DeleteFlowLogs`, `DisableAlarmActions`, or `StopLogging`.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## DefenseEvasion:IAMUser/BedrockLoggingDisabled


### Logging for Amazon Bedrock was disabled.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that logging was disabled for Bedrock model invocations in your account. This can be an attacker's attempt to hide malicious activity like data exfiltration or abuse of AI models. Disabling logging removes visibility into the data sent to models and how the models are used.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Discovery:IAMUser/AnomalousBehavior


### An API commonly used to discover resources was invoked in an anomalous way.


**Default severity: Low**
+ **Data source:** CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single [user identity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). The API observed is commonly associated with the discovery stage of an attack, when an adversary is gathering information to determine if your AWS environment is susceptible to a broader attack. APIs in this category are typically get, describe, or list operations, such as `DescribeInstances`, `GetRolePolicy`, or `ListAccessKeys`.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Exfiltration:IAMUser/AnomalousBehavior


### An API commonly used to collect data from an AWS environment was invoked in an anomalous way.


**Default severity: High**
+ **Data source:** CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single [user identity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). The API observed is commonly associated with exfiltration tactics, where an adversary is trying to collect data from your network using packaging and encryption to avoid detection. APIs for this finding type are management (control-plane) operations only and are typically related to S3, snapshots, and databases, such as `PutBucketReplication`, `CreateSnapshot`, or `RestoreDBInstanceFromDBSnapshot`.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Impact:IAMUser/AnomalousBehavior


### An API commonly used to tamper with data or processes in an AWS environment was invoked in an anomalous way.


**Default severity: High**
+ **Data source:** CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single [user identity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). The API observed is commonly associated with impact tactics, where an adversary is trying to disrupt operations and manipulate, interrupt, or destroy data in your account. APIs for this finding type are typically delete, update, or put operations, such as `DeleteSecurityGroup`, `UpdateUser`, or `PutBucketPolicy`.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## InitialAccess:IAMUser/AnomalousBehavior


### An API commonly used to gain unauthorized access to an AWS environment was invoked in an anomalous way.


**Default severity: Medium**
+ **Data source:** CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single [user identity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). The API observed is commonly associated with the initial access stage of an attack, when an adversary is attempting to establish access to your environment. APIs in this category are typically token or session operations, such as `StartSession` or `GetAuthorizationToken`.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## PenTest:IAMUser/KaliLinux


### An API was invoked from a Kali Linux machine.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that a machine running Kali Linux is making API calls using credentials that belong to the listed AWS account in your environment. Kali Linux is a Linux distribution built for penetration testing. Security professionals use it to identify weaknesses in EC2 instances that require patching; attackers use the same tooling to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## PenTest:IAMUser/ParrotLinux


### An API was invoked from a Parrot Security Linux machine.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that a machine running Parrot Security Linux is making API calls using credentials that belong to the listed AWS account in your environment. Parrot Security Linux is a Linux distribution built for penetration testing. Security professionals use it to identify weaknesses in EC2 instances that require patching; attackers use the same tooling to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## PenTest:IAMUser/PentooLinux


### An API was invoked from a Pentoo Linux machine.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that a machine running Pentoo Linux is making API calls using credentials that belong to the listed AWS account in your environment. Pentoo Linux is a Linux distribution built for penetration testing. Security professionals use it to identify weaknesses in EC2 instances that require patching; attackers use the same tooling to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).
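The three PenTest findings above all key off the operating system the caller is running. The following is an added example, not GuardDuty's own detection logic and not part of this documentation: it scans CloudTrail records for a user agent that names one of these distributions. It assumes that the AWS CLI and SDKs put the kernel release or OS name into the `userAgent` field (on these distributions that string usually contains `kali`, `parrot`, or `pentoo`); the finding type names are taken from this page, and the sample records are constructed.

```python
"""Flag CloudTrail records whose user agent points at a penetration-testing
distribution (Kali, Parrot Security, Pentoo).

Added example; this is not GuardDuty's own detection logic. It assumes the
AWS CLI/SDK user agent carries the kernel release or OS name, which on these
distributions usually contains "kali", "parrot" or "pentoo". Sample records
are constructed.
"""
import re
from typing import Dict, List, Optional

# Finding type -> pattern matched case-insensitively against userAgent.
# No trailing word boundary: kernel strings look like "6.6.9-kali1-amd64" or
# "6.5.0-13parrot1-amd64", where the name runs straight into a digit.
PENTEST_DISTROS = {
    "PenTest:IAMUser/KaliLinux": re.compile(r"kali", re.I),
    "PenTest:IAMUser/ParrotLinux": re.compile(r"parrot", re.I),
    "PenTest:IAMUser/PentooLinux": re.compile(r"pentoo", re.I),
}


def classify_user_agent(user_agent: Optional[str]) -> Optional[str]:
    """Return the PenTest finding type the agent string implies, or None."""
    if not user_agent:
        return None
    for finding_type, pattern in PENTEST_DISTROS.items():
        if pattern.search(user_agent):
            return finding_type
    return None


def scan_events(events: List[Dict]) -> List[Dict]:
    """Return one alert per matching record with the fields an analyst pivots on:
    which principal and access key, from which IP, calling which API."""
    alerts = []
    for ev in events:
        finding_type = classify_user_agent(ev.get("userAgent"))
        if finding_type is None:
            continue
        identity = ev.get("userIdentity", {})
        alerts.append({
            "findingType": finding_type,
            "principal": identity.get("arn") or identity.get("type", "unknown"),
            "accessKeyId": identity.get("accessKeyId"),
            "sourceIPAddress": ev.get("sourceIPAddress"),
            "eventName": ev.get("eventName"),
            "eventTime": ev.get("eventTime"),
        })
    return alerts


# Constructed sample records (abbreviated CloudTrail shape).
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.15.30 Python/3.11.8 Linux/6.6.9-kali1-amd64 source/x86_64.kali",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/dev-tester",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
    },
    {
        "eventTime": "2024-05-01T10:02:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.7",
        "userAgent": "aws-cli/2.15.30 Python/3.11.8 Linux/6.5.0-13parrot1-amd64 source/x86_64",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/session",
                         "accessKeyId": "ASIAIOSFODNN7EXAMPLE"},
    },
    {
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers",
        "sourceIPAddress": "192.0.2.44",
        "userAgent": "aws-sdk-go/1.50.0 (go1.21.5; linux; amd64)",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/ci-bot",
                         "accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
    },
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

A user agent is attacker-controlled, so a clean agent string proves nothing; the check is useful only as a positive signal, and the access key ID it surfaces is what you would rotate under the credential remediation steps linked above.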

## Persistence:IAMUser/AnomalousBehavior


### An API commonly used to maintain unauthorized access to an AWS environment was invoked in an anomalous way.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single [user identity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). The API observed is commonly associated with persistence tactics, where an adversary has gained access to your environment and is attempting to maintain that access. APIs in this category are typically create, import, or modify operations, such as `CreateAccessKey`, `ImportKeyPair`, or `ModifyInstanceAttribute`.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Policy:IAMUser/RootCredentialUsage


### An API was invoked using root user sign-in credentials.


**Default severity: Low**
+ **Data source:** CloudTrail management events or CloudTrail data events for S3

This finding informs you that the root user sign-in credentials of the listed AWS account in your environment are being used to make requests to AWS services. It is recommended that users never use root user sign-in credentials to access AWS services. Instead, AWS services should be accessed using least privilege temporary credentials from AWS Security Token Service (STS). For situations where AWS STS is not supported, IAM user credentials are recommended. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

**Note**  
If S3 Protection is enabled for the account, this finding may also be generated by attempts to run S3 data plane operations on Amazon S3 resources using the root user sign-in credentials of the AWS account. The API call used is listed in the finding details. If S3 Protection is not enabled, this finding can be triggered only by CloudTrail management events. For more information about S3 Protection, see [S3 Protection](s3-protection.md).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).
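As an added example that is not part of this documentation or of GuardDuty, the following Python pulls root-user activity out of a batch of CloudTrail records and applies the S3 Protection distinction from the note above. It relies on two CloudTrail facts: a call made with the root user's credentials has `userIdentity.type` equal to `Root`, and `eventCategory` separates management events (`Management`) from data events (`Data`). The `mfaAuthenticated` lookup assumes the `sessionContext.attributes` structure that console sessions carry; it is absent for calls made with long-term access keys. All sample records are constructed.

```python
"""Pull root-user activity out of CloudTrail records and separate management
events from S3 data events.

Added example; not GuardDuty's detection. CloudTrail marks calls made with the
root user's credentials with userIdentity.type == "Root"; eventCategory tells
management events ("Management") from data events ("Data"). The S3 Protection
switch mirrors the page's note: without it, S3 data-plane calls by root are not
seen by GuardDuty. Sample records are constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple


def is_root_call(event: Dict) -> bool:
    """True when the record was produced with root user credentials."""
    return event.get("userIdentity", {}).get("type") == "Root"


def root_activity(events: List[Dict], s3_protection_enabled: bool) -> List[Dict]:
    """Return the root-credential calls GuardDuty could flag given the account's
    S3 Protection setting, with the fields needed for follow-up."""
    hits = []
    for ev in events:
        if not is_root_call(ev):
            continue
        category = ev.get("eventCategory", "Management")
        if category == "Data" and not s3_protection_enabled:
            continue  # data-plane call; GuardDuty does not see it without S3 Protection
        identity = ev.get("userIdentity", {})
        # sessionContext.attributes.mfaAuthenticated is "true"/"false" for console
        # sessions and absent for calls made with long-term access keys.
        mfa = (identity.get("sessionContext", {}).get("attributes", {})
               .get("mfaAuthenticated") == "true")
        hits.append({
            "eventTime": ev.get("eventTime"),
            "eventSource": ev.get("eventSource"),
            "eventName": ev.get("eventName"),
            "eventCategory": category,
            "sourceIPAddress": ev.get("sourceIPAddress"),
            "mfaAuthenticated": mfa,
            "consoleLogin": ev.get("eventSource") == "signin.amazonaws.com",
        })
    return hits


def summarize(hits: List[Dict]) -> Dict[Tuple[str, str], int]:
    """Count calls per (eventSource, eventName) so the responder sees at a glance
    what the root user was used for."""
    return dict(Counter((h["eventSource"], h["eventName"]) for h in hits))


# Constructed sample records (abbreviated CloudTrail shape).
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
        "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-03T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventCategory": "Management",
     "sourceIPAddress": "198.51.100.5", "userIdentity": ROOT},
    {"eventTime": "2024-06-03T08:01:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventCategory": "Management",
     "sourceIPAddress": "198.51.100.5", "userIdentity": ROOT},
    {"eventTime": "2024-06-03T08:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data",
     "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-06-03T08:04:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "eventCategory": "Management",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-bot"}},
]

if __name__ == "__main__":
    for enabled in (False, True):
        print("S3 Protection enabled:", enabled, summarize(root_activity(SAMPLE_EVENTS, enabled)))
```

Run against the constructed records, the `GetObject` call only appears when S3 Protection is on, which is exactly the gap the note above describes: without S3 Protection, root activity confined to the S3 data plane is not surfaced by this finding.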

## Policy:IAMUser/ShortTermRootCredentialUsage


### An API was invoked by using restricted root user credentials.


**Default severity: Low**
+ **Data source:** AWS CloudTrail management events or AWS CloudTrail data events for S3

This finding informs you that restricted, short-term root user credentials created for the listed AWS account in your environment are being used to make requests to AWS services. Use root user credentials only for those [tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

When possible, access the AWS services by using least privilege IAM roles with temporary credentials from AWS Security Token Service (AWS STS). For scenarios where AWS STS is not supported, the best practice is to use IAM user credentials. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) and [Root user best practices for your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html) in the *IAM User Guide*.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## PrivilegeEscalation:IAMUser/AnomalousBehavior


### An API commonly used to obtain high-level permissions to an AWS environment was invoked in an anomalous way.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single [user identity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html). The API observed is commonly associated with privilege escalation tactics, where an adversary is attempting to gain higher-level permissions to an environment. APIs in this category typically involve operations that change IAM policies, roles, and users, such as `AssociateIamInstanceProfile`, `AddUserToGroup`, or `PutUserPolicy`.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Recon:IAMUser/MaliciousIPCaller


### An API was invoked from a known malicious IP address.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that an API operation that can list or describe AWS resources in an account within your environment was invoked from an IP address that is included on a threat list. An attacker may use stolen credentials to perform this type of reconnaissance of your AWS resources in order to find more valuable credentials or determine the capabilities of the credentials they already have.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Recon:IAMUser/MaliciousIPCaller.Custom


### An API was invoked from a known malicious IP address.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that an API operation that can list or describe AWS resources in an account within your environment was invoked from an IP address that is included on a custom threat list. The threat list used will be listed in the finding's details. An attacker might use stolen credentials to perform this type of reconnaissance of your AWS resources in order to find more valuable credentials or determine the capabilities of the credentials they already have.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Recon:IAMUser/TorIPCaller


### An API was invoked from a Tor exit node IP address.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that an API operation that can list or describe AWS resources in an account within your environment was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. An attacker would use Tor to mask their true identity.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Stealth:IAMUser/CloudTrailLoggingDisabled


### AWS CloudTrail logging was disabled.


**Default severity: Low**
+ **Data source:** CloudTrail management events

This finding informs you that a CloudTrail trail within your AWS environment was disabled. This can be an attacker's attempt to disable logging to cover their tracks by eliminating any trace of their activity while gaining access to your AWS resources for malicious purposes. This finding can be triggered by a successful deletion or update of a trail. This finding can also be triggered by a successful deletion of an S3 bucket that stores the logs from a trail that is associated with GuardDuty.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).
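The following is an added example, not GuardDuty's logic and not part of this documentation, that reproduces the conditions described for this finding over a batch of CloudTrail records: a successful deletion or update of a trail, and deletion of the S3 bucket a trail writes to. It also treats `StopLogging` as tampering, since that is the API that turns a trail off without deleting it; that addition, the set of known log buckets, and the sample records are this example's own constructions. Calls that failed (an `errorCode` is present) are skipped, matching the "successful" wording above.

```python
"""Detect tampering with CloudTrail logging in a stream of CloudTrail records.

Added example; not GuardDuty's logic. It covers what the page lists for this
finding: a successful deletion or update of a trail, and deletion of the S3
bucket a trail writes to. StopLogging is included too, as the API that turns a
trail off without deleting it; including it is this example's assumption. The
set of log buckets and the sample records are constructed.
"""
from typing import Dict, List, Set

TRAIL_TAMPER_APIS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def detect_logging_disabled(events: List[Dict], trail_buckets: Set[str]) -> List[Dict]:
    """Return one alert per successful call that disables, deletes or alters a
    trail, or removes a bucket that holds trail logs."""
    alerts = []
    for ev in events:
        if ev.get("errorCode"):
            continue  # denied or failed attempt; the page's finding needs success
        source = ev.get("eventSource")
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn")
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_APIS:
            # requestParameters.name carries the trail name or ARN
            alerts.append({"reason": name, "target": params.get("name"),
                           "actor": actor, "eventTime": ev.get("eventTime")})
        elif (source == "s3.amazonaws.com" and name == "DeleteBucket"
              and params.get("bucketName") in trail_buckets):
            alerts.append({"reason": "TrailLogBucketDeleted",
                           "target": params.get("bucketName"),
                           "actor": actor, "eventTime": ev.get("eventTime")})
    return alerts


# Constructed: buckets that trails in this account write to.
TRAIL_BUCKETS = {"org-cloudtrail-logs-111122223333"}

# Constructed sample records (abbreviated CloudTrail shape).
ACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-07-09T02:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": ACTOR,
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventTime": "2024-07-09T02:10:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "userIdentity": ACTOR, "errorCode": "AccessDenied",
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False}},
    {"eventTime": "2024-07-09T02:11:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": ACTOR},
    {"eventTime": "2024-07-09T02:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userIdentity": ACTOR,
     "requestParameters": {"bucketName": "org-cloudtrail-logs-111122223333"}},
    {"eventTime": "2024-07-09T02:13:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userIdentity": ACTOR,
     "requestParameters": {"bucketName": "scratch-bucket"}},
]

if __name__ == "__main__":
    for alert in detect_logging_disabled(SAMPLE_EVENTS, TRAIL_BUCKETS):
        print(alert)
```

The denied `UpdateTrail` in the sample is dropped on purpose; a responder would still want to see failed tampering attempts, but they belong to a separate, lower-severity rule rather than to this finding's definition.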

## Stealth:IAMUser/PasswordPolicyChange


### Account password policy was weakened.


**Default severity: Low**

**Note**  
This finding's severity can be Low, Medium, or High depending on the severity of the changes made to the password policy.
+ **Data source:** CloudTrail management events

The AWS account password policy was weakened on the listed account within your AWS environment. For example, the policy was deleted, or it was updated to require fewer characters, to no longer require symbols and numbers, or to extend the password expiration period. This finding can also be triggered by an attempt to update or delete your AWS account password policy. The AWS account password policy defines the rules that govern what kinds of passwords can be set for your IAM users. A weaker password policy permits the creation of passwords that are easy to remember and potentially easier to guess, thereby creating a security risk.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).
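To judge whether a given `UpdateAccountPasswordPolicy` or `DeleteAccountPasswordPolicy` call weakened the policy, and in which ways, you need the policy in force before the call and the parameters of the call. The following is an added example, not GuardDuty's scoring and not part of this documentation. It assumes the IAM API parameter names as CloudTrail records them in `requestParameters` (`minimumPasswordLength`, `requireSymbols`, `maxPasswordAge`, and so on) and IAM's defaults for a missing policy (six characters, no character classes required, no expiry, no reuse prevention). One behaviour it encodes is worth knowing: IAM resets any parameter omitted from an update to its default, so an update that only raises one setting can silently weaken the rest. The previous policy and the sample events are constructed.

```python
"""Score how an UpdateAccountPasswordPolicy or DeleteAccountPasswordPolicy call
changes the account password policy.

Added example; not GuardDuty's scoring. `previous` is the policy in force before
the call (as GetAccountPasswordPolicy reports it), `requested` is the CloudTrail
requestParameters of the call; parameter names follow the IAM API as CloudTrail
camel-cases them. Sample inputs are constructed.
"""
from typing import Dict, List

# IAM's defaults: what a parameter becomes when the policy is deleted or when an
# update omits it (IAM resets omitted parameters to their defaults).
DEFAULTS = {
    "minimumPasswordLength": 6,
    "requireSymbols": False,
    "requireNumbers": False,
    "requireUppercaseCharacters": False,
    "requireLowercaseCharacters": False,
    "maxPasswordAge": 0,          # 0 means passwords never expire
    "passwordReusePrevention": 0, # 0 means reuse is unrestricted
}
REQUIRE_FLAGS = ("requireSymbols", "requireNumbers",
                 "requireUppercaseCharacters", "requireLowercaseCharacters")


def weakenings(previous: Dict, requested: Dict) -> List[str]:
    """List every way the effective new policy is weaker than the previous one.
    An empty list means the change only kept or hardened the policy."""
    prev = {**DEFAULTS, **previous}
    new = {**DEFAULTS, **requested}  # omitted parameters fall back to defaults
    out = []
    if new["minimumPasswordLength"] < prev["minimumPasswordLength"]:
        out.append(f"minimumPasswordLength {prev['minimumPasswordLength']} -> "
                   f"{new['minimumPasswordLength']}")
    for flag in REQUIRE_FLAGS:
        if prev[flag] and not new[flag]:
            out.append(f"{flag} no longer required")
    prev_age, new_age = prev["maxPasswordAge"], new["maxPasswordAge"]
    if prev_age and (new_age == 0 or new_age > prev_age):
        out.append(f"maxPasswordAge {prev_age} -> {'never' if new_age == 0 else new_age}")
    if new["passwordReusePrevention"] < prev["passwordReusePrevention"]:
        out.append(f"passwordReusePrevention {prev['passwordReusePrevention']} -> "
                   f"{new['passwordReusePrevention']}")
    return out


def assess_event(previous: Dict, event: Dict) -> List[str]:
    """Score one IAM CloudTrail record. Deleting the policy reverts the account
    to the defaults, so it is scored as an update with an empty request.
    Failed calls (errorCode set) did not change anything and score empty."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("errorCode"):
        return []
    name = event.get("eventName")
    if name == "DeleteAccountPasswordPolicy":
        return weakenings(previous, {})
    if name == "UpdateAccountPasswordPolicy":
        return weakenings(previous, event.get("requestParameters") or {})
    return []


# Constructed: a reasonably strict policy and three calls against it.
PREVIOUS = {"minimumPasswordLength": 14, "requireSymbols": True, "requireNumbers": True,
            "requireUppercaseCharacters": True, "requireLowercaseCharacters": True,
            "maxPasswordAge": 90, "passwordReusePrevention": 24}
SLOPPY_UPDATE = {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAccountPasswordPolicy",
                 "requestParameters": {"minimumPasswordLength": 8, "requireNumbers": True}}
HARDENING_UPDATE = {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAccountPasswordPolicy",
                    "requestParameters": {**PREVIOUS, "minimumPasswordLength": 16,
                                          "maxPasswordAge": 60}}
DELETE = {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccountPasswordPolicy"}

if __name__ == "__main__":
    for label, ev in (("sloppy", SLOPPY_UPDATE), ("hardening", HARDENING_UPDATE), ("delete", DELETE)):
        print(label, assess_event(PREVIOUS, ev))
```

The "sloppy" update in the sample looks like a single harmless change (length 14 to 8) but, because the other parameters were omitted, it also drops three character-class requirements, removes expiry, and removes reuse prevention; that is the kind of change this finding exists to catch.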

## UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B


### Multiple worldwide successful console logins were observed.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that multiple successful console logins for the same IAM user were observed around the same time in various geographical locations. Such anomalous and risky access location patterns indicate potential unauthorized access to your AWS resources. 

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS


### Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from another account within AWS.


**Default severity: High**

**Note**  
This finding's default severity is High. However, if the API was invoked by an account affiliated with your AWS environment, the severity is Medium.
+ **Data source:** CloudTrail management events or CloudTrail data events for S3

This finding informs you when your Amazon EC2 instance credentials are used to invoke APIs from an IP address or an Amazon VPC endpoint that is owned by a different AWS account than the one that the associated Amazon EC2 instance is running in. VPC endpoint detection is only available for services that support network activity events for VPC endpoints. For information about services that support network activity events for VPC endpoints, see [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide*.

AWS does not recommend redistributing temporary credentials outside of the entity that created them (for example, AWS applications, Amazon EC2, or AWS Lambda). However, authorized users can export credentials from their Amazon EC2 instances to make legitimate API calls. If the `remoteAccountDetails.Affiliated` field is `True` the API was invoked from an account associated with the same administrator account. To rule out a potential attack and verify the legitimacy of the activity, contact the AWS account owner or IAM principal to whom these credentials are assigned.

**Note**  
If GuardDuty observes continued activity from a remote account, its machine learning (ML) model will identify this as an expected behavior. Therefore, GuardDuty will stop generating this finding for activity from that remote account. GuardDuty will continue to generate findings for new behavior from other remote accounts and will re-evaluate learned remote accounts as the behavior changes over time.

**Remediation recommendations:**

This finding is generated when AWS API requests are made from inside AWS, through an Amazon EC2 instance outside of your AWS account, by using your Amazon EC2 instance's session credentials. It may be customary, such as for Transit Gateway architecture in a [hub and spoke](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-vpc-solution.html) configuration, to route traffic through a single hub egress VPC with AWS service endpoints. If this behavior is expected, GuardDuty recommends that you use [Suppression rules](findings_suppression-rule.md) and create a rule with two filter criteria. The first criterion is the finding type, which in this case is UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS. The second criterion is the remote account ID from the remote account details.

In response to this finding you can use the following workflow to determine a course of action:

1. Identify the remote account involved from the `service.action.awsApiCallAction.remoteAccountDetails.accountId` field.

1. Determine if that account is affiliated with your GuardDuty environment from the `service.action.awsApiCallAction.remoteAccountDetails.affiliated` field.

1. If the account **is** affiliated, contact the remote account owner and the owner of the Amazon EC2 instance credentials to investigate.

   If the account **is not** affiliated, then the first step is to evaluate if that account is associated with your organization but is not a part of your GuardDuty multiple-account environment set up, or if GuardDuty has not yet been enabled in this account. Next, contact the owner of the Amazon EC2 instance credentials to determine if there is a use case for a remote account to use these credentials.

1. If the owner of the credentials does not recognize the remote account, the credentials may have been compromised by a threat actor operating within AWS. You should take the steps recommended in [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md) to secure your environment.

   Additionally, you can [submit an abuse report](https://support.aws.amazon.com/#/contacts/report-abuse) to the AWS Trust and Safety team to begin an investigation into the remote account. When submitting your report to AWS Trust and Safety, include the full JSON details of the finding.

## UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS


### Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address.


**Default severity: High**
+ **Data source:** CloudTrail management events or CloudTrail data events for S3

This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an EC2 instance in your AWS environment. The listed EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS. AWS does not recommend redistributing temporary credentials outside of the entity that created them (for example, AWS applications, EC2, or Lambda). However, authorized users can export credentials from their EC2 instances to make legitimate API calls. To rule out a potential attack and verify the legitimacy of the activity, validate if the use of instance credentials from the remote IP in the finding is expected. 

**Note**  
If GuardDuty observes continued activity from a remote host, its machine learning (ML) model will identify this as an expected behavior. Therefore, GuardDuty will stop generating this finding for activity from that remote host. GuardDuty will continue to generate findings for new behavior from other remote hosts and will re-evaluate learned remote hosts as the behavior changes over time.

**Remediation recommendations:**

This finding can also be generated when networking is configured to route internet traffic so that it egresses from an on-premises gateway rather than from a VPC Internet Gateway (IGW). Common configurations, such as using [AWS Outposts](https://docs.aws.amazon.com/outposts/latest/userguide/) or VPC VPN connections, can result in traffic routed this way. If this is expected behavior, we recommend that you use suppression rules and create a rule that consists of two filter criteria. The first criterion is **finding type**, which should be `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`. The second criterion is **API caller IPv4 Address** with the IP address or CIDR range of your on-premises internet gateway. To learn more about creating suppression rules, see [Suppression rules in GuardDuty](findings_suppression-rule.md).

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).
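The InsideAWS workflow above and the OutsideAWS suppression guidance both reduce to reading a few fields out of the finding and, when the activity is confirmed as expected, building a two-criterion suppression rule. The following is an added example, not part of the GuardDuty documentation or service: it applies the InsideAWS triage steps to a finding document and builds the suppression filter for either finding type. The finding documents are constructed and abbreviated, using the field paths this page names (`service.action.awsApiCallAction.remoteAccountDetails.accountId` and `.affiliated`) plus `service.action.awsApiCallAction.remoteIpDetails.ipAddressV4` for the caller IP. The filter dicts follow the `FindingCriteria` shape of the GuardDuty `CreateFilter` API, where `Action: ARCHIVE` is what the console calls a suppression rule; the code builds the request body but does not call the API. The same IP-based filter, with the Lambda finding type substituted, applies to `UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS` described later on this page.

```python
"""Triage an InstanceCredentialExfiltration finding and build the suppression
filter this page recommends once the activity is confirmed as expected.

Added example; not part of the GuardDuty documentation or service. Findings are
constructed and abbreviated, using the field paths named on the page. Filter
dicts follow the FindingCriteria shape of the GuardDuty CreateFilter API; the
code builds them but does not call the API.
"""
from typing import Any, Dict

INSIDE = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS"
OUTSIDE = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"
REMOTE_ACCOUNT = "service.action.awsApiCallAction.remoteAccountDetails.accountId"
AFFILIATED = "service.action.awsApiCallAction.remoteAccountDetails.affiliated"
CALLER_IP = "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4"


def get_path(doc: Dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts, returning default if absent."""
    node: Any = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def triage(finding: Dict) -> Dict:
    """Apply the page's workflow: identify the remote account (or caller IP),
    check affiliation, and state the responder's next step."""
    ftype = finding.get("type")
    result = {
        "type": ftype,
        "instanceId": get_path(finding, "resource.instanceDetails.instanceId"),
        "remoteAccountId": get_path(finding, REMOTE_ACCOUNT),
        "affiliated": bool(get_path(finding, AFFILIATED, False)),
        "callerIp": get_path(finding, CALLER_IP),
    }
    if ftype == INSIDE:
        if result["affiliated"]:
            result["nextStep"] = ("affiliated account: contact its owner and the credential "
                                  "owner; suppress by type + remote account ID if expected")
        else:
            result["nextStep"] = ("unaffiliated account: check whether it is in your organization "
                                  "but outside GuardDuty; if the credential owner does not "
                                  "recognise it, remediate the instance and file an abuse report")
    elif ftype == OUTSIDE:
        result["nextStep"] = ("confirm the caller IP is your on-premises or VPN egress; "
                              "otherwise treat the instance as compromised")
    else:
        raise ValueError(f"not a credential exfiltration finding: {ftype}")
    return result


def suppression_filter(finding: Dict, name: str) -> Dict:
    """Two-criterion archive filter: finding type plus the remote account ID
    (InsideAWS) or plus the API caller IPv4 address (OutsideAWS)."""
    ftype = finding["type"]
    criterion = {"type": {"Eq": [ftype]}}
    if ftype == INSIDE:
        criterion[REMOTE_ACCOUNT] = {"Eq": [get_path(finding, REMOTE_ACCOUNT)]}
    elif ftype == OUTSIDE:
        criterion[CALLER_IP] = {"Eq": [get_path(finding, CALLER_IP)]}
    else:
        raise ValueError(f"no suppression template for {ftype}")
    # Pass this dict, plus DetectorId, to guardduty.create_filter.
    return {"Name": name, "Action": "ARCHIVE", "Rank": 1,
            "FindingCriteria": {"Criterion": criterion}}


# Constructed, abbreviated findings.
INSIDE_FINDING = {
    "type": INSIDE,
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"action": {"awsApiCallAction": {
        "api": "ListBuckets",
        "remoteAccountDetails": {"accountId": "444455556666", "affiliated": False},
        "remoteIpDetails": {"ipAddressV4": "10.20.30.40"},
    }}},
}
OUTSIDE_FINDING = {
    "type": OUTSIDE,
    "resource": {"instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
    "service": {"action": {"awsApiCallAction": {
        "api": "GetCallerIdentity",
        "remoteIpDetails": {"ipAddressV4": "203.0.113.10"},
    }}},
}

if __name__ == "__main__":
    print(triage(INSIDE_FINDING))
    print(suppression_filter(OUTSIDE_FINDING, "onprem-egress"))
```

The filter deliberately pins both the finding type and the single remote account or IP: a rule on the finding type alone would hide every future exfiltration of the same kind. For the OutsideAWS case, widen the IP criterion to your actual egress range only after confirming that range is yours.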

## UnauthorizedAccess:IAMUser/MaliciousIPCaller


### An API was invoked from a known malicious IP address.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify your AWS privileges) was invoked from a known malicious IP address. This can indicate unauthorized access to AWS resources within your environment.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom


### An API was invoked from an IP address on a custom threat list.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify AWS privileges) was invoked from an IP address that is included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. This can indicate unauthorized access to AWS resources within your environment.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS


### Credentials that were created exclusively for an AWS Lambda resource are being used from an IP address outside of AWS.


**Default severity: High**
+ **Data source:** CloudTrail management events or CloudTrail data events for S3

This finding informs you that a host outside of AWS attempted to run AWS API operations using temporary AWS credentials that were created on an AWS Lambda resource in your AWS environment. The listed Lambda resource might be compromised, and the temporary credentials from this Lambda function might have been exfiltrated to a remote host outside of AWS.

AWS does not recommend redistributing temporary credentials outside of the entity that created them (for example, Amazon EC2 or AWS Lambda). However, authorized users can export credentials from their Lambda resources to make legitimate API calls. To rule out a potential attack and verify the legitimacy of the activity, validate whether the use of the Lambda credentials from the remote IP in the finding is expected.

**Note**  
If GuardDuty observes continued activity from a remote host, its machine learning (ML) model will identify this as an expected behavior. Therefore, GuardDuty will stop generating this finding for activity from that remote host. GuardDuty will continue to generate findings for new behavior from other remote hosts and will re-evaluate learned remote hosts as the behavior changes over time.

**Remediation recommendations:**

This finding can also be generated when networking is configured to route internet traffic so that it egresses from an on-premises gateway rather than from a VPC Internet Gateway (IGW). Common configurations, such as using [AWS Outposts](https://docs.aws.amazon.com/outposts/latest/userguide/) or VPC VPN connections, can result in traffic routed this way. If this is expected behavior, GuardDuty recommends using [Suppression rules](findings_suppression-rule.md) to create a rule with two filter criteria. The first criterion is **finding type**, which should be `UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS`. The second criterion is **API caller IPv4 Address** with the IP address or CIDR range of your on-premises internet gateway.

If this activity is unexpected, your credentials may have been compromised. For information about steps to remediate this finding type, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## UnauthorizedAccess:IAMUser/TorIPCaller


### An API was invoked from a Tor exit node IP address.


**Default severity: Medium**
+ **Data source:** CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify your AWS privileges) was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

# GuardDuty attack sequence finding types
Attack sequence finding types

GuardDuty detects an attack sequence when a specific sequence of multiple actions aligns with potentially suspicious activity. An attack sequence includes **signals** such as API activities and GuardDuty findings. When GuardDuty observes a group of signals in a specific sequence that indicates an in-progress, ongoing, or recent security threat, GuardDuty generates an attack sequence finding. GuardDuty considers individual API activities to be [weak signals](guardduty_concepts.md#guardduty-weak-signals-attack-sequence) because, in isolation, they do not indicate a potential threat.

The attack sequence detections focus on potential compromise of Amazon S3 data (that can be a part of a broader ransomware attack), compromised AWS credentials, compromised Amazon EKS clusters, compromised Amazon ECS clusters, and compromised Amazon EC2 instance groups. The following sections provide details about each of the attack sequences. 

**Topics**
+ [AttackSequence:EKS/CompromisedCluster](#attack-sequence-eks-compromised-cluster)
+ [AttackSequence:ECS/CompromisedCluster](#attack-sequence-ecs-compromised-cluster)
+ [AttackSequence:EC2/CompromisedInstanceGroup](#attack-sequence-ec2-compromised-instance-group)
+ [AttackSequence:IAM/CompromisedCredentials](#attack-sequence-iam-compromised-credentials)
+ [AttackSequence:S3/CompromisedData](#attack-sequence-s3-compromised-data)

## AttackSequence:EKS/CompromisedCluster


### A sequence of suspicious actions performed by potentially compromised Amazon EKS cluster.

+ Default severity: Critical
+ Data sources:
  + [EKS audit log events](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html#guardduty_k8s-audit-logs)
  + [Runtime Monitoring for Amazon EKS](https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-eks.html)
  + [Amazon EKS malware detection for Amazon EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html)
  + [AWS CloudTrail data events for S3](s3-protection.md#guardduty_s3dataplane)
  + [AWS CloudTrail management events](guardduty_data-sources.md#guardduty_controlplane)
  + [VPC Flow Logs](guardduty_data-sources.md#guardduty_vpc)
  + [Route53 Resolver DNS query logs](guardduty_data-sources.md#guardduty_dns)

This finding informs you that GuardDuty detected a sequence of suspicious actions that indicates a potentially compromised Amazon EKS cluster in your environment. Multiple suspicious and anomalous attack behaviors, such as malicious processes or connection with malicious endpoints, were observed in the same Amazon EKS cluster.

GuardDuty uses its proprietary correlation algorithms to observe and identify the sequence of actions performed by using the IAM credential. GuardDuty evaluates findings across protection plans and other signal sources to identify common and emerging attack patterns. GuardDuty uses multiple factors to surface threats, such as IP reputation, API sequences, user configuration, and potentially impacted resources.

**Remediation actions**: If this behavior is unexpected in your environment, then your Amazon EKS cluster may be compromised. For comprehensive remediation guidance, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md) and [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

Additionally, since AWS credentials may have been compromised through the EKS cluster, see [Remediating potentially compromised AWS credentials](compromised-creds.md). For steps to remediate other resources that may have been potentially impacted, see [Remediating detected GuardDuty security findings](guardduty_remediate.md).

## AttackSequence:ECS/CompromisedCluster


### A sequence of suspicious actions performed by potentially compromised Amazon ECS cluster.

+ Default severity: Critical
+ Data sources:
  + [Runtime Monitoring for Amazon ECS Fargate](https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-ecs-fargate.html)
  + [Runtime Monitoring for EC2 Instances in Amazon ECS](https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-ec2.html)
  + [ GuardDuty Malware Protection for Amazon EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html)

This finding informs you that GuardDuty detected a sequence of suspicious signals indicating a potentially compromised Amazon ECS cluster in your environment. These signals may include malicious processes, communications with malicious endpoints, or cryptocurrency mining behaviors.

GuardDuty uses proprietary correlation algorithms and multiple detection factors to identify sequences of suspicious actions within Amazon ECS clusters. Through analysis across protection plans and various signal sources, GuardDuty identifies common and emerging attack patterns, providing high-confidence detection of potential compromises.

**Remediation actions**: If this behavior is unexpected in your environment, your Amazon ECS cluster may be compromised. For threat containment recommendations, see [Remediating a potentially compromised ECS cluster](compromised-ecs.md). Note that the compromise may extend to one or more ECS tasks or container workloads, which could have been used to create or modify AWS resources. For comprehensive remediation guidance covering potentially impacted resources, see [Remediating detected GuardDuty security findings](guardduty_remediate.md).

## AttackSequence:EC2/CompromisedInstanceGroup


### A sequence of suspicious actions indicating potentially compromised Amazon EC2 instances.

+ Default severity: Critical
+ Data sources:
  + [Runtime Monitoring for Amazon EC2](https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-ec2.html)
  + [Malware detection for Amazon EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html)
  + [VPC Flow Logs](guardduty_data-sources.md#guardduty_vpc)
  + [Route53 Resolver DNS query logs](guardduty_data-sources.md#guardduty_dns)

This finding indicates that GuardDuty detected a sequence of suspicious actions suggesting potential compromise across a group of Amazon EC2 instances in your environment. Instance groups typically represent applications managed through infrastructure as code, sharing similar configuration such as an Auto Scaling group, IAM instance profile role, AWS CloudFormation stack, Amazon EC2 launch template, AMI, or VPC ID. GuardDuty observed multiple suspicious behaviors across one or more instances, including:
+ Malicious processes
+ Malicious files
+ Suspicious network connections
+ Cryptocurrency mining activities
+ Suspicious usage of Amazon EC2 instance credentials

**Detection Method**: GuardDuty employs proprietary correlation algorithms to identify suspicious action sequences within Amazon EC2 instances. By evaluating findings across protection plans and various signal sources, GuardDuty identifies attack patterns using multiple factors such as IP and domain reputation and suspicious running processes.

**Remediation actions**: If this behavior is unexpected in your environment, your Amazon EC2 instances may be compromised. The compromise could involve:
+ Multiple processes
+ Instance credentials that may have been used to modify Amazon EC2 instances or other AWS resources

For threat containment recommendations, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md). Note that the compromise may extend to one or more Amazon EC2 instances and involve compromised processes or instance credentials that could have been used to create or modify Amazon EC2 instances or other AWS resources. For comprehensive remediation guidance covering potentially impacted resources, see [Remediating detected GuardDuty security findings](guardduty_remediate.md).

## AttackSequence:IAM/CompromisedCredentials


### A sequence of API requests that were invoked by using potentially compromised AWS credentials.

+ Default severity: Critical
+ Data source: [AWS CloudTrail management events](guardduty_data-sources.md#guardduty_controlplane)

This finding informs you that GuardDuty detected a sequence of suspicious actions made by using AWS credentials that impacts one or more resources in your environment. Multiple suspicious and anomalous attack behaviors were observed by the same credentials, resulting in higher confidence that the credentials are being misused.

GuardDuty uses its proprietary correlation algorithms to observe and identify the sequence of actions performed by using the IAM credential. GuardDuty evaluates findings across protection plans and other signal sources to identify common and emerging attack patterns. GuardDuty uses multiple factors to surface threats, such as IP reputation, API sequences, user configuration, and potentially impacted resources.

**Remediation actions**: If this behavior is unexpected in your environment, then your AWS credentials may have been compromised. For steps to remediate, see [Remediating potentially compromised AWS credentials](compromised-creds.md). The compromised credentials may have been used to create or modify additional resources, such as Amazon S3 buckets, AWS Lambda functions, or Amazon EC2 instances, in your environment. For steps to remediate other resources that may have been potentially impacted, see [Remediating detected GuardDuty security findings](guardduty_remediate.md).

## AttackSequence:S3/CompromisedData


### A sequence of API requests was invoked in a potential attempt to exfiltrate or destroy data in Amazon S3.

+ Default severity: Critical
+ Data sources: [AWS CloudTrail data events for S3](s3-protection.md#guardduty_s3dataplane) and [AWS CloudTrail management events](guardduty_data-sources.md#guardduty_controlplane)

This finding informs you that GuardDuty detected a sequence of suspicious actions indicative of data compromise in one or more Amazon Simple Storage Service (Amazon S3) buckets, performed by using potentially compromised AWS credentials. Multiple suspicious and anomalous attack behaviors (API requests) were observed, resulting in higher confidence that the credentials are being misused.

GuardDuty uses its correlation algorithms to observe and identify the sequence of actions performed by using the IAM credential. GuardDuty then evaluates findings across protection plans and other signal sources to identify common and emerging attack patterns. GuardDuty uses multiple factors to surface threats, such as IP reputation, API sequences, user configuration, and potentially impacted resources.

**Remediation actions**: If this activity is unexpected in your environment, your AWS credentials may have been compromised, and your Amazon S3 data may have been exfiltrated or destroyed. For steps to remediate, see [Remediating potentially compromised AWS credentials](compromised-creds.md) and [Remediating a potentially compromised S3 bucket](compromised-s3.md).

# GuardDuty S3 Protection finding types

The following findings are specific to Amazon S3 resources and will have a **Resource Type** of `S3Bucket` if the data source is **CloudTrail data events for S3**, or `AccessKey` if the data source is **CloudTrail management events**. The severity and details of the findings will differ based on the finding type and the permission associated with the bucket.

The findings listed here include the data sources and models used to generate that finding type. For more information about data sources and models, see [GuardDuty foundational data sources](guardduty_data-sources.md).

**Important**  
Findings with a data source of **CloudTrail data events for S3** are only generated if you have enabled S3 Protection. By default, after July 31, 2020, S3 Protection is enabled when an account enables GuardDuty for the first time, or when a delegated GuardDuty administrator account enables GuardDuty in an existing member account. However, when a new member joins the GuardDuty organization, the organization's auto-enable preferences will apply. For information about auto-enable preferences, see [Setting organization auto-enable preferences](set-guardduty-auto-enable-preferences.md). For information about how to enable S3 Protection, see [GuardDuty S3 Protection](s3-protection.md).

For all `S3Bucket` type findings, it is recommended that you examine the permissions on the bucket in question and the permissions of any users involved in the finding. If the activity is unexpected, see the remediation recommendations detailed in [Remediating a potentially compromised S3 bucket](compromised-s3.md).

**Topics**
+ [Discovery:S3/AnomalousBehavior](#discovery-s3-anomalousbehavior)
+ [Discovery:S3/MaliciousIPCaller](#discovery-s3-maliciousipcaller)
+ [Discovery:S3/MaliciousIPCaller.Custom](#discovery-s3-maliciousipcallercustom)
+ [Discovery:S3/TorIPCaller](#discovery-s3-toripcaller)
+ [Exfiltration:S3/AnomalousBehavior](#exfiltration-s3-anomalousbehavior)
+ [Exfiltration:S3/MaliciousIPCaller](#exfiltration-s3-maliciousipcaller)
+ [Impact:S3/AnomalousBehavior.Delete](#impact-s3-anomalousbehavior-delete)
+ [Impact:S3/AnomalousBehavior.Permission](#impact-s3-anomalousbehavior-permission)
+ [Impact:S3/AnomalousBehavior.Write](#impact-s3-anomalousbehavior-write)
+ [Impact:S3/MaliciousIPCaller](#impact-s3-maliciousipcaller)
+ [PenTest:S3/KaliLinux](#pentest-s3-kalilinux)
+ [PenTest:S3/ParrotLinux](#pentest-s3-parrotlinux)
+ [PenTest:S3/PentooLinux](#pentest-s3-pentoolinux)
+ [Policy:S3/AccountBlockPublicAccessDisabled](#policy-s3-accountblockpublicaccessdisabled)
+ [Policy:S3/BucketAnonymousAccessGranted](#policy-s3-bucketanonymousaccessgranted)
+ [Policy:S3/BucketBlockPublicAccessDisabled](#policy-s3-bucketblockpublicaccessdisabled)
+ [Policy:S3/BucketPublicAccessGranted](#policy-s3-bucketpublicaccessgranted)
+ [Stealth:S3/ServerAccessLoggingDisabled](#stealth-s3-serveraccessloggingdisabled)
+ [UnauthorizedAccess:S3/MaliciousIPCaller.Custom](#unauthorizedaccess-s3-maliciousipcallercustom)
+ [UnauthorizedAccess:S3/TorIPCaller](#unauthorizedaccess-s3-toripcaller)

## Discovery:S3/AnomalousBehavior


### An API commonly used to discover S3 objects was invoked in an anomalous way.


+ Default severity: Low
+ Data source: CloudTrail data events for S3

This finding informs you that an IAM entity has invoked an S3 API to discover S3 buckets in your environment, such as `ListObjects`. This type of activity is associated with the discovery stage of an attack wherein an attacker gathers information to determine if your AWS environment is susceptible to a broader attack. This activity is suspicious because the IAM entity invoked the API in an unusual way. For example, an IAM entity with no previous history invokes an S3 API, or an IAM entity invokes an S3 API from an unusual location. 

This API was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see [Finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Discovery:S3/MaliciousIPCaller


### An S3 API commonly used to discover resources in an AWS environment was invoked from a known malicious IP address.


+ Default severity: High
+ Data source: CloudTrail data events for S3

This finding informs you that an S3 API operation was invoked from an IP address that is associated with known malicious activity. The observed API is commonly associated with the discovery stage of an attack when an adversary is gathering information about your AWS environment. Examples include `GetObjectAcl` and `ListObjects`.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Discovery:S3/MaliciousIPCaller.Custom


### An S3 API was invoked from an IP address on a custom threat list.


+ Default severity: High
+ Data source: CloudTrail data events for S3

This finding informs you that an S3 API, such as `GetObjectAcl` or `ListObjects`, was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the **Additional information** section of a finding's details. This type of activity is associated with the discovery stage of an attack wherein an attacker is gathering information to determine if your AWS environment is susceptible to a broader attack.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Discovery:S3/TorIPCaller


### An S3 API was invoked from a Tor exit node IP address.


+ Default severity: Medium
+ Data source: CloudTrail data events for S3

This finding informs you that an S3 API, such as `GetObjectAcl` or `ListObjects`, was invoked from a Tor exit node IP address. This type of activity is associated with the discovery stage of an attack wherein an attacker is gathering information to determine if your AWS environment is susceptible to a broader attack. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Exfiltration:S3/AnomalousBehavior


### An IAM entity invoked an S3 API in a suspicious way.


+ Default severity: High
+ Data source: CloudTrail data events for S3

This finding informs you that an IAM entity is making API calls that involve an S3 bucket and this activity differs from that entity's established baseline. The API call used in this activity is associated with the exfiltration stage of an attack, wherein an attacker attempts to collect data. This activity is suspicious because the IAM entity invoked the API in an unusual way. For example, an IAM entity with no previous history invokes an S3 API, or an IAM entity invokes an S3 API from an unusual location. 

This API was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see [Finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Exfiltration:S3/MaliciousIPCaller


### An S3 API commonly used to collect data from an AWS environment was invoked from a known malicious IP address.


+ Default severity: High
+ Data source: CloudTrail data events for S3

This finding informs you that an S3 API operation was invoked from an IP address that is associated with known malicious activity. The observed API is commonly associated with exfiltration tactics where an adversary is trying to collect data from your network. Examples include `GetObject` and `CopyObject`.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Impact:S3/AnomalousBehavior.Delete


### An IAM entity invoked an S3 API that attempts to delete data in a suspicious way.


+ Default severity: High
+ Data source: CloudTrail data events for S3

This finding informs you that an IAM entity in your AWS environment is making API calls that involve an S3 bucket, and this behavior differs from that entity's established baseline. The API call used in this activity is associated with an attack that attempts to delete data. This activity is suspicious because the IAM entity invoked the API in an unusual way. For example, an IAM entity with no previous history invokes an S3 API, or an IAM entity invokes an S3 API from an unusual location.

This API was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see [Finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

We recommend an audit of your S3 bucket's contents to determine whether the previous object version can or should be restored.

## Impact:S3/AnomalousBehavior.Permission


### An API commonly used to set the access control list (ACL) permissions was invoked in an anomalous way.


+ Default severity: High
+ Data source: CloudTrail data events for S3

This finding informs you that an IAM entity in your AWS environment has updated a bucket policy or ACL on the listed S3 buckets. This change may publicly expose your S3 buckets to all the authenticated AWS users.

This API was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see [Finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

We recommend an audit of your S3 bucket's contents to ensure that no objects were unexpectedly allowed to be accessed publicly.

## Impact:S3/AnomalousBehavior.Write


### An IAM entity invoked an S3 API that attempts to write data in a suspicious way.


+ Default severity: Medium
+ Data source: CloudTrail data events for S3

This finding informs you that an IAM entity in your AWS environment is making API calls that involve an S3 bucket, and this behavior differs from that entity's established baseline. The API call used in this activity is associated with an attack that attempts to write data. This activity is suspicious because the IAM entity invoked the API in an unusual way. For example, an IAM entity with no previous history invokes an S3 API, or an IAM entity invokes an S3 API from an unusual location.

This API was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see [Finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

We recommend an audit of your S3 bucket's contents to ensure that this API call didn't write malicious or unauthorized data.

## Impact:S3/MaliciousIPCaller


### An S3 API commonly used to tamper with data or processes in an AWS environment was invoked from a known malicious IP address.


+ Default severity: High
+ Data source: CloudTrail data events for S3

This finding informs you that an S3 API operation was invoked from an IP address that is associated with known malicious activity. The observed API is commonly associated with impact tactics, where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment. Examples include `PutObject` and `PutObjectAcl`.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## PenTest:S3/KaliLinux


### An S3 API was invoked from a Kali Linux machine.


+ Default severity: Medium
+ Data source: CloudTrail data events for S3

This finding informs you that a machine running Kali Linux is making S3 API calls using credentials that belong to your AWS account. Your credentials might be compromised. Kali Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## PenTest:S3/ParrotLinux


### An S3 API was invoked from a Parrot Security Linux machine.


+ Default severity: Medium
+ Data source: CloudTrail data events for S3

This finding informs you that a machine running Parrot Security Linux is making S3 API calls using credentials that belong to your AWS account. Your credentials might be compromised. Parrot Security Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## PenTest:S3/PentooLinux


### An S3 API was invoked from a Pentoo Linux machine.


+ Default severity: Medium
+ Data source: CloudTrail data events for S3

This finding informs you that a machine running Pentoo Linux is making S3 API calls using credentials that belong to your AWS account. Your credentials might be compromised. Pentoo Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Policy:S3/AccountBlockPublicAccessDisabled


### An IAM entity invoked an API used to disable S3 Block Public Access on an account.


+ Default severity: Low
+ Data source: CloudTrail management events

This finding informs you that Amazon S3 Block Public Access was disabled at the account level. When S3 Block Public Access settings are enabled, they are used to filter the policies or access control lists (ACLs) on buckets as a security measure to prevent inadvertent public exposure of data. 

Typically, S3 Block Public Access is turned off in an account to allow public access to a bucket or to the objects in the bucket. When S3 Block Public Access is disabled for an account, access to your buckets is controlled by the policies, ACLs, or bucket-level Block Public Access settings applied to your individual buckets. This does not necessarily mean that the buckets are shared publicly, but that you should audit the permissions applied to the buckets to confirm that they provide the appropriate level of access.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Policy:S3/BucketAnonymousAccessGranted


### An IAM principal has granted access to an S3 bucket to the internet by changing bucket policies or ACLs.


+ Default severity: High
+ Data source: CloudTrail management events

This finding informs you that the listed S3 bucket has been made publicly accessible on the internet because an IAM entity has changed a bucket policy or ACL on that bucket. 

After a policy or ACL change is detected, GuardDuty uses automated reasoning powered by [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/) to determine if the bucket is publicly accessible.

**Note**  
If a bucket's ACLs or bucket policies are configured to explicitly deny or to deny all, this finding may not reflect the current state of the bucket. This finding will not reflect any [S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) settings that may have been enabled for your S3 bucket. In such cases, the `effectivePermission` value in the finding will be marked as `UNKNOWN`.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Policy:S3/BucketBlockPublicAccessDisabled


### An IAM entity invoked an API used to disable S3 Block Public Access on a bucket.


+ Default severity: Low
+ Data source: CloudTrail management events

This finding informs you that Block Public Access was disabled for the listed S3 bucket. When enabled, S3 Block Public Access settings are used to filter the policies or access control lists (ACLs) applied to buckets as a security measure to prevent inadvertent public exposure of data. 

Typically, S3 Block Public Access is turned off on a bucket to allow public access to the bucket or to the objects within. When S3 Block Public Access is disabled for a bucket, access to the bucket is controlled by the policies or ACLs applied to it. This does not mean that the bucket is shared publicly, but you should audit the policies and ACLs applied to the bucket to confirm that appropriate permissions are applied.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Policy:S3/BucketPublicAccessGranted


### An IAM principal has granted public access to an S3 bucket to all AWS users by changing bucket policies or ACLs.


+ Default severity: High
+ Data source: CloudTrail management events

This finding informs you that the listed S3 bucket has been publicly exposed to all authenticated AWS users because an IAM entity has changed a bucket policy or ACL on that S3 bucket. 

After a policy or ACL change is detected, GuardDuty uses automated reasoning powered by [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/) to determine if the bucket is publicly accessible.

**Note**  
If a bucket's ACLs or bucket policies are configured to explicitly deny or to deny all, this finding may not reflect the current state of the bucket. This finding will not reflect any [S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) settings that may have been enabled for your S3 bucket. In such cases, the `effectivePermission` value in the finding will be marked as `UNKNOWN`.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Stealth:S3/ServerAccessLoggingDisabled


### S3 server access logging was disabled for a bucket.


+ Default severity: Low
+ Data source: CloudTrail management events

This finding informs you that S3 server access logging is disabled for a bucket within your AWS environment. When it is disabled, no web request logs are created for attempts to access the identified S3 bucket; however, S3 management API calls to the bucket, such as [DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html), are still tracked. If S3 data event logging is enabled through CloudTrail for this bucket, web requests for objects within the bucket will still be tracked. Disabling logging is a technique used by unauthorized users in order to evade detection. To learn more about S3 logs, see [S3 Server Access Logging](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html) and [S3 Logging Options](https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html).

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).
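A detection run over CloudTrail management events for this finding, as an added example that is not GuardDuty's code: it flags successful `PutBucketLogging` calls whose `BucketLoggingStatus` carries no `LoggingEnabled` element (an assumption about the record layout), and the log records it scans are constructed.

```python
"""Flag CloudTrail management events that turn off S3 server access logging.

Added example for the Stealth:S3/ServerAccessLoggingDisabled finding; it is
not GuardDuty's detection logic. Assumes the CloudTrail record layout for
PutBucketLogging: logging is turned off when
requestParameters.BucketLoggingStatus carries no LoggingEnabled element
(the request body was an empty BucketLoggingStatus document).
"""
from __future__ import annotations
import json
from typing import Iterable


def disables_server_access_logging(event: dict) -> bool:
    """True for a successful PutBucketLogging whose status has no LoggingEnabled."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "PutBucketLogging":
        return False
    if event.get("errorCode"):  # a denied or failed call left the bucket unchanged
        return False
    params = event.get("requestParameters") or {}
    status = params.get("BucketLoggingStatus") or {}
    return "LoggingEnabled" not in status


def find_logging_disabled(records: Iterable[dict]) -> list[dict]:
    """Summarise who disabled logging on which bucket, from where, and when."""
    hits = []
    for ev in records:
        if not disables_server_access_logging(ev):
            continue
        ident = ev.get("userIdentity") or {}
        hits.append({
            "bucket": (ev.get("requestParameters") or {}).get("bucketName"),
            "principal": ident.get("arn") or ident.get("principalId"),
            "sourceIP": ev.get("sourceIPAddress"),
            "time": ev.get("eventTime"),
        })
    return hits


# Constructed CloudTrail log file (not real account data). The four records are:
# enable logging, disable logging, a denied disable attempt, and a DeleteBucket
# management call, which stays tracked even with server access logging off.
SAMPLE_LOG = r'''
{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketLogging", "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-data-bucket",
    "BucketLoggingStatus": {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "data/"}}}},
 {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketLogging", "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-data-bucket",
    "BucketLoggingStatus": {"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"}}},
 {"eventTime": "2024-05-01T11:31:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketLogging", "sourceIPAddress": "203.0.113.77",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-archive-bucket",
    "BucketLoggingStatus": {"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"}}},
 {"eventTime": "2024-05-01T11:40:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-data-bucket"}}
]}
'''


def scan_sample() -> list[dict]:
    """Run the detection over the constructed log file; exactly one record matches."""
    return find_logging_disabled(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```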

## UnauthorizedAccess:S3/MaliciousIPCaller.Custom


### An S3 API was invoked from an IP address on a custom threat list.


**Default severity: High**
+ **Data source:** CloudTrail data events for S3

This finding informs you that an S3 API operation, for example, `PutObject` or `PutObjectAcl`, was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the **Additional information** section of a finding's details.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## UnauthorizedAccess:S3/TorIPCaller


### An S3 API was invoked from a Tor exit node IP address.


**Default severity: High**
+ **Data source:** CloudTrail data events for S3

This finding informs you that an S3 API operation, such as `PutObject` or `PutObjectAcl`, was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This finding can indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

# EKS Protection finding types
EKS Protection finding types

The following findings are specific to Amazon EKS resources and have a **resource_type** of `EKSCluster`. The severity and details of the findings differ based on finding type.

For all EKS audit logs type findings we recommend that you examine the resource in question to determine if the activity is expected or potentially malicious. For guidance on remediating a compromised EKS audit logs resource identified by a GuardDuty finding, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

**Note**  
If the activity that generates these findings is expected, consider adding [Suppression rules in GuardDuty](findings_suppression-rule.md) to prevent future alerts.

**Topics**
+ [CredentialAccess:Kubernetes/MaliciousIPCaller](#credentialaccess-kubernetes-maliciousipcaller)
+ [CredentialAccess:Kubernetes/MaliciousIPCaller.Custom](#credentialaccess-kubernetes-maliciousipcallercustom)
+ [CredentialAccess:Kubernetes/SuccessfulAnonymousAccess](#credentialaccess-kubernetes-successfulanonymousaccess)
+ [CredentialAccess:Kubernetes/TorIPCaller](#credentialaccess-kubernetes-toripcaller)
+ [DefenseEvasion:Kubernetes/MaliciousIPCaller](#defenseevasion-kubernetes-maliciousipcaller)
+ [DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom](#defenseevasion-kubernetes-maliciousipcallercustom)
+ [DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess](#defenseevasion-kubernetes-successfulanonymousaccess)
+ [DefenseEvasion:Kubernetes/TorIPCaller](#defenseevasion-kubernetes-toripcaller)
+ [Discovery:Kubernetes/MaliciousIPCaller](#discovery-kubernetes-maliciousipcaller)
+ [Discovery:Kubernetes/MaliciousIPCaller.Custom](#discovery-kubernetes-maliciousipcallercustom)
+ [Discovery:Kubernetes/SuccessfulAnonymousAccess](#discovery-kubernetes-successfulanonymousaccess)
+ [Discovery:Kubernetes/TorIPCaller](#discovery-kubernetes-toripcaller)
+ [Execution:Kubernetes/ExecInKubeSystemPod](#execution-kubernetes-execinkubesystempod)
+ [Impact:Kubernetes/MaliciousIPCaller](#impact-kubernetes-maliciousipcaller)
+ [Impact:Kubernetes/MaliciousIPCaller.Custom](#impact-kubernetes-maliciousipcallercustom)
+ [Impact:Kubernetes/SuccessfulAnonymousAccess](#impact-kubernetes-successfulanonymousaccess)
+ [Impact:Kubernetes/TorIPCaller](#impact-kubernetes-toripcaller)
+ [Persistence:Kubernetes/ContainerWithSensitiveMount](#persistence-kubernetes-containerwithsensitivemount)
+ [Persistence:Kubernetes/MaliciousIPCaller](#persistence-kubernetes-maliciousipcaller)
+ [Persistence:Kubernetes/MaliciousIPCaller.Custom](#persistence-kubernetes-maliciousipcallercustom)
+ [Persistence:Kubernetes/SuccessfulAnonymousAccess](#persistence-kubernetes-successfulanonymousaccess)
+ [Persistence:Kubernetes/TorIPCaller](#persistence-kubernetes-toripcaller)
+ [Policy:Kubernetes/AdminAccessToDefaultServiceAccount](#policy-kubernetes-adminaccesstodefaultserviceaccount)
+ [Policy:Kubernetes/AnonymousAccessGranted](#policy-kubernetes-anonymousaccessgranted)
+ [Policy:Kubernetes/ExposedDashboard](#policy-kubernetes-exposeddashboard)
+ [Policy:Kubernetes/KubeflowDashboardExposed](#policy-kubernetes-kubeflowdashboardexposed)
+ [PrivilegeEscalation:Kubernetes/PrivilegedContainer](#privilegeescalation-kubernetes-privilegedcontainer)
+ [CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed](#credaccess-kubernetes-anomalousbehavior-secretsaccessed)
+ [PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated](#privesc-kubernetes-anomalousbehavior-rolebindingcreated)
+ [Execution:Kubernetes/AnomalousBehavior.ExecInPod](#execution-kubernetes-anomalousbehvaior-execinprod)
+ [PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer](#privesc-kubernetes-anomalousbehavior-workloaddeployed-privcontainer)
+ [Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount](#privesc-kubernetes-anomalousbehavior-workloaddeployed-containerwithsensitivemount)
+ [Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed](#exec-kubernetes-anomalousbehavior-workloaddeployed)
+ [PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated](#privesc-kubernetes-anomalousbehavior-rolecreated)
+ [Discovery:Kubernetes/AnomalousBehavior.PermissionChecked](#discovery-kubernetes-anomalousbehavrior-permissionchecked)

**Note**  
Before Kubernetes version 1.14, the `system:unauthenticated` group was associated to `system:discovery` and `system:basic-user` **ClusterRoles** by default. This association may allow unintended access from anonymous users. Cluster updates do not revoke these permissions. Even if you updated your cluster to version 1.14 or higher, these permissions may still be enabled. We recommend that you disassociate these permissions from the `system:unauthenticated` group. For guidance on revoking these permissions, see [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*.

## CredentialAccess:Kubernetes/MaliciousIPCaller


### An API commonly used to access credentials or secrets in a Kubernetes cluster was invoked from a known malicious IP address.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is associated with known malicious activity. The API observed is commonly associated with the credential access tactics where an adversary is attempting to collect passwords, usernames, and access keys for your Kubernetes cluster. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## CredentialAccess:Kubernetes/MaliciousIPCaller.Custom


### An API commonly used to access credentials or secrets in a Kubernetes cluster was invoked from an IP address on a custom threat list.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the **Additional Information** section of a finding's details. The API observed is commonly associated with the credential access tactics where an adversary is attempting to collect passwords, usernames, and access keys for your Kubernetes cluster. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious, revoke the user's access and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## CredentialAccess:Kubernetes/SuccessfulAnonymousAccess


### An API commonly used to access credentials or secrets in a Kubernetes cluster was invoked by an unauthenticated user.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was successfully invoked by the `system:anonymous` user. API calls made by `system:anonymous` are unauthenticated. The observed API is commonly associated with the credential access tactics where an adversary is attempting to collect passwords, usernames, and access keys for your Kubernetes cluster. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised. 

**Remediation recommendations:**

You should examine the permissions that have been granted to the `system:anonymous` user on your cluster and ensure that all the permissions are needed. If the permissions were granted mistakenly or maliciously, you should revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*.

For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).
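An added audit, not EKS or GuardDuty code, that serves both the note on pre-1.14 ClusterRole defaults above and the `system:anonymous` permission review this finding (and the other SuccessfulAnonymousAccess findings) calls for: it lists every ClusterRoleBinding or RoleBinding whose subjects include `system:unauthenticated` or `system:anonymous`. Treating `system:public-info-viewer` as the one expected anonymous binding is an assumption, and the bindings it inspects are constructed.

```python
"""List RBAC bindings that grant rights to unauthenticated callers.

Added example for the note on pre-1.14 defaults and for the
SuccessfulAnonymousAccess findings; it is not GuardDuty or EKS code. Input is
the item list produced by
`kubectl get clusterrolebindings,rolebindings -A -o json`; the bindings
below are constructed. Treating system:public-info-viewer (which only exposes
the health and version endpoints) as the one expected binding is an assumption.
"""
from __future__ import annotations

# Subjects that stand for callers presenting no credentials at all.
ANONYMOUS_SUBJECTS = {("Group", "system:unauthenticated"), ("User", "system:anonymous")}
# Assumption: the only ClusterRole Kubernetes binds to anonymous callers on purpose.
EXPECTED_ANONYMOUS_ROLES = {"system:public-info-viewer"}


def anonymous_grants(bindings: list[dict]) -> list[dict]:
    """Return every (binding, role) pair whose subjects include an anonymous principal."""
    hits = []
    for b in bindings:
        for s in b.get("subjects") or []:
            if (s.get("kind"), s.get("name")) not in ANONYMOUS_SUBJECTS:
                continue
            role = b["roleRef"]["name"]
            hits.append({
                "kind": b["kind"],
                "binding": b["metadata"]["name"],
                "namespace": b["metadata"].get("namespace"),  # None for a ClusterRoleBinding
                "role": f'{b["roleRef"]["kind"]}/{role}',
                "subject": f'{s["kind"]}/{s["name"]}',
                "expected": b["kind"] == "ClusterRoleBinding" and role in EXPECTED_ANONYMOUS_ROLES,
            })
    return hits


def unexpected_grants(bindings: list[dict]) -> list[dict]:
    """The grants to review and, per the EKS best practices guide, remove the anonymous subject from."""
    return [h for h in anonymous_grants(bindings) if not h["expected"]]


def _binding(kind, name, role_kind, role, subjects, namespace=None) -> dict:
    """Build a binding object in the rbac.authorization.k8s.io/v1 shape (constructed data)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {
        "kind": kind, "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": meta,
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": k, "name": n} for k, n in subjects],
    }


# Constructed bindings: one expected anonymous grant, the pre-1.14 default the
# page warns about (it survives cluster upgrades), a binding with no anonymous
# subject, and a namespaced grant to system:anonymous nobody should expect.
SAMPLE_BINDINGS = [
    _binding("ClusterRoleBinding", "system:public-info-viewer", "ClusterRole", "system:public-info-viewer",
             [("Group", "system:authenticated"), ("Group", "system:unauthenticated")]),
    _binding("ClusterRoleBinding", "system:discovery", "ClusterRole", "system:discovery",
             [("Group", "system:authenticated"), ("Group", "system:unauthenticated")]),
    _binding("ClusterRoleBinding", "system:basic-user", "ClusterRole", "system:basic-user",
             [("Group", "system:authenticated")]),
    _binding("RoleBinding", "debug-anon", "Role", "secret-reader",
             [("User", "system:anonymous")], namespace="dev"),
]


if __name__ == "__main__":
    for hit in unexpected_grants(SAMPLE_BINDINGS):
        print(hit)
```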

## CredentialAccess:Kubernetes/TorIPCaller


### An API commonly used to access credentials or secrets in a Kubernetes cluster was invoked from a Tor exit node IP address.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API was invoked from a Tor exit node IP address. The API observed is commonly associated with the credential access tactics where an adversary is attempting to collect passwords, usernames, and access keys for your Kubernetes cluster. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your Kubernetes cluster resources with the intent of hiding the attacker's true identity. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## DefenseEvasion:Kubernetes/MaliciousIPCaller


### An API commonly used to evade defensive measures was invoked from a known malicious IP address.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is associated with known malicious activity. The API observed is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom


### An API commonly used to evade defensive measures was invoked from an IP address on a custom threat list.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the **Additional Information** section of a finding's details. The API observed is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess


### An API commonly used to evade defensive measures was invoked by an unauthenticated user.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was successfully invoked by the `system:anonymous` user. API calls made by `system:anonymous` are unauthenticated. The observed API is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised. 

**Remediation recommendations:**

You should examine the permissions that have been granted to the `system:anonymous` user on your cluster and ensure that all the permissions are needed. If the permissions were granted mistakenly or maliciously, you should revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*.

For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## DefenseEvasion:Kubernetes/TorIPCaller


### An API commonly used to evade defensive measures was invoked from a Tor exit node IP address.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API was invoked from a Tor exit node IP address. The API observed is commonly associated with defense evasion tactics where an adversary is trying to hide their actions to avoid detection. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your Kubernetes cluster with the intent of hiding the adversary's true identity. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Discovery:Kubernetes/MaliciousIPCaller


### An API commonly used to discover resources in a Kubernetes cluster was invoked from a known malicious IP address.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is associated with known malicious activity. The observed API is commonly used with the discovery stage of an attack wherein an attacker is gathering information to determine if your Kubernetes cluster is susceptible to a broader attack. 

**For unauthenticated access**  
MaliciousIPCaller findings are not generated for unauthenticated access.   
SuccessfulAnonymousAccess findings are generated for unauthenticated or anonymous access.

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Discovery:Kubernetes/MaliciousIPCaller.Custom


### An API commonly used to discover resources in a Kubernetes cluster was invoked from an IP address on a custom threat list.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that an API was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the **Additional Information** section of a finding's details. The observed API is commonly used with the discovery stage of an attack wherein an attacker is gathering information to determine if your Kubernetes cluster is susceptible to a broader attack. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Discovery:Kubernetes/SuccessfulAnonymousAccess


### An API commonly used to discover resources in a Kubernetes cluster was invoked by an unauthenticated user.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was successfully invoked by the `system:anonymous` user. API calls made by `system:anonymous` are unauthenticated. The observed API is commonly associated with the discovery stage of an attack when an adversary is gathering information on your Kubernetes cluster. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised. 

This finding type excludes the health check API endpoints such as `/healthz`, `/livez`, `/readyz`, and `/version`.

**Remediation recommendations:**

You should examine the permissions that have been granted to the `system:anonymous` user on your cluster and ensure that all the permissions are needed. If the permissions were granted mistakenly or maliciously, you should revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. 

For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Discovery:Kubernetes/TorIPCaller


### An API commonly used to discover resources in a Kubernetes cluster was invoked from a Tor exit node IP address.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that an API was invoked from a Tor exit node IP address. The observed API is commonly used with the discovery stage of an attack wherein an attacker is gathering information to determine if your Kubernetes cluster is susceptible to a broader attack. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your Kubernetes cluster with the intent of hiding the adversary's true identity. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious, revoke the user's access and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Execution:Kubernetes/ExecInKubeSystemPod


### A command was executed inside a pod within the `kube-system` namespace


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that a command was executed in a pod within the `kube-system` namespace using the Kubernetes exec API. The `kube-system` namespace is a default namespace, used primarily for system-level components such as `kube-dns` and `kube-proxy`. Executing commands inside pods or containers in the `kube-system` namespace is very uncommon and may indicate suspicious activity.

**Remediation recommendations:**

If the execution of this command is unexpected, the credentials of the user identity used to execute the command may be compromised. Revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).
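Added example, not GuardDuty's implementation: two of the checks described in the sections above replayed over constructed Kubernetes audit log lines, flagging successful `system:anonymous` calls (health check endpoints excluded, as the Discovery:Kubernetes/SuccessfulAnonymousAccess finding states) and exec requests against pods in `kube-system`. GuardDuty's tactic classification of the invoked API is not reproduced.

```python
"""Replay Kubernetes audit log lines against two checks GuardDuty applies to
EKS audit logs: a successful API call by system:anonymous (health check
endpoints excluded, as the page states) and an exec into a kube-system pod.

Added example, not GuardDuty's implementation. The events below are
constructed in the audit.k8s.io/v1 Event shape; how GuardDuty assigns a
tactic (Discovery, Impact, ...) to the invoked API is not reproduced here.
"""
from __future__ import annotations
import json
from typing import Iterable
from urllib.parse import urlsplit

# Endpoints the Discovery SuccessfulAnonymousAccess finding excludes.
HEALTH_CHECK_ENDPOINTS = ("/healthz", "/livez", "/readyz", "/version")


def is_health_check(request_uri: str) -> bool:
    """True for /healthz, /livez, /readyz, /version and their sub-paths, query string ignored."""
    path = urlsplit(request_uri).path.rstrip("/") or "/"
    return any(path == ep or path.startswith(ep + "/") for ep in HEALTH_CHECK_ENDPOINTS)


def _completed_ok(ev: dict) -> bool:
    """Only the ResponseComplete stage carries the response code; 4xx/5xx calls did not succeed."""
    code = (ev.get("responseStatus") or {}).get("code", 0)
    return ev.get("stage") == "ResponseComplete" and 0 < code < 400


def successful_anonymous_access(ev: dict) -> bool:
    return (_completed_ok(ev)
            and (ev.get("user") or {}).get("username") == "system:anonymous"
            and not is_health_check(ev.get("requestURI", "")))


def exec_in_kube_system(ev: dict) -> bool:
    # An exec is a POST (verb "create") on the pods/exec subresource; the upgrade answers 101.
    ref = ev.get("objectRef") or {}
    return (_completed_ok(ev) and ev.get("verb") == "create"
            and ref.get("resource") == "pods" and ref.get("subresource") == "exec"
            and ref.get("namespace") == "kube-system")


CHECKS = (("SuccessfulAnonymousAccess", successful_anonymous_access),
          ("ExecInKubeSystemPod", exec_in_kube_system))


def scan_audit_log(lines: Iterable[str]) -> list[dict]:
    """Run every check over JSON-lines audit events and summarise each match."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for label, check in CHECKS:
            if check(ev):
                hits.append({"check": label,
                             "user": (ev.get("user") or {}).get("username"),
                             "sourceIP": (ev.get("sourceIPs") or [None])[0],
                             "verb": ev.get("verb"),
                             "requestURI": ev.get("requestURI"),
                             "pod": (ev.get("objectRef") or {}).get("name")})
    return hits


def _event(**fields) -> str:
    """One constructed audit event as a JSON line; fields override the defaults."""
    base = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete"}
    base.update(fields)
    return json.dumps(base)


ANON = {"username": "system:anonymous", "groups": ["system:unauthenticated"]}
ADMIN = {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]}

# Constructed audit lines: only the second (anonymous secrets list) and the
# fourth (exec in kube-system) should be flagged.
SAMPLE_AUDIT_LINES = [
    _event(verb="get", requestURI="/healthz", user=ANON, sourceIPs=["203.0.113.5"],
           responseStatus={"code": 200}),
    _event(verb="list", requestURI="/api/v1/namespaces/default/secrets?limit=500", user=ANON,
           sourceIPs=["203.0.113.5"], objectRef={"resource": "secrets", "namespace": "default"},
           responseStatus={"code": 200}),
    _event(verb="list", requestURI="/api/v1/pods", user=ANON, sourceIPs=["203.0.113.5"],
           objectRef={"resource": "pods"}, responseStatus={"code": 403}),
    _event(verb="create", requestURI="/api/v1/namespaces/kube-system/pods/kube-proxy-x7k2q/exec?command=ls",
           user=ADMIN, sourceIPs=["198.51.100.20"], responseStatus={"code": 101},
           objectRef={"resource": "pods", "subresource": "exec", "namespace": "kube-system",
                      "name": "kube-proxy-x7k2q"}),
    _event(verb="create", requestURI="/api/v1/namespaces/default/pods/web-0/exec?command=ls",
           user=ADMIN, sourceIPs=["198.51.100.20"], responseStatus={"code": 101},
           objectRef={"resource": "pods", "subresource": "exec", "namespace": "default", "name": "web-0"}),
    _event(stage="RequestReceived", verb="list", requestURI="/api/v1/namespaces/default/secrets",
           user=ANON, sourceIPs=["203.0.113.5"]),
]


if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(hit)
```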

## Impact:Kubernetes/MaliciousIPCaller


### An API commonly used to tamper with resources in a Kubernetes cluster was invoked from a known malicious IP address.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is associated with known malicious activity. The observed API is commonly associated with impact tactics where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Impact:Kubernetes/MaliciousIPCaller.Custom


### An API commonly used to tamper with resources in a Kubernetes cluster was invoked from an IP address on a custom threat list.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the **Additional Information** section of a finding's details. The observed API is commonly associated with impact tactics where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Impact:Kubernetes/SuccessfulAnonymousAccess


### An API commonly used to tamper with resources in a Kubernetes cluster was invoked by an unauthenticated user.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was successfully invoked by the `system:anonymous` user. API calls made by `system:anonymous` are unauthenticated. The observed API is commonly associated with the impact stage of an attack when an adversary is tampering with resources in your cluster. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised. 

**Remediation recommendations:**

You should examine the permissions that have been granted to the `system:anonymous` user on your cluster and ensure that all the permissions are needed. If the permissions were granted mistakenly or maliciously, you should revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*.

For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Impact:Kubernetes/TorIPCaller


### An API commonly used to tamper with resources in a Kubernetes cluster was invoked from a Tor exit node IP address.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API was invoked from a Tor exit node IP address. The API observed is commonly associated with impact tactics where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your Kubernetes cluster with the intent of hiding the adversary's true identity. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Persistence:Kubernetes/ContainerWithSensitiveMount


### A container was launched with a sensitive external host path mounted inside.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that a container was launched with a configuration that included a sensitive host path with write access in the `volumeMounts` section. This makes the sensitive host path accessible and writable from inside the container. This technique is commonly used by adversaries to gain access to the host's filesystem. 

**Remediation recommendations:**

If this container launch is unexpected, the credentials of the user identity used to launch the container may be compromised. Revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md). 

If this container launch is expected, it's recommended that you use a suppression rule consisting of filter criteria based on the `resource.KubernetesDetails.KubernetesWorkloadDetails.containers.imagePrefix` field. In the filter criteria, the `imagePrefix` field should be the same as the `imagePrefix` specified in the finding. To learn more about creating suppression rules, see [Suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule).

## Persistence:Kubernetes/MaliciousIPCaller


### An API commonly used to obtain persistent access to a Kubernetes cluster was invoked from a known malicious IP address.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is associated with known malicious activity. The API observed is commonly associated with persistence tactics where an adversary has gained access to your Kubernetes cluster and is attempting to maintain that access. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious, revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Persistence:Kubernetes/MaliciousIPCaller.Custom


### An API commonly used to obtain persistent access to a Kubernetes cluster was invoked from an IP address on a custom threat list.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was invoked from an IP address that is included on a threat list that you uploaded. The threat list associated with this finding is listed in the **Additional Information** section of a finding's details. The API observed is commonly associated with persistence tactics where an adversary has gained access to your Kubernetes cluster and is attempting to maintain that access. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious, revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Persistence:Kubernetes/SuccessfulAnonymousAccess


### An API commonly used to obtain high-level permissions to a Kubernetes cluster was invoked by an unauthenticated user.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that an API operation was successfully invoked by the `system:anonymous` user. API calls made by `system:anonymous` are unauthenticated. The observed API is commonly associated with persistence tactics where an adversary has gained access to your cluster and is attempting to maintain that access. This activity indicates that anonymous or unauthenticated access is permitted on the API action reported in the finding and may be permitted on other actions. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised.

**Remediation recommendations:**

You should examine the permissions that have been granted to the `system:anonymous` user on your cluster and ensure that all the permissions are needed. If the permissions were granted mistakenly or maliciously, you should revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. 

For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Persistence:Kubernetes/TorIPCaller


### An API commonly used to obtain persistent access to a Kubernetes cluster was invoked from a Tor exit node IP address.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that an API was invoked from a Tor exit node IP address. The API observed is commonly associated with persistence tactics where an adversary has gained access to your Kubernetes cluster and is attempting to maintain that access. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity. 

**Remediation recommendations:**

If the user reported in the finding under the `KubernetesUserDetails` section is `system:anonymous`, investigate why the anonymous user was permitted to invoke the API and revoke the permissions, if needed, by following the instructions in [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the user is an authenticated user, investigate to determine if the activity was legitimate or malicious. If the activity was malicious, revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Policy:Kubernetes/AdminAccessToDefaultServiceAccount


### The default service account was granted admin privileges on a Kubernetes cluster.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that the default service account for a namespace in your Kubernetes cluster was granted admin privileges. Kubernetes creates a default service account for every namespace in the cluster and automatically assigns it as the identity of any pod that has not been explicitly associated with another service account. If the default service account has admin privileges, pods may be unintentionally launched with admin privileges. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised.

**Remediation recommendations:**

You should not use the default service account to grant permissions to pods. Instead, create a dedicated service account for each workload and grant that account only the permissions it needs. To fix this issue, create dedicated service accounts for all your pods and workloads, update the pods and workloads to migrate from the default service account to their dedicated accounts, and then remove the admin permission from the default service account. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Policy:Kubernetes/AnonymousAccessGranted


### The `system:anonymous` user was granted API permission on a Kubernetes cluster.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that a user on your Kubernetes cluster successfully created a `ClusterRoleBinding` or `RoleBinding` to bind the user `system:anonymous` to a role. This enables unauthenticated access to the API operations permitted by the role. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised.

**Remediation recommendations:**

You should examine the permissions that have been granted to the `system:anonymous` user or `system:unauthenticated` group on your cluster and revoke unnecessary anonymous access. For more information, see [Security best practices for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) in the *Amazon EKS User Guide*. If the permissions were granted maliciously, you should revoke access of the user that granted the permissions and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Policy:Kubernetes/ExposedDashboard


### The dashboard for a Kubernetes cluster was exposed to the internet


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that the Kubernetes dashboard for your cluster was exposed to the internet by a Load Balancer service. An exposed dashboard makes the management interface of your cluster reachable from the internet and allows adversaries to exploit any authentication and access control gaps that may be present.

**Remediation recommendations:**

You should ensure that strong authentication and authorization are enforced on the Kubernetes Dashboard. You should also implement network access control to restrict access to the dashboard to specific IP addresses.

For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Policy:Kubernetes/KubeflowDashboardExposed


### The **Kubeflow** dashboard for a Kubernetes cluster was exposed to the Internet


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that the **Kubeflow** dashboard for your cluster was exposed to the Internet by a Load Balancer service. An exposed **Kubeflow** dashboard makes the management interface of your **Kubeflow** environment reachable from the Internet and allows adversaries to exploit any authentication and access control gaps that may be present.

**Remediation recommendations:**

You should ensure that strong authentication and authorization are enforced on the **Kubeflow** Dashboard. You should also implement network access control to restrict access to the dashboard to specific IP addresses.

For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## PrivilegeEscalation:Kubernetes/PrivilegedContainer


### A privileged container with root level access was launched on your Kubernetes cluster.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that a privileged container was launched on your Kubernetes cluster using an image that has never before been used to launch privileged containers in your cluster. A privileged container has root-level access to the host. Adversaries can launch privileged containers as a privilege escalation tactic to gain access to, and then compromise, the host.

**Remediation recommendations:**

If this container launch is unexpected, the credentials of the user identity used to launch the container may be compromised. Revoke access of the user and reverse any changes made by an adversary to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed


### A Kubernetes API commonly used to access secrets was invoked in an anomalous way.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that an anomalous API operation to retrieve sensitive cluster secrets was invoked by a Kubernetes user in your cluster. The observed API is commonly associated with credential access tactics that can lead to privilege escalation and further access within your cluster. If this behavior is not expected, it may indicate either a configuration mistake or that your AWS credentials are compromised.

The observed API was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all user API activity within your EKS cluster and identifies anomalous events that are associated with techniques used by unauthorized users. The ML model tracks multiple factors of the API operation, such as the user making the request, the location the request was made from, the user agent used, and the namespace that the user operated in. The details of the API request that were found to be unusual are shown in the finding details panel in the GuardDuty console.

**Remediation recommendations:**

Examine the permissions granted to the Kubernetes user in your cluster and ensure that all these permissions are needed. If the permissions were granted mistakenly or maliciously, revoke user access and reverse any changes made by an unauthorized user to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md). 

If your AWS credentials are compromised, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated


### A RoleBinding or ClusterRoleBinding to an overly permissive role or sensitive namespace was created or modified in your Kubernetes cluster.


**Default severity: Medium** (see note)

**Note**  
This finding's default severity is Medium. However, if a RoleBinding or ClusterRoleBinding involves the ClusterRoles `admin` or `cluster-admin`, the severity is High.
+ **Feature:** EKS audit logs

This finding informs you that a user in your Kubernetes cluster created a `RoleBinding` or `ClusterRoleBinding` to bind a user to a role with admin permissions or in a sensitive namespace. If this behavior is not expected, it may indicate either a configuration mistake or that your AWS credentials are compromised.

The observed API was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all user API activity within your EKS cluster and identifies anomalous events that are associated with the techniques used by an unauthorized user. It tracks multiple factors of the API operation, such as the user making the request, the location the request was made from, the user agent used, and the namespace that the user operated in. The details of the API request that were found to be unusual are shown in the finding details panel in the GuardDuty console.

**Remediation recommendations:**

Examine the permissions granted to the Kubernetes user. These permissions are defined in the role and subjects involved in `RoleBinding` and `ClusterRoleBinding`. If the permissions were granted mistakenly or maliciously, revoke user access and reverse any changes made by an unauthorized user to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

If your AWS credentials are compromised, see [Remediating potentially compromised AWS credentials](compromised-creds.md).
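The three binding conditions described for `Policy:Kubernetes/AdminAccessToDefaultServiceAccount`, `Policy:Kubernetes/AnonymousAccessGranted` and the High-severity case of this finding can also be audited directly from a cluster's RBAC objects, either to confirm a finding or to catch such bindings before GuardDuty does. The following is an added example, not GuardDuty's detection logic or AWS code: it reads the JSON that `kubectl get rolebindings,clusterrolebindings -A -o json` produces, and the sample bindings are constructed.

```python
"""Audit RBAC bindings for the conditions behind
Policy:Kubernetes/AnonymousAccessGranted,
Policy:Kubernetes/AdminAccessToDefaultServiceAccount and the High-severity
case of PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated.
Added example, not GuardDuty/AWS code. Input: the List object produced by
`kubectl get rolebindings,clusterrolebindings -A -o json`, or one binding.
"""
import json

# ClusterRoles the page names as raising RoleBindingCreated to High severity.
ADMIN_CLUSTER_ROLES = {"admin", "cluster-admin"}


def binding_issues(binding: dict) -> list[dict]:
    """Return one issue per problem found in a single (Cluster)RoleBinding."""
    kind = binding.get("kind", "")
    meta = binding.get("metadata", {})
    name, ns = meta.get("name", ""), meta.get("namespace")
    role_ref = binding.get("roleRef", {})
    role_is_admin = (role_ref.get("kind") == "ClusterRole"
                     and role_ref.get("name") in ADMIN_CLUSTER_ROLES)
    where = (f"{kind}/{name}" + (f" (ns {ns})" if ns else "")
             + f" -> {role_ref.get('kind')}/{role_ref.get('name')}")
    subjects = binding.get("subjects") or []
    issues = []

    for subj in subjects:
        skind, sname = subj.get("kind"), subj.get("name")
        # Unauthenticated access: the anonymous user or its group bound to any role.
        if (skind, sname) in {("User", "system:anonymous"),
                              ("Group", "system:unauthenticated")}:
            issues.append({"finding": "Policy:Kubernetes/AnonymousAccessGranted",
                           "severity": "High", "binding": where, "subject": sname})
        # Namespace default service account given admin rights: every pod that
        # does not name its own service account inherits them.
        if skind == "ServiceAccount" and sname == "default" and role_is_admin:
            sa_ns = subj.get("namespace") or ns
            issues.append({"finding": "Policy:Kubernetes/AdminAccessToDefaultServiceAccount",
                           "severity": "High", "binding": where,
                           "subject": f"ServiceAccount {sa_ns}/default"})

    # Any binding to admin/cluster-admin is what makes RoleBindingCreated High;
    # list it so a reviewer can confirm that every such subject is intended.
    if role_is_admin:
        listed = ", ".join(f"{s.get('kind')} {s.get('name')}" for s in subjects)
        issues.append({"finding": "PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated",
                       "severity": "High", "binding": where, "subject": listed})
    return issues


def audit_bindings(doc) -> list[dict]:
    """Accept a kubectl List (or a single binding) as a dict or a JSON string."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    items = doc.get("items", [doc])
    return [issue for b in items for issue in binding_issues(b)]


# Constructed sample: one anonymous binding, one default-SA admin binding,
# and one harmless namespaced binding that must not be reported.
SAMPLE_BINDINGS = {"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-admin", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "payments"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-reader", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "payments"}]},
]}

if __name__ == "__main__":
    for issue in audit_bindings(SAMPLE_BINDINGS):
        print(f"[{issue['severity']}] {issue['finding']}: {issue['binding']} ({issue['subject']})")
```

Feed it real cluster output with `kubectl get rolebindings,clusterrolebindings -A -o json | python3 audit_bindings.py` after replacing the sample with `json.load(sys.stdin)`.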

## Execution:Kubernetes/AnomalousBehavior.ExecInPod


### A command was executed inside a pod in an anomalous way.


**Default severity: Medium**
+ **Feature:** EKS audit logs

This finding informs you that a command was executed in a pod using the Kubernetes exec API. The Kubernetes exec API allows running arbitrary commands in a pod. If this behavior is not expected for the user, namespace, or pod, it may indicate either a configuration mistake or that your AWS credentials are compromised.

The observed API was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all user API activity within your EKS cluster and identifies anomalous events that are associated with the techniques used by an unauthorized user. It tracks multiple factors of the API operation, such as the user making the request, the location the request was made from, the user agent used, and the namespace that the user operated in. The details of the API request that were found to be unusual are shown in the finding details panel in the GuardDuty console.

**Remediation recommendations:**

If the execution of this command is unexpected, the credentials of the user identity used to execute the command may have been compromised. Revoke user access and reverse any changes made by an unauthorized user to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

If your AWS credentials are compromised, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer


### A workload was launched with a privileged container in an anomalous way.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that a workload was launched with a privileged container in your Amazon EKS cluster. A privileged container has root level access to the host. Unauthorized users can launch privileged containers as a privilege escalation tactic to first gain access to the host and then compromise it.

The observed container creation or modification was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all user API and container image activity within your EKS cluster and identifies anomalous events that are associated with the techniques used by an unauthorized user. It tracks multiple factors of the API operation, such as the user making the request, the location the request was made from, the user agent used, container images observed in your account, and the namespace that the user operated in. The details of the API request that were found to be unusual are shown in the finding details panel in the GuardDuty console.

**Remediation recommendations:**

If this container launch is unexpected, the credentials of the user identity used to launch the container may have been compromised. Revoke user access and reverse any changes made by an unauthorized user to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

If your AWS credentials are compromised, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

If this container launch is expected, it is recommended that you use a suppression rule with a filter criteria based on the `resource.KubernetesDetails.KubernetesWorkloadDetails.containers.imagePrefix` field. In the filter criteria, the `imagePrefix` field must have the same value as the `imagePrefix` field specified in the finding. For more information, see [Suppression rules in GuardDuty](findings_suppression-rule.md).

## Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount


### A workload was deployed in an anomalous way, with a sensitive host path mounted inside the workload.


**Default severity: High**
+ **Feature:** EKS audit logs

This finding informs you that a workload was launched with a container that included a sensitive host path in the `volumeMounts` section. This potentially makes the sensitive host path accessible and writable from inside the container. This technique is commonly used by unauthorized users to gain access to the host's file system. 

The observed container creation or modification was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all user API and container image activity within your EKS cluster and identifies anomalous events that are associated with the techniques used by an unauthorized user. It tracks multiple factors of the API operation, such as the user making the request, the location the request was made from, the user agent used, container images observed in your account, and the namespace that the user operated in. The details of the API request that were found to be unusual are shown in the finding details panel in the GuardDuty console.

**Remediation recommendations:**

If this container launch is unexpected, the credentials of the user identity used to launch the container may have been compromised. Revoke user access and reverse any changes made by an unauthorized user to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

If your AWS credentials are compromised, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

If this container launch is expected, it is recommended that you use a suppression rule with a filter criteria based on the `resource.KubernetesDetails.KubernetesWorkloadDetails.containers.imagePrefix` field. In the filter criteria, the `imagePrefix` field must have the same value as the `imagePrefix` field specified in the finding. For more information, see [Suppression rules in GuardDuty](findings_suppression-rule.md).
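The two workload conditions behind this finding, `PrivilegeEscalation:Kubernetes/PrivilegedContainer`, `Persistence:Kubernetes/ContainerWithSensitiveMount` and their WorkloadDeployed variants (a container with `privileged: true`, and a sensitive host path mounted writable through `volumeMounts`) can be checked in a pod spec before it is admitted or when confirming a finding. The following added example is not GuardDuty's detection logic or AWS code; the list of sensitive host paths is an assumption of the example, and the pod spec is constructed.

```python
"""Check a pod spec for a privileged container and for sensitive hostPath
volumes mounted writable, the conditions behind
PrivilegeEscalation:Kubernetes/PrivilegedContainer and
Persistence:Kubernetes/ContainerWithSensitiveMount (and their
AnomalousBehavior.WorkloadDeployed variants). Added example, not AWS code.
"""
from pathlib import PurePosixPath

# Assumed list for this example; the page does not publish GuardDuty's own.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/root", "/home", "/var/log",
                        "/var/run/docker.sock", "/run/containerd", "/var/lib/kubelet")


def is_sensitive_host_path(path: str) -> bool:
    """True if `path` is one of the sensitive roots or lies beneath one."""
    p = PurePosixPath(path)
    if str(p) == "/":
        return True
    for root in SENSITIVE_HOST_PATHS:
        r = PurePosixPath(root)
        # "/" is the parent of everything, so it only matches exactly (above).
        if str(r) != "/" and (p == r or r in p.parents):
            return True
    return False


def pod_issues(pod: dict) -> list[dict]:
    """Return one issue per privileged container or writable sensitive mount."""
    spec = pod.get("spec", pod)                        # full Pod or bare PodSpec
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes") or [] if "hostPath" in v}
    issues = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        if (c.get("securityContext") or {}).get("privileged"):
            issues.append({"finding": "PrivilegeEscalation:Kubernetes/PrivilegedContainer",
                           "container": c["name"],
                           "detail": "securityContext.privileged=true"})
        for vm in c.get("volumeMounts") or []:
            host = host_paths.get(vm.get("name"))
            # Only writable mounts match the finding; read-only mounts are skipped.
            if host and is_sensitive_host_path(host) and not vm.get("readOnly", False):
                issues.append({"finding": "Persistence:Kubernetes/ContainerWithSensitiveMount",
                               "container": c["name"],
                               "detail": f"{host} mounted writable at {vm.get('mountPath')}"})
    return issues


# Constructed pod: the "agent" container is privileged and mounts the Docker
# socket writable; the "sidecar" mounts /etc/ssl/certs read-only (not flagged).
SAMPLE_POD = {"kind": "Pod", "metadata": {"name": "build-agent"}, "spec": {
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}},
                {"name": "certs", "hostPath": {"path": "/etc/ssl/certs"}},
                {"name": "scratch", "emptyDir": {}}],
    "containers": [
        {"name": "agent", "image": "registry.example/agent:1",
         "securityContext": {"privileged": True},
         "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"},
                          {"name": "scratch", "mountPath": "/tmp/work"}]},
        {"name": "sidecar", "image": "registry.example/sidecar:1",
         "volumeMounts": [{"name": "certs", "mountPath": "/etc/ssl/certs",
                           "readOnly": True}]},
    ]}}

if __name__ == "__main__":
    for issue in pod_issues(SAMPLE_POD):
        print(f"{issue['finding']}: container {issue['container']}: {issue['detail']}")
```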

## Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed


### A workload was launched in an anomalous way.


**Default severity: Low** (see note)

**Note**  
The default severity is Low. However, if the workload contains a potentially suspicious image name, such as a known pentest tool, or a container running a potentially suspicious command at launch, such as reverse shell commands, the severity of this finding is Medium.
+ **Feature:** EKS audit logs

This finding informs you that a Kubernetes workload was created or modified in an anomalous way within your Amazon EKS cluster, for example through unusual API activity, new container images, or a risky workload configuration. Unauthorized users can launch containers as a tactic to execute arbitrary code, first gaining access to the host and then compromising it.

The observed container creation or modification was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all user API and container image activity within your EKS cluster and identifies anomalous events that are associated with the techniques used by an unauthorized user. It tracks multiple factors of the API operation, such as the user making the request, the location the request was made from, the user agent used, container images observed in your account, and the namespace that the user operated in. The details of the API request that were found to be unusual are shown in the finding details panel in the GuardDuty console.

**Remediation recommendations:**

If this container launch is unexpected, the credentials of the user identity used to launch the container may have been compromised. Revoke user access and reverse any changes made by an unauthorized user to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

If your AWS credentials are compromised, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

If this container launch is expected, it is recommended that you use a suppression rule with a filter criteria based on the `resource.KubernetesDetails.KubernetesWorkloadDetails.containers.imagePrefix` field. In the filter criteria, the `imagePrefix` field must have the same value as the `imagePrefix` field specified in the finding. For more information, see [Suppression rules in GuardDuty](findings_suppression-rule.md).

## PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated


### A highly permissive Role or ClusterRole was created or modified in an anomalous way.


**Default severity: Low**
+ **Feature:** EKS audit logs

This finding informs you that an anomalous API operation to create a `Role` or `ClusterRole` with excessive permissions was called by a Kubernetes user in your Amazon EKS cluster. Actors can create roles with powerful permissions to avoid using the built-in admin-like roles and so avoid detection. The excessive permissions can lead to privilege escalation, remote code execution, and potentially control over a namespace or cluster. If this behavior is not expected, it may indicate either a configuration mistake or that your credentials are compromised.

The observed API was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all user API activity within your Amazon EKS cluster and identifies anomalous events that are associated with the techniques used by unauthorized users. It tracks multiple factors of the API operation, such as the user making the request, the location the request was made from, the user agent used, container images observed in your account, and the namespace that the user operated in. The details of the API request that were found to be unusual are shown in the finding details panel in the GuardDuty console.

**Remediation recommendations:**

Examine the permissions defined in `Role` or `ClusterRole` to ensure that all the permissions are needed and follow least privilege principles. If the permissions were granted mistakenly or maliciously, revoke user access and reverse any changes made by an unauthorized user to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

If your AWS credentials are compromised, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Discovery:Kubernetes/AnomalousBehavior.PermissionChecked


### A user checked their access permission in an anomalous way.


**Default severity: Low**
+ **Feature:** EKS audit logs

This finding informs you that a user in your Kubernetes cluster successfully checked whether known powerful permissions, ones that can lead to privilege escalation and remote code execution, are allowed for them. For example, a common command used to check a user's permissions is `kubectl auth can-i`. If this behavior is not expected, it may indicate either a configuration mistake or that your credentials have been compromised.

The observed API was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all user API activity within your Amazon EKS cluster and identifies anomalous events that are associated with the techniques used by unauthorized users. It tracks multiple factors of the API operation, such as the user making the request, the location the request was made from, the permission being checked, and the namespace that the user operated in. The details of the API request that were found to be unusual are shown in the finding details panel in the GuardDuty console.

**Remediation recommendations:**

Examine the permissions granted to the Kubernetes user to ensure that all the permissions are needed. If the permissions were granted mistakenly or maliciously, revoke user access and reverse any changes made by an unauthorized user to your cluster. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

If your AWS credentials are compromised, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

# GuardDuty Runtime Monitoring finding types

Amazon GuardDuty generates the following Runtime Monitoring findings to indicate potential threats based on the operating system-level behavior from Amazon EC2 hosts and containers in your Amazon EKS clusters, Fargate and Amazon ECS workloads, and Amazon EC2 instances.

**Note**  
Runtime Monitoring finding types are based on the runtime logs collected from hosts. The logs contain fields, such as file paths, that may be controlled by a malicious actor. These fields are also included in GuardDuty findings to provide runtime context. When processing Runtime Monitoring findings outside of the GuardDuty console, you must sanitize finding fields. For example, you can HTML encode finding fields when displaying them on a webpage.
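One way to apply the sanitization this note calls for, as an added example that is not AWS code: walk the finding recursively and HTML-encode every string before any of it reaches a page, rather than escaping only the fields you expect to be hostile. The finding below is constructed, and the `service.runtimeDetails.process` layout is assumed to match the finding JSON.

```python
"""HTML-encode Runtime Monitoring finding fields before rendering them on a
webpage. Added example, not AWS code. Runtime fields such as executable paths
are copied from the host and may be attacker-chosen, so the whole finding is
treated as untrusted input, not only the fields known to carry paths.
"""
import html
from typing import Any


def escape_finding(value: Any) -> Any:
    """Return a copy of `value` with every string HTML-escaped. quote=True also
    encodes quotes, so the result is safe inside attribute values, not only
    in element text. Keys are escaped as well, which costs nothing."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, dict):
        return {html.escape(str(k), quote=True): escape_finding(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [escape_finding(v) for v in value]
    return value                       # numbers, booleans and None carry no markup


def render_process_row(finding: dict) -> str:
    """Render finding type, process name and executable path as one HTML table
    row, reading only from the escaped copy so no raw field can slip through."""
    safe = escape_finding(finding)
    proc = safe.get("service", {}).get("runtimeDetails", {}).get("process", {})
    cells = (safe.get("type", ""), proc.get("name", ""), proc.get("executablePath", ""))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Constructed finding (layout assumed): the executable path carries markup that
# a host-side actor could have planted in a directory name.
SAMPLE_FINDING = {
    "type": "Execution:Runtime/NewBinaryExecuted",
    "service": {"runtimeDetails": {"process": {
        "name": "run.sh",
        "executablePath": "/tmp/<script>alert(1)</script>/run.sh",
        "pid": 4242}}},
}

if __name__ == "__main__":
    print(render_process_row(SAMPLE_FINDING))
```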

**Topics**
+ [CryptoCurrency:Runtime/BitcoinTool.B](#cryptocurrency-runtime-bitcointoolb)
+ [Backdoor:Runtime/C&CActivity.B](#backdoor-runtime-ccactivityb)
+ [UnauthorizedAccess:Runtime/TorRelay](#unauthorizedaccess-runtime-torrelay)
+ [UnauthorizedAccess:Runtime/TorClient](#unauthorizedaccess-runtime-torclient)
+ [Trojan:Runtime/BlackholeTraffic](#trojan-runtime-blackholetraffic)
+ [Trojan:Runtime/DropPoint](#trojan-runtime-droppoint)
+ [CryptoCurrency:Runtime/BitcoinTool.B!DNS](#cryptocurrency-runtime-bitcointoolbdns)
+ [Backdoor:Runtime/C&CActivity.B!DNS](#backdoor-runtime-ccactivitybdns)
+ [Trojan:Runtime/BlackholeTraffic!DNS](#trojan-runtime-blackholetrafficdns)
+ [Trojan:Runtime/DropPoint!DNS](#trojan-runtime-droppointdns)
+ [Trojan:Runtime/DGADomainRequest.C!DNS](#trojan-runtime-dgadomainrequestcdns)
+ [Trojan:Runtime/DriveBySourceTraffic!DNS](#trojan-runtime-drivebysourcetrafficdns)
+ [Trojan:Runtime/PhishingDomainRequest!DNS](#trojan-runtime-phishingdomainrequestdns)
+ [Impact:Runtime/AbusedDomainRequest.Reputation](#impact-runtime-abuseddomainrequestreputation)
+ [Impact:Runtime/BitcoinDomainRequest.Reputation](#impact-runtime-bitcoindomainrequestreputation)
+ [Impact:Runtime/MaliciousDomainRequest.Reputation](#impact-runtime-maliciousdomainrequestreputation)
+ [Impact:Runtime/SuspiciousDomainRequest.Reputation](#impact-runtime-suspiciousdomainrequestreputation)
+ [UnauthorizedAccess:Runtime/MetadataDNSRebind](#unauthorizedaccess-runtime-metadatadnsrebind)
+ [Execution:Runtime/NewBinaryExecuted](#execution-runtime-newbinaryexecuted)
+ [PrivilegeEscalation:Runtime/DockerSocketAccessed](#privilegeesc-runtime-dockersocketaccessed)
+ [PrivilegeEscalation:Runtime/RuncContainerEscape](#privilegeesc-runtime-runccontainerescape)
+ [PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified](#privilegeesc-runtime-cgroupsreleaseagentmodified)
+ [DefenseEvasion:Runtime/ProcessInjection.Proc](#defenseeva-runtime-processinjectionproc)
+ [DefenseEvasion:Runtime/ProcessInjection.Ptrace](#defenseeva-runtime-processinjectionptrace)
+ [DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite](#defenseeva-runtime-processinjectionvirtualmemw)
+ [Execution:Runtime/ReverseShell](#execution-runtime-reverseshell)
+ [DefenseEvasion:Runtime/FilelessExecution](#defenseeva-runtime-filelessexecution)
+ [Impact:Runtime/CryptoMinerExecuted](#impact-runtime-cryptominerexecuted)
+ [Execution:Runtime/NewLibraryLoaded](#execution-runtime-newlibraryloaded)
+ [PrivilegeEscalation:Runtime/ContainerMountsHostDirectory](#privilegeescalation-runtime-containermountshostdirectory)
+ [PrivilegeEscalation:Runtime/UserfaultfdUsage](#privilegeescalation-runtime-userfaultfdusage)
+ [Execution:Runtime/SuspiciousTool](#execution-runtime-suspicioustool)
+ [Execution:Runtime/SuspiciousCommand](#execution-runtime-suspiciouscommand)
+ [DefenseEvasion:Runtime/SuspiciousCommand](#defenseevasion-runtime-suspicious-command)
+ [DefenseEvasion:Runtime/PtraceAntiDebugging](#defenseevasion-runtime-ptrace-anti-debug)
+ [Execution:Runtime/MaliciousFileExecuted](#execution-runtime-malicious-file-executed)
+ [Execution:Runtime/SuspiciousShellCreated](#execution-runtime-suspicious-shell-created)
+ [PrivilegeEscalation:Runtime/ElevationToRoot](#privilegeesc-runtime-elevation-to-root)
+ [Discovery:Runtime/SuspiciousCommand](#discovery-runtime-suspicious-command)
+ [Persistence:Runtime/SuspiciousCommand](#persistence-runtime-suspicious-command)
+ [PrivilegeEscalation:Runtime/SuspiciousCommand](#privilege-escalation-runtime-suspicious-command)
+ [DefenseEvasion:Runtime/KernelModuleLoaded](#defenseevasion-runtime-kernelmoduleloaded)

## CryptoCurrency:Runtime/BitcoinTool.B

### An Amazon EC2 instance or a container is querying an IP address that is associated with a cryptocurrency-related activity.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment is querying an IP address that is associated with a cryptocurrency-related activity. Threat actors may seek to take control over compute resources to maliciously repurpose them for unauthorized cryptocurrency mining.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If you use this EC2 instance or a container to mine or manage cryptocurrency, or either of these is otherwise involved in blockchain activity, the CryptoCurrency:Runtime/BitcoinTool.B finding could represent expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first filter criterion should use the **Finding type** attribute with a value of `CryptoCurrency:Runtime/BitcoinTool.B`. The second filter criterion should be the **Instance ID** of the instance or the **Container Image ID** of the container involved in cryptocurrency or blockchain-related activity. For more information, see [Suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html).

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Backdoor:Runtime/C&CActivity.B

### An Amazon EC2 instance or a container is querying an IP that is associated with a known command and control server.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container within your AWS environment is querying an IP address associated with a known command and control (C&C) server. The listed instance or container might be compromised. Command and control servers are computers that issue commands to members of a botnet.

A botnet is a collection of internet-connected devices that might include PCs, servers, mobile devices, and Internet of Things devices, that are infected and controlled by a common type of malware. Botnets are often used to distribute malware and gather misappropriated information, such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to begin a distributed denial of service (DDoS) attack.

**Note**  
If the IP queried is log4j-related, then the fields of the associated finding will include the following values:  
`service.additionalInfo.threatListName = Amazon`
`service.additionalInfo.threatName = Log4j Related`

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## UnauthorizedAccess:Runtime/TorRelay

### Your Amazon EC2 instance or a container is making connections to a Tor network as a Tor relay.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment is making connections to a Tor network in a manner that suggests that it's acting as a Tor relay. Tor is software for enabling anonymous communication. Tor increases anonymity of communication by forwarding the client's possibly illicit traffic from one Tor relay to another.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## UnauthorizedAccess:Runtime/TorClient

### Your Amazon EC2 instance or a container is making connections to a Tor Guard or an Authority node.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guards and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this EC2 instance or the container has been potentially compromised and is acting as a client on a Tor network. This finding may indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Trojan:Runtime/BlackholeTraffic

### An Amazon EC2 instance or a container is attempting to communicate with an IP address of a remote host that is a known black hole.

**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment might be compromised because it is trying to communicate with the IP address of a black hole (or sinkhole). Black holes are places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient. A black hole IP address specifies a host machine that is not running or an address to which no host has been assigned.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Trojan:Runtime/DropPoint

### An Amazon EC2 instance or a container is attempting to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.

**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment is trying to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## CryptoCurrency:Runtime/BitcoinTool.B!DNS

### An Amazon EC2 instance or a container is querying a domain name that is associated with a cryptocurrency activity.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment is querying a domain name that is associated with Bitcoin or other cryptocurrency-related activity. Threat actors may seek to take control over the compute resources in order to maliciously repurpose them for unauthorized cryptocurrency mining.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If you use this EC2 instance or container to mine or manage cryptocurrency, or either of these is otherwise involved in blockchain activity, the CryptoCurrency:Runtime/BitcoinTool.B!DNS finding could represent expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first filter criterion should use the **Finding type** attribute with a value of `CryptoCurrency:Runtime/BitcoinTool.B!DNS`. The second filter criterion should be the **Instance ID** of the instance or the **Container Image ID** of the container involved in cryptocurrency or blockchain activity. For more information, see [Suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html).

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Backdoor:Runtime/C&CActivity.B!DNS

### An Amazon EC2 instance or a container is querying a domain name that is associated with a known command and control server.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or the container within your AWS environment is querying a domain name associated with a known command and control (C&C) server. The listed EC2 instance or the container might be compromised. Command and control servers are computers that issue commands to members of a botnet. 

A botnet is a collection of internet-connected devices which might include PCs, servers, mobile devices, and Internet of Things devices, that are infected and controlled by a common type of malware. Botnets are often used to distribute malware and gather misappropriated information, such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to begin a distributed denial of service (DDoS) attack.

**Note**  
If the domain name queried is log4j-related, then the fields of the associated finding will include the following values:  
`service.additionalInfo.threatListName = Amazon`
`service.additionalInfo.threatName = Log4j Related`

**Note**  
To test how GuardDuty generates this finding type, you can make a DNS request from your instance (using `dig` for Linux or `nslookup` for Windows) against a test domain `guarddutyc2activityb.com`.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Trojan:Runtime/BlackholeTraffic!DNS

### An Amazon EC2 instance or a container is querying a domain name that is being redirected to a black hole IP address.

**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or the container in your AWS environment might be compromised because it is querying a domain name that is being redirected to a black hole IP address. Black holes are places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Trojan:Runtime/DropPoint!DNS

### An Amazon EC2 instance or a container is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.

**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Trojan:Runtime/DGADomainRequest.C!DNS

### An Amazon EC2 instance or a container is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance or a container.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or the container in your AWS environment is trying to query domain generation algorithm (DGA) domains. Your resource might have been compromised.

DGAs are used to periodically generate a large number of domain names that infected hosts can use as rendezvous points with their command and control (C&C) servers. Command and control servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware. The large number of potential rendezvous points makes it difficult to effectively shut down botnets, because infected computers attempt to contact some of these domain names every day to receive updates or commands.

**Note**  
This finding is based on known DGA domains from GuardDuty threat intelligence feeds.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Trojan:Runtime/DriveBySourceTraffic!DNS

### An Amazon EC2 instance or a container is querying a domain name of a remote host that is a known source of Drive-By download attacks.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or the container in your AWS environment might be compromised because it is querying a domain name of a remote host that is a known source of drive-by download attacks. These are unintended downloads of computer software from the internet that can initiate an automatic installation of a virus, spyware, or malware.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Trojan:Runtime/PhishingDomainRequest!DNS

### An Amazon EC2 instance or a container is querying domains involved in phishing attacks.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment is trying to query a domain involved in phishing attacks. Phishing domains are set up by someone posing as a legitimate institution in order to induce individuals to provide sensitive data, such as personally identifiable information, banking and credit card details, and passwords. Your EC2 instance or the container might be trying to retrieve sensitive data stored on a phishing website, or it may be attempting to set up a phishing website. Your EC2 instance or the container might be compromised.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Impact:Runtime/AbusedDomainRequest.Reputation

### An Amazon EC2 instance or a container is querying a low reputation domain name that is associated with known abused domains.

**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or the container within your AWS environment is querying a low reputation domain name associated with known abused domains or IP addresses. Examples of abused domains are top-level domains (TLDs) and second-level domains (2LDs) that provide free subdomain registrations, as well as dynamic DNS providers. Threat actors tend to use these services to register domains for free or at low cost. Low reputation domains in this category may also be expired domains resolving to a registrar's parking IP address and therefore may no longer be active. A parking IP is where a registrar directs traffic for domains that have not been linked to any service. The listed Amazon EC2 instance or the container may be compromised, as threat actors commonly use these registrars or services for C&C and malware distribution.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Impact:Runtime/BitcoinDomainRequest.Reputation

### An Amazon EC2 instance or a container is querying a low reputation domain name that is associated with cryptocurrency-related activity.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or the container within your AWS environment is querying a low reputation domain name associated with Bitcoin or other cryptocurrency-related activity. Threat actors may seek to take control over compute resources to maliciously repurpose them for unauthorized cryptocurrency mining.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If you use this EC2 instance or the container to mine or manage cryptocurrency, or if these resources are otherwise involved in blockchain activity, this finding could represent expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first filter criterion should use the **Finding type** attribute with a value of `Impact:Runtime/BitcoinDomainRequest.Reputation`. The second filter criterion should be the **Instance ID** of the instance or the **Container Image ID** of the container that is involved in cryptocurrency or blockchain-related activity. For more information, see [Suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html).

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Impact:Runtime/MaliciousDomainRequest.Reputation

### An Amazon EC2 instance or a container is querying a low reputation domain that is associated with known malicious domains.

**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or the container within your AWS environment is querying a low reputation domain name associated with known malicious domains or IP addresses. For example, domains may be associated with a known sinkhole IP address. Sinkholed domains are domains that were previously controlled by a threat actor, and requests made to them can indicate the instance is compromised. These domains may also be correlated with known malicious campaigns or domain generation algorithms.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Impact:Runtime/SuspiciousDomainRequest.Reputation

### An Amazon EC2 instance or a container is querying a low reputation domain name that is suspicious in nature due to its age or low popularity.

**Default severity: Low**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or the container within your AWS environment is querying a low reputation domain name that is suspected of being malicious. The observed characteristics of this domain were consistent with previously observed malicious domains. However, our reputation model was unable to definitively relate it to a known threat. These domains are typically newly observed or receive a low amount of traffic.

Low reputation domains are based on a reputation score model. This model evaluates and ranks the characteristics of a domain to determine its likelihood of being malicious.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## UnauthorizedAccess:Runtime/MetadataDNSRebind

### An Amazon EC2 instance or a container is performing DNS lookups that resolve to the instance metadata service.

**Default severity: High**
+ **Feature:** Runtime Monitoring

**Note**  
Presently, this finding type is only supported for AMD64 architecture.

This finding informs you that a process running on the listed EC2 instance or a container in your AWS environment is querying a domain that resolves to the EC2 metadata IP address (169.254.169.254). A DNS query of this kind may indicate that the instance is a target of a DNS rebinding technique. This technique can be used to obtain metadata from an EC2 instance, including the IAM credentials associated with the instance.

DNS rebinding involves tricking an application running on the EC2 instance into loading data returned from a URL whose domain name resolves to the EC2 metadata IP address (`169.254.169.254`). This causes the application to access EC2 metadata and possibly make it available to the attacker.

It is possible to access EC2 metadata using DNS rebinding only if the EC2 instance is running a vulnerable application that allows injection of URLs, or if someone accesses the URL in a web browser running on the EC2 instance.
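The condition described above is visible in resolver logs before any application is tricked: a public-looking name that answers with the metadata address. The following is an added example, not GuardDuty code or any AWS tooling, that scans query-log records for exactly that. The records are constructed in the style of Route 53 Resolver query logs (`query_name`, `answers[].Rdata`, `srcids.instance`); that field layout is an assumption, so adapt the record handling for your resolver. It goes one step beyond the page by also checking the IPv6 IMDS endpoint `fd00:ec2::254`, and it supports an allowlist for names you have intentionally mapped to the metadata address, the same case the remediation text covers with a suppression rule.

```python
"""Flag DNS answers that point a name at the EC2 instance metadata service,
the DNS-rebinding signal behind UnauthorizedAccess:Runtime/MetadataDNSRebind.

Added example, not GuardDuty code. Record layout (Route 53 Resolver
query-log style) is an assumption; all records and instance IDs are constructed.
"""
import ipaddress
import json
from typing import Iterable

# Addresses of the instance metadata service. The page cites the IPv4 one;
# the IPv6 endpoint is included so dual-stack hosts are not a blind spot.
METADATA_ADDRS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"query_name":"api.example.net.","query_type":"A","answers":[{"Rdata":"203.0.113.10","Type":"A"}],"srcids":{"instance":"i-0aaa111122223333"}}
{"query_name":"cdn.rebind.example.","query_type":"A","answers":[{"Rdata":"198.51.100.7","Type":"A"},{"Rdata":"169.254.169.254","Type":"A"}],"srcids":{"instance":"i-0aaa111122223333"}}
{"query_name":"imds.internal.example.","query_type":"A","answers":[{"Rdata":"169.254.169.254","Type":"A"}],"srcids":{"instance":"i-0bbb444455556666"}}
{"query_name":"www.example.org.","query_type":"CNAME","answers":[{"Rdata":"edge.example.org.","Type":"CNAME"}],"srcids":{"instance":"i-0bbb444455556666"}}
{"query_name":"v6.rebind.example.","query_type":"AAAA","answers":[{"Rdata":"fd00:ec2::254","Type":"AAAA"}],"srcids":{"instance":"i-0ccc777788889999"}}
"""

# Names deliberately mapped to the metadata address in your own zones
# (constructed); findings for these are the suppression-rule case.
ALLOWLIST = frozenset({"imds.internal.example"})


def metadata_answers(record: dict) -> list[str]:
    """Rdata values in this record that are a metadata address. Non-address
    rdata (CNAME targets, TXT) is skipped rather than treated as an error."""
    hits = []
    for ans in record.get("answers", []):
        try:
            addr = ipaddress.ip_address(ans.get("Rdata", ""))
        except ValueError:
            continue
        if addr in METADATA_ADDRS:
            hits.append(str(addr))
    return hits


def scan(log_text: str, allowlist: Iterable[str] = ()) -> list[dict]:
    """One alert per record whose answers include a metadata address and whose
    name is not allowlisted. Names are compared case-insensitively and without
    the trailing dot, as DNS names should be."""
    allowed = {n.rstrip(".").lower() for n in allowlist}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        name = rec.get("query_name", "").rstrip(".").lower()
        hits = metadata_answers(rec)
        if hits and name not in allowed:
            alerts.append({
                "query_name": name,
                "instance": rec.get("srcids", {}).get("instance"),
                "answers": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, ALLOWLIST):
        print(alert)
```

A rebinding response often mixes a legitimate address with the metadata address (the second sample record), so the check looks at every answer in the record, not just the first. Anything this scan reports for an instance that also carries a `MetadataDNSRebind` finding gives you the querying name and source instance to start the evaluation the remediation text asks for.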

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

In response to this finding, you should evaluate if there is a vulnerable application running on the EC2 instance or on the container, or if someone used a browser to access the domain identified in the finding. If the root cause is a vulnerable application, fix the vulnerability. If someone browsed the identified domain, block the domain or prevent users from accessing it. If you determine this finding was related to either case above, [Revoke the session associated with the EC2 instance](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html).

Some AWS customers intentionally map the metadata IP address to a domain name on their authoritative DNS servers. If this is the case in your environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first filter criterion should use the **Finding type** attribute with a value of `UnauthorizedAccess:Runtime/MetadataDNSRebind`. The second filter criterion should be **DNS request domain** or the **Container Image ID** of the container. The **DNS request domain** value should match the domain you have mapped to the metadata IP address (`169.254.169.254`). For information about creating suppression rules, see [Suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html).
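The two-criteria suppression rule recommended here, and in the CryptoCurrency:Runtime/BitcoinTool.B, CryptoCurrency:Runtime/BitcoinTool.B!DNS and Impact:Runtime/BitcoinDomainRequest.Reputation sections above, is a GuardDuty filter whose action is ARCHIVE. The following is an added example, not code from this documentation or from the AWS SDK, that builds such a filter's `FindingCriteria` document and evaluates it locally against constructed findings, so that the rule can be checked for over- or under-matching before it is created. Assumptions: the JSON attribute paths behind the console's **Finding type**, **Instance ID** and **DNS request domain** attributes are `type`, `resource.instanceDetails.instanceId` and `service.action.dnsRequestAction.domain`; every finding, instance ID and domain below is a constructed sample.

```python
"""Build a GuardDuty suppression rule (a filter with action ARCHIVE) and check
it against sample findings before deploying it.

Added example, not GuardDuty documentation code or AWS SDK code. The filter
attribute paths are assumptions (see lead-in); all sample data is constructed.
"""
from typing import Any, Optional


def suppression_criteria(finding_type: str, identifiers: dict[str, str]) -> dict:
    """FindingCriteria document for guardduty:CreateFilter: the finding type AND
    each identifying attribute, every one an exact (Eq) match."""
    criterion: dict[str, dict] = {"type": {"Eq": [finding_type]}}
    for attr, value in identifiers.items():
        criterion[attr] = {"Eq": [value]}
    return {"Criterion": criterion}


def lookup(finding: dict, dotted: str) -> Any:
    """Resolve 'a.b.c' against a finding object; None if any step is missing."""
    node: Any = finding
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(finding: dict, criteria: dict) -> bool:
    """Apply the criteria the way a filter does: every criterion must hold (AND);
    Eq holds when the finding value is one of the listed values, Neq when it is
    none of them. A missing attribute never satisfies Eq."""
    for attr, cond in criteria["Criterion"].items():
        value = lookup(finding, attr)
        if "Eq" in cond and value not in cond["Eq"]:
            return False
        if "Neq" in cond and value in cond["Neq"]:
            return False
    return True


def sample_finding(finding_type: str, instance_id: str,
                   domain: Optional[str] = None) -> dict:
    """Constructed finding carrying only the fields the rules above inspect."""
    finding = {
        "type": finding_type,
        "resource": {"instanceDetails": {"instanceId": instance_id}},
        "service": {"action": {}},
    }
    if domain is not None:
        finding["service"]["action"]["dnsRequestAction"] = {"domain": domain}
    return finding


# A host that legitimately mines (CryptoCurrency:Runtime/BitcoinTool.B case).
MINING_HOST_RULE = suppression_criteria(
    "CryptoCurrency:Runtime/BitcoinTool.B",
    {"resource.instanceDetails.instanceId": "i-0123456789abcdef0"},  # constructed
)

# A name deliberately mapped to 169.254.169.254 (MetadataDNSRebind case).
METADATA_ALIAS_RULE = suppression_criteria(
    "UnauthorizedAccess:Runtime/MetadataDNSRebind",
    {"service.action.dnsRequestAction.domain": "imds.internal.example"},  # constructed
)


def deploy(detector_id: str, name: str, criteria: dict,
           region: Optional[str] = None) -> str:
    """Create the filter with the AWS SDK (needs credentials; not run offline).
    Returns the filter name GuardDuty reports back."""
    import boto3  # imported here so the rest of the module runs without it

    client = boto3.client("guardduty", region_name=region)
    resp = client.create_filter(
        DetectorId=detector_id, Name=name, Action="ARCHIVE", FindingCriteria=criteria
    )
    return resp["Name"]


if __name__ == "__main__":
    mine = sample_finding("CryptoCurrency:Runtime/BitcoinTool.B", "i-0123456789abcdef0")
    other = sample_finding("CryptoCurrency:Runtime/BitcoinTool.B", "i-0fedcba9876543210")
    print(matches(mine, MINING_HOST_RULE), matches(other, MINING_HOST_RULE))
```

Two points the local check makes visible: the rule is scoped to one finding type, so the `!DNS` variant of the same finding on the same instance is not suppressed and needs its own rule, exactly as the sections above prescribe; and a finding that lacks the identifying attribute is never archived. For a container rather than an instance, replace the instance-ID criterion with the attribute path for **Container Image ID**, which this example does not assume.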

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Execution:Runtime/NewBinaryExecuted

### A newly created or recently modified binary file in a container has been executed.

**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a newly created or recently modified binary file in a container was executed. It is a best practice to keep containers immutable at runtime: binary files, scripts, and libraries should not be created or modified during the lifetime of the container. This behavior indicates that a malicious actor who has gained access to the container has downloaded and executed malware or other software as part of a potential compromise. Although this type of activity could be an indication of a compromise, it is also a common usage pattern. Therefore, GuardDuty uses mechanisms to identify suspicious instances of this activity and generates this finding type only for those suspicious instances.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. To identify the modifying process and the new binary, view the **Modifying process** details and the **Process** details.

The details of the modifying process are included in the `service.runtimeDetails.context.modifyingProcess` field of the finding JSON, or under **Modifying Process** in the finding details panel. For this finding type, the modifying process is `/usr/bin/dpkg`, as identified by the `service.runtimeDetails.context.modifyingProcess.executablePath` field of the finding JSON, or as a part of **Modifying Process** in the finding details panel.

The details of the executed new or modified binary are included in the `service.runtimeDetails.process` of the finding JSON, or the **Process** section under **Runtime details**. For this finding type, the new or modified binary is `/usr/bin/python3.8`, as indicated by `service.runtimeDetails.process.executablePath` (**Executable path**) field.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## PrivilegeEscalation:Runtime/DockerSocketAccessed


### A process inside a container is communicating with Docker daemon using Docker socket.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

The Docker socket is a Unix domain socket that the Docker daemon (`dockerd`) uses to communicate with its clients. A client can perform various actions, such as creating containers, by communicating with the Docker daemon through the Docker socket. It is suspicious for a container process to access the Docker socket. A container process can escape the container and gain host-level access by communicating with the Docker socket and creating a privileged container.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## PrivilegeEscalation:Runtime/RuncContainerEscape


### A container escape attempt through runC was detected.


**Default severity: High**
+ **Feature:** Runtime Monitoring

runC is the low-level container runtime that high-level container runtimes, such as Docker and containerd, use to spawn and run containers. runC is always executed with root privileges because it needs to perform the low-level task of creating a container. A threat actor can gain host-level access by either modifying the runC binary or exploiting a vulnerability in it.

This finding detects modification of the runC binary and potential attempts to exploit the following runC vulnerabilities:
+ [https://nvd.nist.gov/vuln/detail/CVE-2019-5736](https://nvd.nist.gov/vuln/detail/CVE-2019-5736) – Exploitation of CVE-2019-5736 involves overwriting the runC binary from within a container. This finding is generated when the runC binary is modified by a process inside a container.
+ [https://nvd.nist.gov/vuln/detail/CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) – Exploitation of CVE-2024-21626 involves setting the current working directory (CWD) of a container to an open file descriptor, `/proc/self/fd/FileDescriptor`. This finding is generated when a container process with a current working directory under `/proc/self/fd/` is detected, for example, `/proc/self/fd/7`.

This finding may indicate that a malicious actor has attempted to perform exploitation in one of the following types of containers:
+ A new container with an attacker-controlled image.
+ An existing container that was accessible to the actor with write permissions on the host-level runC binary.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified


### A container escape attempt through CGroups release agent was detected.


**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that an attempt to modify a control group (cgroup) release agent file has been detected. Linux uses control groups (cgroups) to limit, account for, and isolate the resource usage of a collection of processes. Each cgroup has a release agent file (`release_agent`), a script that Linux executes when any process inside the cgroup terminates. The release agent file is always executed at the host level. A threat actor inside a container can escape to the host by writing arbitrary commands to the release agent file that belongs to a cgroup. When a process inside that cgroup terminates, the commands written by the actor are executed.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## DefenseEvasion:Runtime/ProcessInjection.Proc


### A process injection using proc filesystem was detected in a container or an Amazon EC2 instance.


**Default severity: High**
+ **Feature:** Runtime Monitoring

Process injection is a technique that threat actors use to inject code into processes to evade defenses and potentially elevate privileges. The proc filesystem (procfs) is a special filesystem in Linux that presents the virtual memory of a process as a file. The path of that file is `/proc/PID/mem`, where `PID` is the unique ID of the process. A threat actor can write to this file to inject code into the process. This finding identifies potential attempts to write to this file.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## DefenseEvasion:Runtime/ProcessInjection.Ptrace


### A process injection using ptrace system call was detected in a container or an Amazon EC2 instance.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

Process injection is a technique that threat actors use to inject code into processes to evade defenses and potentially elevate privileges. A process can use the ptrace system call to inject code into another process. This finding identifies a potential attempt to inject code into a process using the ptrace system call.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite


### A process injection through a direct write to virtual memory was detected in a container or an Amazon EC2 instance.


**Default severity: High**
+ **Feature:** Runtime Monitoring

Process injection is a technique that threat actors use to inject code into processes to evade defenses and potentially elevate privileges. A process can use a system call such as `process_vm_writev` to directly inject code into another process's virtual memory. This finding identifies a potential attempt to inject code into a process using a system call that writes to the virtual memory of the process.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Execution:Runtime/ReverseShell


### A process in a container or an Amazon EC2 instance has created a reverse shell.


**Default severity: High**
+ **Feature:** Runtime Monitoring

A reverse shell is a shell session created on a connection that is initiated from the target host to the actor's host. This is the opposite of a normal shell, whose connection is initiated from the actor's host to the target host. Threat actors create a reverse shell to execute commands on the target after gaining initial access to it. This finding identifies potentially suspicious reverse shell connections.

GuardDuty examines related runtime activity and context, and generates this finding type only when the associated activity and context are found to be unusual or suspicious. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

The GuardDuty runtime agent monitors events from multiple resource types. To identify the affected resource, view **Resource type** in the finding details in the GuardDuty console. If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## DefenseEvasion:Runtime/FilelessExecution


### A process in a container or an Amazon EC2 instance is executing code from memory.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you when a process is executed from an in-memory executable file rather than from a file on disk. This is a common defense evasion technique: by never writing the malicious executable to disk, the actor avoids detection that relies on file system scanning. Although this technique is used by malware, it also has some legitimate use cases. One example is a just-in-time (JIT) compiler that writes compiled code to memory and executes it from memory.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Impact:Runtime/CryptoMinerExecuted


### A container or an Amazon EC2 instance is executing a binary file that is associated with a cryptocurrency mining activity.


**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed EC2 instance or container in your AWS environment is executing a binary file that is associated with a cryptocurrency mining activity. Threat actors may seek to take control over compute resources to maliciously repurpose them for unauthorized cryptocurrency mining.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

The GuardDuty runtime agent monitors events from multiple resource types. To identify the affected resource, view **Resource type** in the finding details in the GuardDuty console, then see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Execution:Runtime/NewLibraryLoaded


### A newly created or recently modified library was loaded by a process inside a container.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a library was created or modified inside a container during runtime and then loaded by a process running inside the container. The best practice is to keep containers immutable at runtime, and not to create or modify binary files, scripts, or libraries during the lifetime of the container. Loading a newly created or modified library in a container may indicate suspicious activity. This behavior indicates that a malicious actor has potentially gained access to the container and has downloaded and executed malware or other software as part of the potential compromise. Although this type of activity could be an indication of a compromise, it is also a common usage pattern. Therefore, GuardDuty uses mechanisms to identify suspicious instances of this activity and generates this finding type only for suspicious instances.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## PrivilegeEscalation:Runtime/ContainerMountsHostDirectory


### A process inside a container mounted a host filesystem at runtime.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

Multiple container escape techniques involve mounting a host filesystem inside a container at runtime. This finding informs you that a process inside a container potentially attempted to mount a host filesystem, which may indicate an attempt to escape to the host.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## PrivilegeEscalation:Runtime/UserfaultfdUsage


### A process used `userfaultfd` system calls to handle page faults in user space.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

Typically, page faults are handled by the kernel in kernel space. However, the `userfaultfd` system call allows a process to handle page faults in user space. This is a useful feature that enables the implementation of user-space filesystems. On the other hand, it can also be used by a potentially malicious process to interrupt the kernel from user space. Interrupting the kernel by using the `userfaultfd` system call is a common exploitation technique for extending race windows during exploitation of kernel race conditions. Use of `userfaultfd` may indicate suspicious activity on the Amazon Elastic Compute Cloud (Amazon EC2) instance.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Execution:Runtime/SuspiciousTool


### A container or an Amazon EC2 instance is running a binary file or script that is frequently used in offensive security scenarios, such as pentesting engagements.


**Default severity: Variable**

The severity of this finding can be either high or low, depending on whether the detected suspicious tool is considered dual-use or exclusively offensive.
+ **Feature:** Runtime Monitoring

This finding informs you that a suspicious tool has been executed on an EC2 instance or container within your AWS environment. This includes tools used in pentesting engagements, such as backdoor tools, network scanners, and network sniffers. All of these tools can be used in benign contexts but are also frequently used by threat actors with malicious intent. Observing offensive security tools could indicate that the associated EC2 instance or container has been compromised.

GuardDuty examines related runtime activity and context so that it generates this finding only when the associated activity and context are potentially suspicious.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. When applicable, additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Execution:Runtime/SuspiciousCommand


### A suspicious command has been executed on an Amazon EC2 instance or a container that is indicative of a compromise.


**Default severity: Variable**

Depending on the impact of the observed malicious pattern, the severity of this finding type could be either low, medium, or high.
+ **Feature:** Runtime Monitoring

This finding informs you that a suspicious command has been executed, which indicates that an Amazon EC2 instance or a container in your AWS environment has been compromised. This might mean either that a file was downloaded from a suspicious source and then executed, or that a running process displays a known malicious pattern in its command line. This further indicates that malware is running on the system.

GuardDuty examines related runtime activity and context so that it generates this finding only when the associated activity and context are potentially suspicious.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. When applicable, additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

**Note**  
Process command line arguments may contain sensitive data. To protect sensitive data, GuardDuty runtime monitoring findings do not include full command line arguments. Instead, `Service.RuntimeDetails.Context.CommandLineExample` provides a representative example of the command line pattern that generated the finding.

## DefenseEvasion:Runtime/SuspiciousCommand


### A command has been executed on the listed Amazon EC2 instance or a container that attempts to modify or disable a Linux defense mechanism, such as a firewall or essential system services.


**Default severity: Variable**

Depending on which defense mechanism has been modified or disabled, the severity of this finding type can be either high, medium, or low.
+ **Feature:** Runtime Monitoring

This finding informs you that a command that attempts to hide an attack from the local system's security services has been executed. This includes actions such as disabling the Unix firewall, modifying local iptables rules, removing crontab entries, disabling a local service, or hijacking the `LD_PRELOAD` mechanism. Because these mechanisms detect or prevent further compromise of the system, any modification to them is highly suspicious and a potential indicator of compromise.

GuardDuty examines related runtime activity and context so that it generates this finding only when the associated activity and context are potentially suspicious.

The GuardDuty runtime agent monitors events from multiple resources. To identify the potentially compromised resource, view **Resource type** in the findings details in the GuardDuty console. When applicable, additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## DefenseEvasion:Runtime/PtraceAntiDebugging


### A process in a container or an Amazon EC2 instance has executed an anti-debugging measure using the ptrace system call.


**Default severity: Low**
+ **Feature:** Runtime Monitoring

This finding shows that a process running on the listed Amazon EC2 instance or a container within your AWS environment has used the ptrace system call with the `PTRACE_TRACEME` option. This activity would cause an attached debugger to detach from the running process. If no debugger is attached, it has no effect. However, the activity in itself raises suspicion. This might indicate that malware is running on the system. Malware frequently uses anti-debugging techniques to evade analysis, and these techniques can be detected at runtime.

GuardDuty examines related runtime activity and context so that it generates this finding only when the associated activity and context are potentially suspicious.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Execution:Runtime/MaliciousFileExecuted


### A known malicious executable file has been executed on an Amazon EC2 instance or a container.


**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding informs you that a known malicious executable has been executed on an Amazon EC2 instance or a container within your AWS environment. This is a strong indicator that the instance or container has potentially been compromised and that malware has been executed.

GuardDuty examines related runtime activity and context so that it generates this finding only when the associated activity and context are potentially suspicious.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. When applicable, additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Execution:Runtime/SuspiciousShellCreated


### A network service or network-accessible process on an Amazon EC2 instance or in a container has started an interactive shell process.


**Default severity: Low**
+ **Feature:** Runtime Monitoring

This finding informs you that a network-accessible service on an Amazon EC2 instance or in a container within your AWS environment has launched an interactive shell. Under certain circumstances, this scenario may indicate post-exploitation behavior. Interactive shells allow attackers to execute arbitrary commands on a compromised instance or container.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation. You can view the network-accessible process information in the parent process details.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## PrivilegeEscalation:Runtime/ElevationToRoot


### A process running on the listed Amazon EC2 instance or container has assumed root privileges.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed Amazon EC2 instance or in the listed container within your AWS environment has assumed root privileges through unusual or suspicious `setuid` binary execution. This indicates that a running process has potentially been compromised, either through an exploit on the EC2 instance or through `setuid` exploitation. With root privileges, the attacker can potentially execute commands on the instance or the container.

While GuardDuty is designed to not generate this finding type for activities involving regular use of the `sudo` command, it will generate this finding when it identifies the activity as unusual or suspicious.

GuardDuty examines related runtime activity and context, and generates this finding type only when the associated activity and context are unusual or suspicious.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Discovery:Runtime/SuspiciousCommand


### A suspicious command has been executed on an Amazon EC2 instance or in a container, which allows an attacker to gain information about the local system, surrounding AWS infrastructure, or container infrastructure.


**Default severity: Low**

+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed Amazon EC2 instance or container in your AWS environment has executed a command that might provide an attacker with crucial information to potentially advance the attack. The following kinds of information may have been retrieved:
+ Local system information, such as user or network configuration
+ Other available AWS resources and permissions
+ Kubernetes infrastructure, such as services and pods

The Amazon EC2 instance or the container that is listed in the finding detail might have been compromised.

The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings details in the GuardDuty console. You can find the details about the suspicious command in the `service.runtimeDetails.context` field of the finding JSON. Additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## Persistence:Runtime/SuspiciousCommand


### A suspicious command has been executed on an Amazon EC2 instance or in a container, which allows an attacker to persist access and control in your AWS environment.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed Amazon EC2 instance or in a container within your AWS environment has executed a suspicious command. The command installs a persistence method that allows malware to run uninterrupted, or allows an attacker to continuously access the potentially compromised instance or container. This could mean that a system service has been installed or modified, the `crontab` has been modified, or a new user has been added to the system configuration.

GuardDuty examines related runtime activity and context, and generates this finding type only when the associated activity and context are unusual or suspicious.

The Amazon EC2 instance or the container that is listed in the finding detail might have been compromised.

The GuardDuty runtime agent monitors events from multiple resources. To identify the potentially compromised resource, view **Resource type** in the findings details in the GuardDuty console. You can find the details about the suspicious command in the `service.runtimeDetails.context` field of the finding JSON. When applicable, additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## PrivilegeEscalation:Runtime/SuspiciousCommand


### A suspicious command has been executed on an Amazon EC2 instance or in a container, which allows an attacker to escalate privileges.


**Default severity: Medium**
+ **Feature:** Runtime Monitoring

This finding informs you that a process running on the listed Amazon EC2 instance or in a container within your AWS environment has executed a suspicious command. The command attempts to perform privilege escalation, which allows an adversary to perform high privilege tasks.

GuardDuty examines related runtime activity and context, and generates this finding type only when the associated activity and context are unusual or suspicious.

The Amazon EC2 instance or the container that is listed in the finding detail might have been compromised.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. When applicable, additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

## DefenseEvasion:Runtime/KernelModuleLoaded


### A kernel module was loaded on an Amazon EC2 instance, indicating an attempt to gain kernel-level access.


**Default severity: High**
+ **Feature:** Runtime Monitoring

This finding indicates that a kernel module was loaded on the listed EC2 instance. Since kernel modules have the highest system-level privileges (ring 0), this could indicate that a threat actor has gained kernel-level access. This level of access allows complete control over the system.

The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. When applicable, additional context, including process and process lineage information, is available in the finding for further investigation.

**Remediation recommendations:**

If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](guardduty-remediate-runtime-monitoring.md).

# Malware Protection for EC2 finding types


GuardDuty Malware Protection for EC2 generates a single Malware Protection for EC2 finding for all threats detected during the scan of an EC2 instance or a container workload. The finding includes the total number of detections made during the scan and, based on severity, provides details for the top 32 threats that it detects. Unlike other GuardDuty findings, Malware Protection for EC2 findings are not updated when the same EC2 instance or container workload is scanned again.

A new Malware Protection for EC2 finding is generated for each scan that detects malware. Malware Protection for EC2 findings include information about the corresponding scan that produced the finding as well as the GuardDuty finding that initiated this scan. This makes it easier to correlate the suspicious behavior with the detected malware.

**Note**  
When GuardDuty detects malicious activity on a container workload, Malware Protection for EC2 doesn't generate an EC2 level finding.

The following findings are specific to GuardDuty Malware Protection for EC2.

**Topics**
+ [Execution:EC2/MaliciousFile](#execution-malware-ec2-maliciousfile)
+ [Execution:ECS/MaliciousFile](#execution-malware-ecs-maliciousfile)
+ [Execution:Kubernetes/MaliciousFile](#execution-malware-kubernetes-maliciousfile)
+ [Execution:Container/MaliciousFile](#execution-malware-container-maliciousfile)
+ [Execution:EC2/SuspiciousFile](#execution-malware-ec2-suspiciousfile)
+ [Execution:ECS/SuspiciousFile](#execution-malware-ecs-suspiciousfile)
+ [Execution:Kubernetes/SuspiciousFile](#execution-malware-kubernetes-suspiciousfile)
+ [Execution:Container/SuspiciousFile](#execution-malware-container-suspiciousfile)

## Execution:EC2/MaliciousFile

### A malicious file has been detected on an EC2 instance.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** EBS Malware Protection

This finding indicates that the GuardDuty Malware Protection for EC2 scan has detected one or more malicious files on the listed EC2 instance within your AWS environment. The listed instance might be compromised. For more information, see the **Threats detected** section in the finding's details.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Execution:ECS/MaliciousFile

### A malicious file has been detected on an ECS cluster.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** EBS Malware Protection

This finding indicates that the GuardDuty Malware Protection for EC2 scan has detected one or more malicious files on a container workload that belongs to an ECS cluster. For more information, see the **Threats detected** section in the finding's details.

**Remediation recommendations:**

If this activity is unexpected, your container belonging to the ECS cluster may be compromised. For more information, see [Remediating a potentially compromised ECS cluster](compromised-ecs.md).

## Execution:Kubernetes/MaliciousFile

### A malicious file has been detected on a Kubernetes cluster.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** EBS Malware Protection

This finding indicates that the GuardDuty Malware Protection for EC2 scan has detected one or more malicious files on a container workload that belongs to a Kubernetes cluster. If this is an EKS managed cluster, the finding's details provide additional information about the impacted EKS resource. For more information, see the **Threats detected** section in the finding's details.

**Remediation recommendations:**

If this activity is unexpected, your container workload may be compromised. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Execution:Container/MaliciousFile

### A malicious file has been detected on a standalone container.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** EBS Malware Protection

This finding indicates that the GuardDuty Malware Protection for EC2 scan has detected one or more malicious files on a container workload for which no cluster information has been identified. For more information, see the **Threats detected** section in the finding's details.

**Remediation recommendations:**

If this activity is unexpected, your container workload may be compromised. For more information, see [Remediating a potentially compromised standalone container](remediate-compromised-standalone-container.md).

## Execution:EC2/SuspiciousFile

### A suspicious file has been detected on an EC2 instance.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** EBS Malware Protection

This finding indicates that the GuardDuty Malware Protection for EC2 scan has detected one or more suspicious files on an EC2 instance. For more information, see the **Threats detected** section in the finding's details.

`SuspiciousFile` type detections indicate that potentially unwanted programs such as adware, spyware, or dual use tools are present on an impacted resource. These programs could have a negative impact on your resource, or be used by attackers for malicious purposes. For example, networking tools can be used legitimately or maliciously by adversaries as hack tools to try and compromise resources.

When a suspicious file has been detected, evaluate whether you expect to see the detected file in your AWS environment. If the file is unexpected, follow the remediation recommendations provided in the next section.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Execution:ECS/SuspiciousFile

### A suspicious file has been detected on an ECS cluster.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** EBS Malware Protection

This finding indicates that the GuardDuty Malware Protection for EC2 scan has detected one or more suspicious files on a container that belongs to an ECS cluster. For more information, see the **Threats detected** section in the finding's details.

`SuspiciousFile` type detections indicate that potentially unwanted programs such as adware, spyware, or dual use tools are present on an impacted resource. These programs could have a negative impact on your resource, or be used by attackers for malicious purposes. For example, networking tools can be used legitimately or maliciously by adversaries as hack tools to try and compromise resources.

When a suspicious file has been detected, evaluate whether you expect to see the detected file in your AWS environment. If the file is unexpected, follow the remediation recommendations provided in the next section.

**Remediation recommendations:**

If this activity is unexpected, your container belonging to the ECS cluster may be compromised. For more information, see [Remediating a potentially compromised ECS cluster](compromised-ecs.md).

## Execution:Kubernetes/SuspiciousFile

### A suspicious file has been detected on a Kubernetes cluster.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** EBS Malware Protection

This finding indicates that the GuardDuty Malware Protection for EC2 scan has detected one or more suspicious files on a container that belongs to a Kubernetes cluster. If this is an EKS managed cluster, the finding's details provide additional information about the impacted EKS resource. For more information, see the **Threats detected** section in the finding's details.

`SuspiciousFile` type detections indicate that potentially unwanted programs such as adware, spyware, or dual use tools are present on an impacted resource. These programs could have a negative impact on your resource, or be used by attackers for malicious purposes. For example, networking tools can be used legitimately or maliciously by adversaries as hack tools to try and compromise resources.

When a suspicious file has been detected, evaluate whether you expect to see the detected file in your AWS environment. If the file is unexpected, follow the remediation recommendations provided in the next section.

**Remediation recommendations:**

If this activity is unexpected, your container workload may be compromised. For more information, see [Remediating EKS Protection findings](guardduty-remediate-kubernetes.md).

## Execution:Container/SuspiciousFile

### A suspicious file has been detected on a standalone container.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** EBS Malware Protection

This finding indicates that the GuardDuty Malware Protection for EC2 scan has detected one or more suspicious files on a container for which no cluster information has been identified. For more information, see the **Threats detected** section in the finding's details.

`SuspiciousFile` type detections indicate that potentially unwanted programs such as adware, spyware, or dual use tools are present on an impacted resource. These programs could have a negative impact on your resource, or be used by attackers for malicious purposes. For example, networking tools can be used legitimately or maliciously by adversaries as hack tools to try and compromise resources.

When a suspicious file has been detected, evaluate whether you expect to see the detected file in your AWS environment. If the file is unexpected, follow the remediation recommendations provided in the next section.

**Remediation recommendations:**

If this activity is unexpected, your container workload may be compromised. For more information, see [Remediating a potentially compromised standalone container](remediate-compromised-standalone-container.md).

# Malware Protection for S3 finding type

GuardDuty generates a finding only when it detects a potential security threat in your AWS account. A Malware Protection for S3 finding indicates that the uploaded object that initiated the malware scan contains a potentially malicious file.

For Amazon GuardDuty to generate a finding in your AWS account, enable both GuardDuty and Malware Protection for S3. The best practice is to first enable GuardDuty and then Malware Protection for S3. If you enable them in a different order, make sure GuardDuty is enabled before an S3 object gets uploaded to your protected bucket.

**Note**  
GuardDuty can't generate a finding for an S3 object that was scanned before you enabled GuardDuty. To scan an existing S3 object, you may upload it again.

## Object:S3/MaliciousFile

### A malicious file has been detected on a scanned S3 object.

**Default severity: High**
+ **Feature:** Malware Protection for S3

This finding indicates that a malware scan has detected the listed S3 object to be malicious. For more information, view the **Threats detected** section in the finding details panel.

**Remediation recommendations:**

If this finding was unexpected, the S3 object is potentially malicious. For information about recommended remediation steps, see [Remediating a potentially malicious S3 object](compromised-s3object-malware-protection-gdu.md).

# Malware Protection for Backup finding types

GuardDuty Malware Protection for Backup provides a single finding for all threats detected during the scan of the requested resource. The finding includes the total number of detections made during the scan, and based on the severity, provides details for the top 32 threats that it detects. Unlike other GuardDuty findings, Malware Protection for Backup findings are not updated when the same resource is scanned again. A new Malware Protection for Backup finding is generated for each scan that detects malware.

The following findings are specific to GuardDuty Malware Protection for Backup.

**Topics**
+ [Execution:EC2/MaliciousFile\$1Snapshot](#execution-malware-ec2-maliciousfile-snapshot)
+ [Execution:EC2/MaliciousFile\$1AMI](#execution-malware-ec2-maliciousfile-ami)
+ [Execution:EC2/MaliciousFile\$1RecoveryPoint](#execution-malware-ec2-maliciousfile-recoverypoint)
+ [Execution:S3/MaliciousFile\$1RecoveryPoint](#execution-malware-s3-maliciousfile-recoverypoint)

## Execution:EC2/MaliciousFile\$1Snapshot

### A malicious file has been detected in an EBS snapshot.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** Malware Protection for Backup

This finding indicates that a GuardDuty Malware Protection for Backup scan has detected one or more malicious files in an EBS snapshot within your environment. For more information, view the **Threats detected** section in the finding details panel.

**Remediation recommendations:**

If this is unexpected, your snapshot may be compromised. For more information, see [Remediating a potentially compromised EBS Snapshot](compromised-snapshot.md).

## Execution:EC2/MaliciousFile\$1AMI

### A malicious file has been detected in an EC2 AMI.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** Malware Protection for Backup

This finding indicates that a GuardDuty Malware Protection for Backup scan has detected one or more malicious files in an AMI within your environment. For more information, view the **Threats detected** section in the finding details panel.

**Remediation recommendations:**

If this is unexpected, your AMI may be compromised. For more information, see [Remediating a potentially compromised EC2 AMI](compromised-ami.md).

## Execution:EC2/MaliciousFile\$1RecoveryPoint

### A malicious file has been detected in an AWS Backup EC2 Recovery Point.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** Malware Protection for Backup

This finding indicates that a GuardDuty Malware Protection for Backup scan has detected one or more malicious files in an EC2 recovery point within your environment. The impacted recovery point could be an EBS snapshot or an EC2 AMI. For more information, view the **Threats detected** section in the finding details panel.

**Remediation recommendations:**

If this is unexpected, your EC2 recovery point may be compromised. For more information, see [Remediating a potentially compromised EC2 Recovery Point](compromised-ec2-recoverypoint.md).

## Execution:S3/MaliciousFile\$1RecoveryPoint

### A malicious file has been detected in an AWS Backup S3 Recovery Point.

**Default severity: Varies depending on the detected threat.**
+ **Feature:** Malware Protection for Backup

This finding indicates that a GuardDuty Malware Protection for Backup scan has detected one or more malicious objects in an S3 recovery point within your environment. For more information, view the **Threats detected** section in the finding details panel.

**Remediation recommendations:**

If this is unexpected, your S3 recovery point may be compromised. For more information, see [Remediating a potentially compromised S3 Recovery Point](compromised-s3-recoverypoint.md).

# GuardDuty RDS Protection finding types

GuardDuty RDS Protection detects anomalous login behavior on your database instance. The following findings are specific to the [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) and will have a **Resource Type** of `RDSDBInstance` or `RDSLimitlessDB`. The severity and details of the findings will differ based on the finding type.

**Topics**
+ [CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin](#credaccess-rds-anombehavior-successlogin)
+ [CredentialAccess:RDS/AnomalousBehavior.FailedLogin](#credaccess-rds-anombehavior-failedlogin)
+ [CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce](#credaccess-rds-anombehavior-successfulbruteforce)
+ [CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin](#credaccess-rds-maliciousipcaller-successfullogin)
+ [CredentialAccess:RDS/MaliciousIPCaller.FailedLogin](#credaccess-rds-maliciousipcaller-failedlogin)
+ [Discovery:RDS/MaliciousIPCaller](#discovery-rds-maliciousipcaller)
+ [CredentialAccess:RDS/TorIPCaller.SuccessfulLogin](#credaccess-rds-toripcaller-successfullogin)
+ [CredentialAccess:RDS/TorIPCaller.FailedLogin](#credaccess-rds-toripcaller-failedlogin)
+ [Discovery:RDS/TorIPCaller](#discovery-rds-toripcaller)

## CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin

### A user successfully logged into an RDS database in your account in an anomalous way.

**Default severity: Variable**

**Note**  
Depending on the anomalous behavior associated with this finding, the default severity can be Low, Medium, or High.  
**Low** – If the user name associated with this finding logged in from an IP address that is associated with a private network.  
**Medium** – If the user name associated with this finding logged in from a public IP address.  
**High** – If there is a consistent pattern of failed login attempts from public IP addresses, indicative of overly permissive access policies.
+ **Feature:** RDS login activity monitoring

This finding informs you that an anomalous successful login was observed on an RDS database in your AWS environment. This may indicate that a previously unseen user logged into an RDS database for the first time. A common scenario is an internal user logging into a database that is normally accessed programmatically by applications rather than by individual users.

This successful login was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all database login events in your [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the RDS login activity such as the user that made the request, the location the request was made from, and the specific database connection details that were used. For information about the login events that are potentially unusual, see [RDS login activity-based anomalies](guardduty_findings-summary.md#rds-pro-login-anomaly).

**Remediation recommendations:**

If this activity is unexpected for the associated database, it is recommended to change the password of the associated database user, and review available audit logs for activity performed by the anomalous user. Medium and high severity findings may indicate that there is an overly permissive access policy to the database, and user credentials may have been exposed or compromised. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with successful login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-successful-attempt).

## CredentialAccess:RDS/AnomalousBehavior.FailedLogin

### One or more unusual failed login attempts were observed on an RDS database in your account.

**Default severity: Low**
+ **Feature:** RDS login activity monitoring

This finding informs you that one or more anomalous failed logins were observed on an RDS database in your AWS environment. Failed login attempts from public IP addresses may indicate that the RDS database in your account has been subject to an attempted brute force attack by a potentially malicious actor.

These failed logins were identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all database login events in your [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the RDS login activity such as the user that made the request, the location the request was made from, and the specific database connection details that were used. For information about the RDS login activity that is potentially unusual, see [RDS login activity-based anomalies](guardduty_findings-summary.md#rds-pro-login-anomaly).

**Remediation recommendations:**

If this activity is unexpected for the associated database, it may indicate that the database is publicly exposed or there is an overly permissive access policy to the database. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with failed login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-failed-attempt).

## CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce

### A user successfully logged into an RDS database in your account from a public IP address in an anomalous way after a consistent pattern of unusual failed login attempts.

**Default severity: High**
+ **Feature:** RDS login activity monitoring

This finding informs you that an anomalous login indicative of a successful brute force was observed on an RDS database in your AWS environment. Prior to an anomalous successful login, a consistent pattern of unusual failed login attempts was observed. This indicates that the user and password associated with the RDS database in your account may have been compromised, and the RDS database may have been accessed by a potentially malicious actor.

This successful brute force login was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all database login events in your [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the RDS login activity such as the user that made the request, the location the request was made from, and the specific database connection details that were used. For information about the RDS login activity that is potentially unusual, see [RDS login activity-based anomalies](guardduty_findings-summary.md#rds-pro-login-anomaly).

**Remediation recommendations:**

This activity indicates that database credentials may have been exposed or compromised. It is recommended to change the password of the associated database user, and review available audit logs for activity performed by the potentially compromised user. A consistent pattern of unusual failed login attempts indicates an overly permissive access policy to the database, or that the database may also have been publicly exposed. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with successful login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-successful-attempt).

## CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin

### A user successfully logged into an RDS database in your account from a known malicious IP address.

**Default severity: High**
+ **Feature:** RDS login activity monitoring

This finding informs you that a successful RDS login occurred in your AWS environment from an IP address that is associated with known malicious activity. This indicates that the user and password associated with the RDS database in your account may have been compromised, and the RDS database may have been accessed by a potentially malicious actor.

**Remediation recommendations:**

If this activity is unexpected for the associated database, it may indicate that the user credentials may have been exposed or compromised. It is recommended to change the password of the associated database user, and review the available audit logs for activity performed by the compromised user. This activity may also indicate that there is an overly permissive access policy to the database or the database is publicly exposed. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with successful login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-successful-attempt).

## CredentialAccess:RDS/MaliciousIPCaller.FailedLogin

### An IP address that is associated with a known malicious activity unsuccessfully attempted to log in to an RDS database in your account.

**Default severity: Medium**
+ **Feature:** RDS login activity monitoring

This finding informs you that an IP address associated with known malicious activity attempted to log in to an RDS database in your AWS environment, but failed to provide the correct user name or password. This indicates that a potentially malicious actor may be attempting to compromise the RDS database in your account.

**Remediation recommendations:**

If this activity is unexpected for the associated database, it may indicate that there is an overly permissive access policy to the database or the database is publicly exposed. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with failed login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-failed-attempt).

## Discovery:RDS/MaliciousIPCaller

### An IP address that is associated with a known malicious activity probed an RDS database in your account; no authentication attempt was made.

**Default severity: Medium**
+ **Feature:** RDS login activity monitoring

This finding informs you that an IP address associated with known malicious activity probed an RDS database in your AWS environment, though no login attempt was made. This may indicate that a potentially malicious actor is attempting to scan for publicly accessible infrastructure.

**Remediation recommendations:**

If this activity is unexpected for the associated database, it may indicate that there is an overly permissive access policy to the database or the database is publicly exposed. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with failed login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-failed-attempt).

## CredentialAccess:RDS/TorIPCaller.SuccessfulLogin

### A user successfully logged into an RDS database in your account from a Tor exit node IP address.

**Default severity: High**
+ **Feature:** RDS login activity monitoring

This finding informs you that a user successfully logged in to an RDS database in your AWS environment from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to the RDS resources in your account, with the intent of hiding the anonymous user's true identity.

**Remediation recommendations:**

If this activity is unexpected for the associated database, it may indicate that the user credentials may have been exposed or compromised. It is recommended to change the password of the associated database user, and review the available audit logs for activity performed by the compromised user. This activity may also indicate that there is an overly permissive access policy to the database or the database is publicly exposed. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with successful login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-successful-attempt).

## CredentialAccess:RDS/TorIPCaller.FailedLogin

### A Tor exit node IP address unsuccessfully attempted to log in to an RDS database in your account.

**Default severity: Medium**
+ **Feature:** RDS login activity monitoring

This finding informs you that a Tor exit node IP address attempted to log in to an RDS database in your AWS environment, but failed to provide the correct user name or password. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate an attempt at unauthorized access to the RDS resources in your account, with the intent of hiding the anonymous user's true identity.

**Remediation recommendations:**

If this activity is unexpected for the associated database, it may indicate that there is an overly permissive access policy to the database or the database is publicly exposed. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with failed login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-failed-attempt).

## Discovery:RDS/TorIPCaller

### A Tor exit node IP address probed an RDS database in your account; no authentication attempt was made.

**Default severity: Medium**
+ **Feature:** RDS login activity monitoring

This finding informs you that a Tor exit node IP address probed an RDS database in your AWS environment, though no login attempt was made. This may indicate that a potentially malicious actor is attempting to scan for publicly accessible infrastructure. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate reconnaissance against the RDS resources in your account, with the intent of hiding the potentially malicious actor's true identity.

**Remediation recommendations:**

If this activity is unexpected for the associated database, it may indicate that there is an overly permissive access policy to the database or the database is publicly exposed. It is recommended to place the database in a private VPC, and limit the security group rules to allow traffic only from the necessary sources. For more information, see [Remediating potentially compromised database with failed login events](guardduty-remediate-compromised-database-rds.md#gd-compromised-db-failed-attempt).
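Two checks that follow from the RDS findings above, as an added example that is not GuardDuty's or AWS's own code: an illustrative private/public source classification in the spirit of the severity note on `CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin`, and an audit of a database's security group ingress for the public exposure that every RDS remediation section says to remove. The sample security group, DB instance and login events are constructed (in the shape of `describe_security_groups` and `describe_db_instances` output); the consecutive-failure threshold is an assumption of this example, not the value GuardDuty's model uses.

```python
import ipaddress
from typing import Any

# RFC 1918 ranges are listed explicitly: ipaddress's is_private also
# flags documentation ranges such as 198.51.100.0/24, which would make
# the constructed sample addresses below look "private".
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_V6 = ipaddress.ip_network("fc00::/7")

# Constructed sample data (placeholder identifiers, not real resources).
SAMPLE_SG: dict[str, Any] = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}
SAMPLE_DB: dict[str, Any] = {
    "DBInstanceIdentifier": "orders-db",
    "PubliclyAccessible": True,
    "Endpoint": {"Address": "orders-db.example.invalid", "Port": 3306},
}
# (remote IP, success?) in time order: five public failures, then a success.
SAMPLE_LOGINS = [("198.51.100.7", False)] * 5 + [("198.51.100.7", True)]


def is_private_source(ip: str) -> bool:
    """True when the login came from RFC 1918 space (the note's 'private network')."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def login_severity(events: list[tuple[str, bool]], failure_threshold: int = 5) -> str:
    """Illustrative severity for the final, successful login in `events`:
    Low from a private source, High when it directly followed at least
    `failure_threshold` public-source failures, otherwise Medium."""
    if not events or not events[-1][1]:
        raise ValueError("last event must be a successful login")
    if is_private_source(events[-1][0]):
        return "Low"
    failures = 0
    for src, ok in reversed(events[:-1]):
        if ok or is_private_source(src):
            break
        failures += 1
    return "High" if failures >= failure_threshold else "Medium"


def public_ingress_on_port(sg: dict[str, Any], port: int) -> list[str]:
    """Return the CIDRs in `sg` that admit `port` from outside private space."""
    offenders: list[str] = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # all traffic, all ports
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue                           # udp/icmp carry no DB logins
        if not lo <= port <= hi:
            continue
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"], strict=False)
            if not any(net.subnet_of(p) for p in RFC1918):
                offenders.append(r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            net6 = ipaddress.ip_network(r["CidrIpv6"], strict=False)
            if not net6.subnet_of(ULA_V6):
                offenders.append(r["CidrIpv6"])
    return offenders


def exposure_findings(db: dict[str, Any], groups: list[dict[str, Any]]) -> list[str]:
    """Combine the instance's PubliclyAccessible flag with its groups' rules."""
    port = db["Endpoint"]["Port"]
    issues = []
    if db.get("PubliclyAccessible"):
        issues.append("PubliclyAccessible is true")
    for sg in groups:
        for cidr in public_ingress_on_port(sg, port):
            issues.append(f"{sg['GroupId']} allows {cidr} on port {port}")
    return issues


if __name__ == "__main__":
    print("severity:", login_severity(SAMPLE_LOGINS))
    for issue in exposure_findings(SAMPLE_DB, [SAMPLE_SG]):
        print("exposure:", issue)
```

With live data, feed the result of `describe_db_instances` and the instance's `VpcSecurityGroups` resolved through `describe_security_groups` into `exposure_findings`.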

# Lambda Protection finding types

This section describes the finding types that are specific to your AWS Lambda resources and have the `resourceType` listed as `Lambda`. For all Lambda findings, we recommend that you examine the resource in question and determine if it is behaving in an expected manner. If the activity is authorized, you can use [Suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html) or [Trusted IP and threat lists](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) to prevent false positive notifications for that resource.

If the activity is unexpected, the security best practice is to assume that Lambda has been potentially compromised and follow the remediation recommendations.

**Topics**
+ [Backdoor:Lambda/C&CActivity.B](#backdoor-lambda-ccactivity-b)
+ [CryptoCurrency:Lambda/BitcoinTool.B](#cryptocurrency-lambda-bitcointool-b)
+ [Trojan:Lambda/BlackholeTraffic](#trojan-lambda-blackhole-traffic)
+ [Trojan:Lambda/DropPoint](#trojan-lambda-drop-point)
+ [UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom](#unauthorized-access-lambda-maliciousIPcaller-custom)
+ [UnauthorizedAccess:Lambda/TorClient](#unauthorized-access-lambda-tor-client)
+ [UnauthorizedAccess:Lambda/TorRelay](#unauthorized-access-lambda-tor-relay)

## Backdoor:Lambda/C&CActivity.B

### A Lambda function is querying an IP address that is associated with a known command and control server.

**Default severity: High**
+ **Feature:** Lambda Network Activity Monitoring

This finding informs you that a listed Lambda function within your AWS environment is querying an IP address that is associated with a known command and control (C&C) server. The Lambda function associated to the generated finding is potentially compromised. C&C servers are computers that issue commands to members of a botnet. 

A botnet is a collection of internet-connected devices, which might include PCs, servers, mobile devices, and Internet of Things devices, that is infected and controlled by a common type of malware. Botnets are often used to distribute malware and gather misappropriated information, such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to begin a distributed denial of service.

**Remediation recommendations:**

If this activity is unexpected, your Lambda function may be compromised. For more information, see [Remediating a potentially compromised Lambda function](remediate-lambda-protection-finding-types.md).

## CryptoCurrency:Lambda/BitcoinTool.B


### A Lambda function is querying an IP address that is associated with a cryptocurrency-related activity.


**Default severity: High**
+ **Feature: **Lambda Network Activity Monitoring

This finding informs you that the listed Lambda function in your AWS environment is querying an IP address that is associated with a Bitcoin or other cryptocurrency-related activity. Threat actors may seek to take control over Lambda functions in order to maliciously repurpose them for unauthorized cryptocurrency mining. 

**Remediation recommendations:**

If you use this Lambda function to mine or manage cryptocurrency, or this function is otherwise involved in a blockchain activity, it is potentially an expected activity for your environment. If this is the case in your AWS environment, we recommend that you set up a suppression rule for this finding. The suppression rule should consist of two filter criteria. The first criterion should use the finding type attribute with a value of CryptoCurrency:Lambda/BitcoinTool.B. The second filter criterion should be the Lambda function name of the function involved in blockchain activity. For information about creating suppression rules, see [Suppression rules](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html). 
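The two-criteria rule described above, as an added example that is not part of the GuardDuty documentation: it builds the `FindingCriteria` structure that boto3's `guardduty.create_filter()` takes (with `Action='ARCHIVE'`, which is what makes a filter a suppression rule) and then evaluates that same criteria locally against constructed sample findings, so you can confirm the rule archives only the intended function before deploying it. The attribute names `type` and `resource.lambdaDetails.functionName` are the GuardDuty filter attributes; the findings, function names and filter name are invented.

```python
"""Scope check for a CryptoCurrency:Lambda/BitcoinTool.B suppression rule (added example)."""
from typing import Any

FINDING_TYPE = "CryptoCurrency:Lambda/BitcoinTool.B"


def build_suppression_filter(function_name: str) -> dict[str, Any]:
    """Return the keyword arguments for guardduty.create_filter(), minus DetectorId.

    Both criteria must match: the finding type AND the exact name of the one
    function that legitimately talks to blockchain endpoints. Dropping either
    criterion would archive findings for unrelated functions or finding types.
    """
    return {
        "Name": f"suppress-bitcointool-{function_name}",  # hypothetical name
        "Description": f"{function_name} performs authorized blockchain activity",
        "Action": "ARCHIVE",
        "Rank": 1,
        "FindingCriteria": {
            "Criterion": {
                "type": {"Equals": [FINDING_TYPE]},
                "resource.lambdaDetails.functionName": {"Equals": [function_name]},
            }
        },
    }


def _lookup(finding: dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted filter attribute (e.g. resource.lambdaDetails.functionName)."""
    node: Any = finding
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def finding_matches(filter_kwargs: dict[str, Any], finding: dict[str, Any]) -> bool:
    """True when every Equals / NotEquals criterion in the filter holds for the finding."""
    for attr, cond in filter_kwargs["FindingCriteria"]["Criterion"].items():
        value = _lookup(finding, attr)
        if "Equals" in cond and value not in cond["Equals"]:
            return False
        if "NotEquals" in cond and value in cond["NotEquals"]:
            return False
    return True


def suppressed_ids(filter_kwargs: dict[str, Any], findings: list[dict[str, Any]]) -> list[str]:
    """IDs of the findings the rule would archive."""
    return [f["id"] for f in findings if finding_matches(filter_kwargs, f)]


# Constructed sample findings: the shape follows the GuardDuty finding JSON, the values are invented.
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": FINDING_TYPE,
     "resource": {"resourceType": "Lambda", "lambdaDetails": {"functionName": "chain-indexer"}}},
    {"id": "f-2", "type": FINDING_TYPE,  # same type, different function: must NOT be suppressed
     "resource": {"resourceType": "Lambda", "lambdaDetails": {"functionName": "image-resizer"}}},
    {"id": "f-3", "type": "Backdoor:Lambda/C&CActivity.B",  # same function, different type: keep
     "resource": {"resourceType": "Lambda", "lambdaDetails": {"functionName": "chain-indexer"}}},
]

if __name__ == "__main__":
    rule = build_suppression_filter("chain-indexer")
    print(suppressed_ids(rule, SAMPLE_FINDINGS))
    # Deploy with: boto3.client("guardduty").create_filter(DetectorId=detector_id, **rule)
```

Only `f-1` is archived: a C&C finding on the same function still surfaces, which is the point of keying the rule on both attributes rather than on the function name alone.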

If this activity is unexpected, your Lambda function is potentially compromised. For more information, see [Remediating a potentially compromised Lambda function](remediate-lambda-protection-finding-types.md).

## Trojan:Lambda/BlackholeTraffic


### A Lambda function is attempting to communicate with an IP address of a remote host that is a known black hole.


**Default severity: Medium**
+ **Feature: **Lambda Network Activity Monitoring

This finding informs you that a listed Lambda function within your AWS environment is trying to communicate with an IP address of a black hole (or a sink hole). Black holes are places in the network where incoming or outgoing traffic is silently discarded without informing the source that the data didn't reach its intended recipient. A black hole IP address specifies a host machine that is not running or an address to which no host has been assigned. The listed Lambda function is potentially compromised.

**Remediation recommendations:**

If this activity is unexpected, your Lambda function may be compromised. For more information, see [Remediating a potentially compromised Lambda function](remediate-lambda-protection-finding-types.md).

## Trojan:Lambda/DropPoint


### A Lambda function is attempting to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.


**Default severity: Medium**
+ **Feature: **Lambda Network Activity Monitoring

This finding informs you that a listed Lambda function within your AWS environment is trying to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.

**Remediation recommendations:**

If this activity is unexpected, your Lambda function may be compromised. For more information, see [Remediating a potentially compromised Lambda function](remediate-lambda-protection-finding-types.md).

## UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom


### A Lambda function is making connections to an IP address on a custom threat list.


**Default severity: Medium**
+ **Feature: **Lambda Network Activity Monitoring

This finding informs you that a Lambda function in your AWS environment is communicating with an IP address included on a threat list that you uploaded. In GuardDuty, a [threat list](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) consists of known malicious IP addresses. GuardDuty generates findings based on the uploaded threat lists. You can view the details of the threat list in the finding details on the GuardDuty console.

**Remediation recommendations:**

If this activity is unexpected, your Lambda function may be compromised. For more information, see [Remediating a potentially compromised Lambda function](remediate-lambda-protection-finding-types.md).

## UnauthorizedAccess:Lambda/TorClient


### A Lambda function is making connections to a Tor Guard or an Authority node.


**Default severity: High**
+ **Feature: **Lambda Network Activity Monitoring

This finding informs you that a Lambda function in your AWS environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guard and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this Lambda function has been potentially compromised and is now acting as a client on a Tor network.

**Remediation recommendations:**

If this activity is unexpected, your Lambda function may be compromised. For more information, see [Remediating a potentially compromised Lambda function](remediate-lambda-protection-finding-types.md).

## UnauthorizedAccess:Lambda/TorRelay


### A Lambda function is making connections to a Tor network as a Tor relay.


**Default severity: High**
+ **Feature: **Lambda Network Activity Monitoring

This finding informs you that a Lambda function in your AWS environment is making connections to a Tor network in a manner that suggests that it's acting as a Tor relay. Tor is software for enabling anonymous communication. Tor enables anonymous communication by forwarding the client's potentially illicit traffic from one Tor relay to another. 

**Remediation recommendations:**

If this activity is unexpected, your Lambda function may be compromised. For more information, see [Remediating a potentially compromised Lambda function](remediate-lambda-protection-finding-types.md).

# Retired finding types


A finding is a notification that contains details about a potential security issue that GuardDuty discovers. For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see [Document history for Amazon GuardDuty](doc-history.md).

The following finding types are retired and no longer generated by GuardDuty. 

**Important**  
You can't reactivate retired GuardDuty finding types. 



**Topics**
+ [Exfiltration:S3/ObjectRead.Unusual](#exfiltration-s3-objectreadunusual)
+ [Impact:S3/PermissionsModification.Unusual](#impact-s3-permissionsmodificationunusual)
+ [Impact:S3/ObjectDelete.Unusual](#impact-s3-objectdeleteunusual)
+ [Discovery:S3/BucketEnumeration.Unusual](#discovery-s3-bucketenumerationunusual)
+ [Persistence:IAMUser/NetworkPermissions](#persistence-iam-networkpermissions)
+ [Persistence:IAMUser/ResourcePermissions](#persistence-iam-resourcepermissions)
+ [Persistence:IAMUser/UserPermissions](#persistence-iam-userpermissions)
+ [PrivilegeEscalation:IAMUser/AdministrativePermissions](#privilegeescalation-iam-administrativepermissions)
+ [Recon:IAMUser/NetworkPermissions](#recon-iam-networkpermissions)
+ [Recon:IAMUser/ResourcePermissions](#recon-iam-resourcepermissions)
+ [Recon:IAMUser/UserPermissions](#recon-iam-userpermissions)
+ [ResourceConsumption:IAMUser/ComputeResources](#resourceconsumption-iam-computeresources)
+ [Stealth:IAMUser/LoggingConfigurationModified](#stealth-iam-loggingconfigurationmodified)
+ [UnauthorizedAccess:IAMUser/ConsoleLogin](#unauthorizedaccess-iam-consolelogin)
+ [UnauthorizedAccess:EC2/TorIPCaller](#unauthorizedaccess-ec2-toripcaller)
+ [Backdoor:EC2/XORDDOS](#backdoor2)
+ [Behavior:IAMUser/InstanceLaunchUnusual](#behavior1)
+ [CryptoCurrency:EC2/BitcoinTool.A](#crypto1)
+ [UnauthorizedAccess:IAMUser/UnusualASNCaller](#unauthorized6)

## Exfiltration:S3/ObjectRead.Unusual


### An IAM entity invoked an S3 API in a suspicious way.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.
+ **Data source: **CloudTrail data events for S3

This finding informs you that an IAM entity in your AWS environment is making API calls that involve an S3 bucket and that differ from that entity's established baseline. The API call used in this activity is associated with the exfiltration stage of an attack, wherein an attacker is attempting to collect data. This activity is suspicious because the way the IAM entity invoked the API was unusual. For example, this IAM entity had no prior history of invoking this type of API, or the API was invoked from an unusual location.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Impact:S3/PermissionsModification.Unusual


### An IAM entity invoked an API to modify permissions on one or more S3 resources.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding informs you that an IAM entity is making API calls designed to modify the permissions on one or more buckets or objects in your AWS environment. This action may be performed by an attacker to allow information to be shared outside of the account. This activity is suspicious because the way the IAM entity invoked the API was unusual. For example, this IAM entity had no prior history of invoking this type of API, or the API was invoked from an unusual location.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Impact:S3/ObjectDelete.Unusual


### An IAM entity invoked an API used to delete data in an S3 bucket.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding informs you that a specific IAM entity in your AWS environment is making API calls designed to delete data in the listed S3 bucket by deleting the bucket itself. This activity is suspicious because the way the IAM entity invoked the API was unusual. For example, this IAM entity had no prior history of invoking this type of API, or the API was invoked from an unusual location.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Discovery:S3/BucketEnumeration.Unusual


### An IAM entity invoked an S3 API used to discover S3 buckets within your network.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding informs you that an IAM entity has invoked an S3 API to discover S3 buckets in your environment, such as `ListBuckets`. This type of activity is associated with the discovery stage of an attack wherein an attacker is gathering information to determine if your AWS environment is susceptible to a broader attack. This activity is suspicious because the way the IAM entity invoked the API was unusual. For example, this IAM entity had no prior history of invoking this type of API, or the API was invoked from an unusual location.

**Remediation recommendations:**

If this activity is unexpected for the associated principal, it may indicate that the credentials have been exposed or your S3 permissions are not restrictive enough. For more information, see [Remediating a potentially compromised S3 bucket](compromised-s3.md).

## Persistence:IAMUser/NetworkPermissions


### An IAM entity invoked an API commonly used to change the network access permissions for security groups, routes, and ACLs in your AWS account.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding indicates that a specific principal (AWS account root user, IAM role, or user) in your AWS environment is exhibiting behavior that is different from the established baseline. This principal has no prior history of invoking this API.

This finding is triggered when network configuration settings are changed under suspicious circumstances, such as when a principal invokes the `CreateSecurityGroup` API with no prior history of doing so. Attackers often attempt to change security groups to allow certain inbound traffic on various ports to improve their ability to access an EC2 instance.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Persistence:IAMUser/ResourcePermissions


### A principal invoked an API commonly used to change the security access policies of various resources in your AWS account.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding indicates that a specific principal (AWS account root user, IAM role, or user) in your AWS environment is exhibiting behavior that is different from the established baseline. This principal has no prior history of invoking this API. 

This finding is triggered when a change is detected to policies or permissions attached to AWS resources, such as when a principal in your AWS environment invokes the `PutBucketPolicy` API with no prior history of doing so. Some services, such as Amazon S3, support resource-attached permissions that grant one or more principals access to the resource. With stolen credentials, attackers can change the policies attached to a resource in order to gain access to that resource.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Persistence:IAMUser/UserPermissions


### A principal invoked an API commonly used to add, modify, or delete IAM users, groups or policies in your AWS account.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding indicates that a specific principal (AWS account root user, IAM role, or user) in your AWS environment is exhibiting behavior that is different from the established baseline. This principal has no prior history of invoking this API. 

This finding is triggered by suspicious changes to the user-related permissions in your AWS environment, such as when a principal in your AWS environment invokes the `AttachUserPolicy` API with no prior history of doing so. Attackers may use stolen credentials to create new users, add access policies to existing users, or create access keys to maximize their access to an account, even if their original access point is closed. For example, the owner of the account might notice that a particular IAM user or password was stolen and delete it from the account. However, they might not delete other users that were created by a fraudulently created admin principal, leaving their AWS account accessible to the attacker. 

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## PrivilegeEscalation:IAMUser/AdministrativePermissions


### A principal has attempted to assign a highly permissive policy to themselves.


**Default severity: Low\***

**Note**  
This finding's severity is Low if the attempt at privilege escalation was unsuccessful, and Medium if the attempt at privilege escalation was successful.

This finding indicates that a specific IAM entity in your AWS environment is exhibiting behavior that can be indicative of a privilege escalation attack. This finding is triggered when an IAM user or role attempts to assign a highly permissive policy to themselves. If the user or role in question is not meant to have administrative privileges, either the user's credentials may be compromised or the role's permissions may not be configured properly. 

Attackers will use stolen credentials to create new users, add access policies to existing users, or create access keys to maximize their access to an account even if their original access point is closed. For example, the owner of the account might notice that a particular IAM user's sign-in credential was stolen and deleted it from the account, but might not delete other users that were created by a fraudulently created admin principal, leaving their AWS account still accessible to the attacker. 

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Recon:IAMUser/NetworkPermissions


### A principal invoked an API commonly used to discover the network access permissions of existing security groups, ACLs, and routes in your AWS account.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding indicates that a specific principal (AWS account root user, IAM role, or user) in your AWS environment is exhibiting behavior that is different from the established baseline. This principal has no prior history of invoking this API. 

This finding is triggered when network access permissions in your AWS account are probed under suspicious circumstances. For example, if a principal invoked the `DescribeSecurityGroups` API with no prior history of doing so. An attacker might use stolen credentials to perform this type of reconnaissance of your AWS resources in order to find more valuable credentials or determine the capabilities of the credentials they already have.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Recon:IAMUser/ResourcePermissions


### A principal invoked an API commonly used to discover the permissions associated with various resources in your AWS account.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding indicates that a specific principal (AWS account root user, IAM role, or user) in your AWS environment is exhibiting behavior that is different from the established baseline. This principal has no prior history of invoking this API. 

This finding is triggered when resource access permissions in your AWS account are probed under suspicious circumstances. For example, if a principal invoked the `DescribeInstances` API with no prior history of doing so. An attacker might use stolen credentials to perform this type of reconnaissance of your AWS resources in order to find more valuable credentials or determine the capabilities of the credentials they already have.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Recon:IAMUser/UserPermissions


### A principal invoked an API commonly used to discover the users, groups, policies, and permissions in your AWS account.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding is triggered when user permissions in your AWS environment are probed under suspicious circumstances. For example, if a principal (AWS account root user, IAM role, or IAM user) invoked the `ListInstanceProfilesForRole` API with no prior history of doing so. An attacker might use stolen credentials to perform this type of reconnaissance of your AWS resources in order to find more valuable credentials or determine the capabilities of the credentials they already have.

This finding indicates that a specific principal in your AWS environment is exhibiting behavior that is different from the established baseline. This principal has no prior history of invoking this API in this way.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## ResourceConsumption:IAMUser/ComputeResources


### A principal invoked an API commonly used to launch Compute resources like EC2 Instances.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding is triggered when EC2 instances in the listed account within your AWS environment are launched under suspicious circumstances. This finding indicates that a specific principal in your AWS environment is exhibiting behavior that is different from the established baseline; for example, if a principal (AWS account root user, IAM role, or IAM user) invoked the `RunInstances` API with no prior history of doing so. This might be an indication of an attacker using stolen credentials to steal compute time (possibly for cryptocurrency mining or password cracking). It can also be an indication of an attacker using an EC2 instance in your AWS environment and its credentials to maintain access to your account.



**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## Stealth:IAMUser/LoggingConfigurationModified


### A principal invoked an API commonly used to stop CloudTrail Logging, delete existing logs, and otherwise eliminate traces of activity in your AWS account.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding is triggered when the logging configuration in the listed AWS account within your environment is modified under suspicious circumstances. This finding informs you that a specific principal in your AWS environment is exhibiting behavior that is different from the established baseline; for example, if a principal (AWS account root user, IAM role, or IAM user) invoked the `StopLogging` API with no prior history of doing so. This can be an indication of an attacker trying to cover their tracks by eliminating any trace of their activity.
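The Persistence, Recon, ResourceConsumption and Stealth IAMUser findings above all rest on the same detection idea: a principal calls a sensitive API it has no prior history of calling, and the severity is raised from Medium to High when the call was made with temporary credentials issued to an EC2 instance. The following is an added example that reproduces that logic over constructed CloudTrail records; it is not GuardDuty's implementation and not code from the documentation. Assumptions: the API-to-finding map only uses the example APIs the descriptions above cite, and instance-role credentials are recognised by the `ec2RoleDelivery` key that CloudTrail places in `userIdentity.sessionContext` for credentials obtained from the instance metadata service. The principals, ARNs and timestamps are invented.

```python
"""First-seen baseline over CloudTrail records with instance-credential escalation (added example)."""
from typing import Any

Event = dict[str, Any]

# API -> retired finding it corresponds to, using only the example APIs cited in the text.
WATCHED_APIS = {
    "CreateSecurityGroup": "Persistence:IAMUser/NetworkPermissions",
    "PutBucketPolicy": "Persistence:IAMUser/ResourcePermissions",
    "AttachUserPolicy": "Persistence:IAMUser/UserPermissions",
    "DescribeInstances": "Recon:IAMUser/ResourcePermissions",
    "ListInstanceProfilesForRole": "Recon:IAMUser/UserPermissions",
    "RunInstances": "ResourceConsumption:IAMUser/ComputeResources",
    "StopLogging": "Stealth:IAMUser/LoggingConfigurationModified",
}


def principal_of(event: Event) -> str:
    """Baseline key: the IAM user ARN, or for assumed-role sessions the role ARN itself.

    Session ARNs embed the session name (for instances, the instance ID), so keying on
    them would make every freshly launched instance look like a brand-new principal.
    """
    ident = event["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident["arn"]


def uses_instance_credentials(event: Event) -> bool:
    """Assumption: CloudTrail sets sessionContext.ec2RoleDelivery for instance-profile credentials."""
    return "ec2RoleDelivery" in event["userIdentity"].get("sessionContext", {})


def build_baseline(history: list[Event]) -> dict[str, set[str]]:
    """Learn which APIs each principal has already called during an observation window."""
    baseline: dict[str, set[str]] = {}
    for ev in history:
        baseline.setdefault(principal_of(ev), set()).add(ev["eventName"])
    return baseline


def detect(baseline: dict[str, set[str]], events: list[Event]) -> list[dict[str, Any]]:
    """Alert on the first call of a watched API by a principal; the baseline is updated in place."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        principal, api = principal_of(ev), ev["eventName"]
        seen = baseline.setdefault(principal, set())
        first_seen = api not in seen
        seen.add(api)
        if first_seen and api in WATCHED_APIS:
            alerts.append({
                "time": ev["eventTime"],
                "principal": principal,
                "api": api,
                "finding": WATCHED_APIS[api],
                # Medium by default, High when the caller holds credentials minted on an instance.
                "severity": "High" if uses_instance_credentials(ev) else "Medium",
                "succeeded": "errorCode" not in ev,
            })
    return alerts


# Constructed sample records: CloudTrail field names, invented values.
ALICE = "arn:aws:iam::123456789012:user/alice"
DEPLOY_ROLE = "arn:aws:iam::123456789012:role/deploy-role"


def _user_call(time: str, api: str) -> Event:
    return {"eventTime": time, "eventName": api,
            "userIdentity": {"type": "IAMUser", "arn": ALICE}}


def _instance_call(time: str, api: str) -> Event:
    return {"eventTime": time, "eventName": api,
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/i-0abc123def456789",
                             "sessionContext": {"sessionIssuer": {"type": "Role", "arn": DEPLOY_ROLE},
                                                "ec2RoleDelivery": "2.0"}}}


HISTORY = [
    _user_call("2024-05-01T09:00:00Z", "DescribeInstances"),
    _instance_call("2024-05-01T09:05:00Z", "RunInstances"),
]
NEW_EVENTS = [
    _user_call("2024-05-02T10:00:00Z", "DescribeInstances"),     # already in baseline: quiet
    _user_call("2024-05-02T10:01:00Z", "StopLogging"),           # first seen, IAM user: Medium
    _instance_call("2024-05-02T10:02:00Z", "RunInstances"),      # already in baseline: quiet
    _instance_call("2024-05-02T10:03:00Z", "AttachUserPolicy"),  # first seen, instance creds: High
    _user_call("2024-05-02T10:04:00Z", "GetCallerIdentity"),     # first seen but not watched
]

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), NEW_EVENTS):
        print(alert)
```

Two alerts come out: `StopLogging` by the user at Medium, and `AttachUserPolicy` by the deploy role at High because the session carried instance credentials. Running `detect` a second time with the same baseline object returns nothing, which is the behaviour to expect from a first-seen detector: it learns, so a suppressed first occurrence is the only chance to catch that pairing, and the baseline window must be long enough to have captured legitimate usage.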

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## UnauthorizedAccess:IAMUser/ConsoleLogin


### An unusual console login by a principal in your AWS account was observed.


**Default severity: Medium\***

**Note**  
This finding's default severity is Medium. However, if the API is invoked using temporary AWS credentials that are created on an instance, the finding's severity is High.

This finding is triggered when a console login is detected under suspicious circumstances. For example, a principal with no prior history of doing so generated a `ConsoleLogin` event from a never-before-used client or an unusual location. This could be an indication of stolen credentials being used to gain access to your AWS account, or a valid user accessing the account in an invalid or less secure manner (for example, not over an approved VPN).

This finding informs you that a specific principal in your AWS environment is exhibiting behavior that is different from the established baseline. This principal has no prior history of login activity using this client application from this specific location.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## UnauthorizedAccess:EC2/TorIPCaller


### Your EC2 instance is receiving inbound connections from a Tor exit node.


**Default severity: Medium**

This finding informs you that an EC2 instance in your AWS environment is receiving inbound connections from a Tor exit node. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This finding can indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Backdoor:EC2/XORDDOS


### An EC2 instance is attempting to communicate with an IP address that is associated with XOR DDoS malware.


**Default severity: High**

This finding informs you that an EC2 instance in your AWS environment is attempting to communicate with an IP address that is associated with XOR DDoS malware. This EC2 instance might be compromised. XOR DDoS is Trojan malware that hijacks Linux systems. To gain access to the system, it launches a brute force attack in order to discover the password to Secure Shell (SSH) services on Linux. After SSH credentials are acquired and the login is successful, it uses root user privileges to run a script that downloads and installs XOR DDoS. This malware is then used as part of a botnet to launch distributed denial of service (DDoS) attacks against other targets.

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## Behavior:IAMUser/InstanceLaunchUnusual


### A user launched an EC2 instance of an unusual type.


**Default severity: High**

This finding informs you that a specific user in your AWS environment is exhibiting behavior that is different from the established baseline. This user has no prior history of launching an EC2 instance of this type. Your sign-in credentials might be compromised.

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## CryptoCurrency:EC2/BitcoinTool.A


### EC2 instance is communicating with Bitcoin mining pools.


**Default severity: High**

This finding informs you that an EC2 instance in your AWS environment is communicating with Bitcoin mining pools. In the field of cryptocurrency mining, a mining pool is the pooling of resources by miners who share their processing power over a network to split the reward according to the amount of work they contributed to solving a block. Unless you use this EC2 instance for Bitcoin mining, your EC2 instance might be compromised. 

**Remediation recommendations:**

If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](compromised-ec2.md).

## UnauthorizedAccess:IAMUser/UnusualASNCaller


### An API was invoked from an IP address of an unusual network.


**Default severity: High**

This finding informs you that certain activity was invoked from an IP address of an unusual network. This network was never observed throughout the AWS usage history of the described user. This activity can include a console login, an attempt to launch an EC2 instance, create a new IAM user, modify your AWS privileges, etc. This can indicate unauthorized access to your AWS resources. 

**Remediation recommendations:**

If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](compromised-creds.md).

## GuardDuty finding types by potentially impacted resources


The following pages are categorized by the potentially impacted resource type associated to a GuardDuty finding:
+ [EC2 finding types](guardduty_finding-types-ec2.md)
+ [IAM finding types](guardduty_finding-types-iam.md)
+ [Attack sequence finding types](guardduty-attack-sequence-finding-types.md)
+ [S3 Protection finding types](guardduty_finding-types-s3.md)
+ [EKS Protection finding types](guardduty-finding-types-eks-audit-logs.md)
+ [Runtime Monitoring finding types](findings-runtime-monitoring.md)
+ [Malware Protection for EC2 finding types](findings-malware-protection.md)
+ [Malware Protection for S3 finding type](gdu-malware-protection-s3-finding-types.md)
+ [Malware Protection for Backup finding types](findings-malware-protection-backup.md)
+ [RDS Protection finding types](findings-rds-protection.md)
+ [Lambda Protection finding types](lambda-protection-finding-types.md)

## GuardDuty active finding types


The following table shows all of the active finding types sorted by the foundational data source or feature, as applicable. In the following table, some of the findings have their *Finding severity* column values marked with an asterisk (\*) or a plus sign (\+):

\*These finding types have variable severity. A finding of a particular type may have a different severity depending on the context specific to the finding. For more information about a finding type, view its detailed description.

\+EC2 findings that use VPC flow logs as a data source do not support IPv6 traffic.


| Finding type | Resource type | Foundational data source/Feature | Finding severity | 
| --- | --- | --- | --- | 
| [Discovery:S3/AnomalousBehavior](guardduty_finding-types-s3.md#discovery-s3-anomalousbehavior) | Amazon S3 | CloudTrail data events for S3 | Low | 
| [Discovery:S3/MaliciousIPCaller](guardduty_finding-types-s3.md#discovery-s3-maliciousipcaller) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Discovery:S3/MaliciousIPCaller.Custom](guardduty_finding-types-s3.md#discovery-s3-maliciousipcallercustom) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Discovery:S3/TorIPCaller](guardduty_finding-types-s3.md#discovery-s3-toripcaller) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [Exfiltration:S3/AnomalousBehavior](guardduty_finding-types-s3.md#exfiltration-s3-anomalousbehavior) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Exfiltration:S3/MaliciousIPCaller](guardduty_finding-types-s3.md#exfiltration-s3-maliciousipcaller) | Amazon S3 | CloudTrail data events for S3 | High | 
|  [Impact:EC2/MaliciousDomainRequest.Custom](guardduty_finding-types-ec2.md#impact-ec2-maliciousdomainrequest-custom)  |  Amazon EC2  | DNS logs |  Medium  | 
| [Impact:S3/AnomalousBehavior.Delete](guardduty_finding-types-s3.md#impact-s3-anomalousbehavior-delete) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Impact:S3/AnomalousBehavior.Permission](guardduty_finding-types-s3.md#impact-s3-anomalousbehavior-permission) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Impact:S3/AnomalousBehavior.Write](guardduty_finding-types-s3.md#impact-s3-anomalousbehavior-write) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [Impact:S3/MaliciousIPCaller](guardduty_finding-types-s3.md#impact-s3-maliciousipcaller) | Amazon S3 | CloudTrail data events for S3 | High | 
| [PenTest:S3/KaliLinux](guardduty_finding-types-s3.md#pentest-s3-kalilinux) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [PenTest:S3/ParrotLinux](guardduty_finding-types-s3.md#pentest-s3-parrotlinux) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [PenTest:S3/PentooLinux](guardduty_finding-types-s3.md#pentest-s3-pentoolinux) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [UnauthorizedAccess:S3/TorIPCaller](guardduty_finding-types-s3.md#unauthorizedaccess-s3-toripcaller) | Amazon S3 | CloudTrail data events for S3 | High | 
| [UnauthorizedAccess:S3/MaliciousIPCaller.Custom](guardduty_finding-types-s3.md#unauthorizedaccess-s3-maliciousipcallercustom) | Amazon S3 | CloudTrail data events for S3 | High | 
| [CredentialAccess:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#credentialaccess-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [CredentialAccess:IAMUser/CompromisedCredentials](guardduty_finding-types-iam.md#credentialaccess-iam-compromisedcredentials) | IAM | CloudTrail management events or CloudTrail data events for S3 | High | 
| [DefenseEvasion:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#defenseevasion-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [DefenseEvasion:IAMUser/BedrockLoggingDisabled](guardduty_finding-types-iam.md#defenseevasion-iam-bedrockloggingdisabled) | IAM | CloudTrail management events | Medium | 
| [Discovery:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#discovery-iam-anomalousbehavior) | IAM | CloudTrail management events | Low | 
| [Exfiltration:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#exfiltration-iam-anomalousbehavior) | IAM | CloudTrail management events | High | 
| [Impact:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#impact-iam-anomalousbehavior) | IAM | CloudTrail management events | High | 
| [InitialAccess:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#initialaccess-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [PenTest:IAMUser/KaliLinux](guardduty_finding-types-iam.md#pentest-iam-kalilinux) | IAM | CloudTrail management events | Medium | 
| [PenTest:IAMUser/ParrotLinux](guardduty_finding-types-iam.md#pentest-iam-parrotlinux) | IAM | CloudTrail management events | Medium | 
| [PenTest:IAMUser/PentooLinux](guardduty_finding-types-iam.md#pentest-iam-pentoolinux) | IAM | CloudTrail management events | Medium | 
| [Persistence:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#persistence-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [Stealth:IAMUser/PasswordPolicyChange](guardduty_finding-types-iam.md#stealth-iam-passwordpolicychange) | IAM | CloudTrail management events | Low[*](#gdu-active-findings-variable-severity) | 
| [UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS](guardduty_finding-types-iam.md#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) | IAM | CloudTrail management events | High[*](#gdu-active-findings-variable-severity) | 
| [Policy:S3/AccountBlockPublicAccessDisabled](guardduty_finding-types-s3.md#policy-s3-accountblockpublicaccessdisabled) | Amazon S3 | CloudTrail management events | Low | 
| [Policy:S3/BucketAnonymousAccessGranted](guardduty_finding-types-s3.md#policy-s3-bucketanonymousaccessgranted) | Amazon S3 | CloudTrail management events | High | 
| [Policy:S3/BucketBlockPublicAccessDisabled](guardduty_finding-types-s3.md#policy-s3-bucketblockpublicaccessdisabled) | Amazon S3 | CloudTrail management events | Low | 
| [Policy:S3/BucketPublicAccessGranted](guardduty_finding-types-s3.md#policy-s3-bucketpublicaccessgranted) | Amazon S3 | CloudTrail management events | High | 
| [PrivilegeEscalation:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#privilegeescalation-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [Recon:IAMUser/MaliciousIPCaller](guardduty_finding-types-iam.md#recon-iam-maliciousipcaller) | IAM | CloudTrail management events | Medium | 
| [Recon:IAMUser/MaliciousIPCaller.Custom](guardduty_finding-types-iam.md#recon-iam-maliciousipcallercustom) | IAM | CloudTrail management events | Medium | 
| [Recon:IAMUser/TorIPCaller](guardduty_finding-types-iam.md#recon-iam-toripcaller) | IAM | CloudTrail management events | Medium | 
| [Stealth:IAMUser/CloudTrailLoggingDisabled](guardduty_finding-types-iam.md#stealth-iam-cloudtrailloggingdisabled) | IAM | CloudTrail management events | Low | 
| [Stealth:S3/ServerAccessLoggingDisabled](guardduty_finding-types-s3.md#stealth-s3-serveraccessloggingdisabled) | Amazon S3 | CloudTrail management events | Low | 
| [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B](guardduty_finding-types-iam.md#unauthorizedaccess-iam-consoleloginsuccessb) | IAM | CloudTrail management events | Medium | 
| [UnauthorizedAccess:IAMUser/MaliciousIPCaller](guardduty_finding-types-iam.md#unauthorizedaccess-iam-maliciousipcaller) | IAM | CloudTrail management events | Medium | 
| [UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom](guardduty_finding-types-iam.md#unauthorizedaccess-iam-maliciousipcallercustom) | IAM | CloudTrail management events | Medium | 
| [UnauthorizedAccess:IAMUser/TorIPCaller](guardduty_finding-types-iam.md#unauthorizedaccess-iam-toripcaller) | IAM | CloudTrail management events | Medium | 
| [Policy:IAMUser/RootCredentialUsage](guardduty_finding-types-iam.md#policy-iam-rootcredentialusage) | IAM | CloudTrail management events or CloudTrail data events for S3 | Low | 
| [Policy:IAMUser/ShortTermRootCredentialUsage](guardduty_finding-types-iam.md#policy-iam-user-short-term-root-credential-usage) | IAM | CloudTrail management events or CloudTrail data events for S3 | Low | 
| [UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS](guardduty_finding-types-iam.md#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) | IAM | CloudTrail management events or CloudTrail data events for S3 | High | 
| [UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS](guardduty_finding-types-iam.md#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws) | IAM | CloudTrail management events or CloudTrail data events for S3 | High | 
|  [AttackSequence:EKS/CompromisedCluster](guardduty-attack-sequence-finding-types.md#attack-sequence-eks-compromised-cluster)  |  Resources involved in attack sequence  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)  |  Critical  | 
|  [AttackSequence:IAM/CompromisedCredentials](guardduty-attack-sequence-finding-types.md#attack-sequence-iam-compromised-credentials)  |  Resources involved in attack sequence  |  CloudTrail management events  |  Critical  | 
|  [AttackSequence:S3/CompromisedData](guardduty-attack-sequence-finding-types.md#attack-sequence-s3-compromised-data)  |  Resources involved in attack sequence  |  CloudTrail management events and CloudTrail data events for S3  |  Critical  | 
|  [AttackSequence:ECS/CompromisedCluster](guardduty-attack-sequence-finding-types.md#attack-sequence-ecs-compromised-cluster)  |  Resources involved in attack sequence  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)  |  Critical  | 
|  [AttackSequence:EC2/CompromisedInstanceGroup](guardduty-attack-sequence-finding-types.md#attack-sequence-ec2-compromised-instance-group)  |  Resources involved in attack sequence  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)  |  Critical  | 
| [Backdoor:EC2/C&CActivity.B!DNS](guardduty_finding-types-ec2.md#backdoor-ec2-ccactivitybdns) | Amazon EC2 | DNS logs | High | 
| [CryptoCurrency:EC2/BitcoinTool.B!DNS](guardduty_finding-types-ec2.md#cryptocurrency-ec2-bitcointoolbdns) | Amazon EC2 | DNS logs | High | 
| [Impact:EC2/AbusedDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-abuseddomainrequestreputation) | Amazon EC2 | DNS logs | Medium | 
| [Impact:EC2/BitcoinDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-bitcoindomainrequestreputation) | Amazon EC2 | DNS logs | High | 
| [Impact:EC2/MaliciousDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-maliciousdomainrequestreputation) | Amazon EC2 | DNS logs | High | 
| [Impact:EC2/SuspiciousDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-suspiciousdomainrequestreputation) | Amazon EC2 | DNS logs | Low | 
| [Trojan:EC2/BlackholeTraffic!DNS](guardduty_finding-types-ec2.md#trojan-ec2-blackholetrafficdns) | Amazon EC2 | DNS logs | Medium | 
| [Trojan:EC2/DGADomainRequest.B](guardduty_finding-types-ec2.md#trojan-ec2-dgadomainrequestb) | Amazon EC2 | DNS logs | High | 
| [Trojan:EC2/DGADomainRequest.C!DNS](guardduty_finding-types-ec2.md#trojan-ec2-dgadomainrequestcdns) | Amazon EC2 | DNS logs | High | 
| [Trojan:EC2/DNSDataExfiltration](guardduty_finding-types-ec2.md#trojan-ec2-dnsdataexfiltration) | Amazon EC2 | DNS logs | High | 
| [Trojan:EC2/DriveBySourceTraffic!DNS](guardduty_finding-types-ec2.md#trojan-ec2-drivebysourcetrafficdns) | Amazon EC2 | DNS logs | High | 
| [Trojan:EC2/DropPoint!DNS](guardduty_finding-types-ec2.md#trojan-ec2-droppointdns) | Amazon EC2 | DNS logs | Medium | 
| [Trojan:EC2/PhishingDomainRequest!DNS](guardduty_finding-types-ec2.md#trojan-ec2-phishingdomainrequestdns) | Amazon EC2 | DNS logs | High | 
| [UnauthorizedAccess:EC2/MetadataDNSRebind](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-metadatadnsrebind) | Amazon EC2 | DNS logs | High | 
| [Execution:Container/MaliciousFile](findings-malware-protection.md#execution-malware-container-maliciousfile) | Container | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:Container/SuspiciousFile](findings-malware-protection.md#execution-malware-container-suspiciousfile)  | Container | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:EC2/MaliciousFile](findings-malware-protection.md#execution-malware-ec2-maliciousfile)  | Amazon EC2 | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:EC2/SuspiciousFile](findings-malware-protection.md#execution-malware-ec2-suspiciousfile)  | Amazon EC2 | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:ECS/MaliciousFile](findings-malware-protection.md#execution-malware-ecs-maliciousfile)  | ECS | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:ECS/SuspiciousFile](findings-malware-protection.md#execution-malware-ecs-suspiciousfile)  | ECS | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:Kubernetes/MaliciousFile](findings-malware-protection.md#execution-malware-kubernetes-maliciousfile)  | Kubernetes | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:Kubernetes/SuspiciousFile](findings-malware-protection.md#execution-malware-kubernetes-suspiciousfile)  | Kubernetes | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:EC2/MaliciousFile!Snapshot](findings-malware-protection-backup.md#execution-malware-ec2-maliciousfile-snapshot)  | Amazon EBS | Malware Protection for Backup | Varies depending on the detected threat | 
| [Execution:EC2/MaliciousFile!AMI](findings-malware-protection-backup.md#execution-malware-ec2-maliciousfile-ami)  | Amazon EC2 | Malware Protection for Backup | Varies depending on the detected threat | 
| [Execution:EC2/MaliciousFile!RecoveryPoint](findings-malware-protection-backup.md#execution-malware-ec2-maliciousfile-recoverypoint)  | AWS Backup | Malware Protection for Backup | Varies depending on the detected threat | 
| [Execution:S3/MaliciousFile!RecoveryPoint](findings-malware-protection-backup.md#execution-malware-s3-maliciousfile-recoverypoint)  | AWS Backup | Malware Protection for Backup | Varies depending on the detected threat | 
| [CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed](guardduty-finding-types-eks-audit-logs.md#credaccess-kubernetes-anomalousbehavior-secretsaccessed)  | Kubernetes | EKS audit logs | Medium | 
| [CredentialAccess:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#credentialaccess-kubernetes-maliciousipcaller)  | Kubernetes | EKS audit logs | High | 
| [CredentialAccess:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#credentialaccess-kubernetes-maliciousipcallercustom)  | Kubernetes | EKS audit logs | High | 
| [CredentialAccess:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#credentialaccess-kubernetes-successfulanonymousaccess)  | Kubernetes | EKS audit logs | High | 
| [CredentialAccess:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#credentialaccess-kubernetes-toripcaller)  | Kubernetes | EKS audit logs | High | 
| [DefenseEvasion:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#defenseevasion-kubernetes-maliciousipcaller)  | Kubernetes | EKS audit logs | High | 
| [DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#defenseevasion-kubernetes-maliciousipcallercustom)  | Kubernetes | EKS audit logs | High | 
| [DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#defenseevasion-kubernetes-successfulanonymousaccess)  | Kubernetes | EKS audit logs | High | 
| [DefenseEvasion:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#defenseevasion-kubernetes-toripcaller)  | Kubernetes | EKS audit logs | High | 
|  [Discovery:Kubernetes/AnomalousBehavior.PermissionChecked](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-anomalousbehavrior-permissionchecked)  | Kubernetes | EKS audit logs | Low | 
| [Discovery:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-maliciousipcaller)  | Kubernetes | EKS audit logs | Medium | 
| [Discovery:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-maliciousipcallercustom)  | Kubernetes | EKS audit logs | Medium | 
| [Discovery:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-successfulanonymousaccess)  | Kubernetes | EKS audit logs | Medium | 
| [Discovery:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-toripcaller)  | Kubernetes | EKS audit logs | Medium | 
| [Execution:Kubernetes/ExecInKubeSystemPod](guardduty-finding-types-eks-audit-logs.md#execution-kubernetes-execinkubesystempod)  | Kubernetes | EKS audit logs | Medium | 
| [Execution:Kubernetes/AnomalousBehavior.ExecInPod](guardduty-finding-types-eks-audit-logs.md#execution-kubernetes-anomalousbehvaior-execinprod)  | Kubernetes | EKS audit logs | Medium | 
|  [Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed](guardduty-finding-types-eks-audit-logs.md#exec-kubernetes-anomalousbehavior-workloaddeployed)  | Kubernetes | EKS audit logs | Low | 
| [Impact:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#impact-kubernetes-maliciousipcaller)  | Kubernetes | EKS audit logs | High | 
| [Impact:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#impact-kubernetes-maliciousipcallercustom)  | Kubernetes | EKS audit logs | High | 
| [Impact:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#impact-kubernetes-successfulanonymousaccess)  | Kubernetes | EKS audit logs | High | 
| [Impact:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#impact-kubernetes-toripcaller)  | Kubernetes | EKS audit logs | High | 
| [Persistence:Kubernetes/ContainerWithSensitiveMount](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-containerwithsensitivemount)  | Kubernetes | EKS audit logs | Medium | 
| [Persistence:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-maliciousipcaller)  | Kubernetes | EKS audit logs | Medium | 
| [Persistence:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-maliciousipcallercustom)  | Kubernetes | EKS audit logs | Medium | 
| [Persistence:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-successfulanonymousaccess)  | Kubernetes | EKS audit logs | High | 
| [Persistence:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-toripcaller)  | Kubernetes | EKS audit logs | Medium | 
| [Policy:Kubernetes/AdminAccessToDefaultServiceAccount](guardduty-finding-types-eks-audit-logs.md#policy-kubernetes-adminaccesstodefaultserviceaccount)  | Kubernetes | EKS audit logs | High | 
| [Policy:Kubernetes/AnonymousAccessGranted](guardduty-finding-types-eks-audit-logs.md#policy-kubernetes-anonymousaccessgranted)  | Kubernetes | EKS audit logs | High | 
| [Policy:Kubernetes/KubeflowDashboardExposed](guardduty-finding-types-eks-audit-logs.md#policy-kubernetes-kubeflowdashboardexposed)  | Kubernetes | EKS audit logs | Medium | 
| [Policy:Kubernetes/ExposedDashboard](guardduty-finding-types-eks-audit-logs.md#policy-kubernetes-exposeddashboard)  | Kubernetes | EKS audit logs | Medium | 
| [PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated](guardduty-finding-types-eks-audit-logs.md#privesc-kubernetes-anomalousbehavior-rolebindingcreated)  | Kubernetes | EKS audit logs | Medium[*](#gdu-active-findings-variable-severity) | 
|  [PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated](guardduty-finding-types-eks-audit-logs.md#privesc-kubernetes-anomalousbehavior-rolecreated)  | Kubernetes | EKS audit logs | Low | 
|  [Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount](guardduty-finding-types-eks-audit-logs.md#privesc-kubernetes-anomalousbehavior-workloaddeployed-containerwithsensitivemount)   | Kubernetes | EKS audit logs | High | 
| [PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer](guardduty-finding-types-eks-audit-logs.md#privesc-kubernetes-anomalousbehavior-workloaddeployed-privcontainer)  | Kubernetes | EKS audit logs | High | 
| [PrivilegeEscalation:Kubernetes/PrivilegedContainer](guardduty-finding-types-eks-audit-logs.md#privilegeescalation-kubernetes-privilegedcontainer)  | Kubernetes | EKS audit logs | Medium | 
| [Backdoor:Lambda/C&CActivity.B](lambda-protection-finding-types.md#backdoor-lambda-ccactivity-b)  | Lambda | Lambda Network Activity Monitoring | High | 
| [CryptoCurrency:Lambda/BitcoinTool.B](lambda-protection-finding-types.md#cryptocurrency-lambda-bitcointool-b)  | Lambda | Lambda Network Activity Monitoring | High | 
| [Trojan:Lambda/BlackholeTraffic](lambda-protection-finding-types.md#trojan-lambda-blackhole-traffic)  | Lambda | Lambda Network Activity Monitoring | Medium | 
| [Trojan:Lambda/DropPoint](lambda-protection-finding-types.md#trojan-lambda-drop-point)  | Lambda | Lambda Network Activity Monitoring | Medium | 
| [UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom](lambda-protection-finding-types.md#unauthorized-access-lambda-maliciousIPcaller-custom)  | Lambda | Lambda Network Activity Monitoring | Medium | 
| [UnauthorizedAccess:Lambda/TorClient](lambda-protection-finding-types.md#unauthorized-access-lambda-tor-client)  | Lambda | Lambda Network Activity Monitoring | High | 
| [UnauthorizedAccess:Lambda/TorRelay](lambda-protection-finding-types.md#unauthorized-access-lambda-tor-relay)  | Lambda | Lambda Network Activity Monitoring | High | 
|  [Object:S3/MaliciousFile](gdu-malware-protection-s3-finding-types.md#s3-object-s3-malicious-file)  |  S3Object  |  Malware Protection for S3  |  High  | 
| [CredentialAccess:RDS/AnomalousBehavior.FailedLogin](findings-rds-protection.md#credaccess-rds-anombehavior-failedlogin)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Low | 
| [CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce](findings-rds-protection.md#credaccess-rds-anombehavior-successfulbruteforce)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | High | 
| [CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin](findings-rds-protection.md#credaccess-rds-anombehavior-successlogin)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Variable[*](#gdu-active-findings-variable-severity) | 
| [CredentialAccess:RDS/MaliciousIPCaller.FailedLogin](findings-rds-protection.md#credaccess-rds-maliciousipcaller-failedlogin)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Medium | 
| [CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin](findings-rds-protection.md#credaccess-rds-maliciousipcaller-successfullogin)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | High | 
| [CredentialAccess:RDS/TorIPCaller.FailedLogin](findings-rds-protection.md#credaccess-rds-toripcaller-failedlogin)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Medium | 
| [CredentialAccess:RDS/TorIPCaller.SuccessfulLogin](findings-rds-protection.md#credaccess-rds-toripcaller-successfullogin)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | High | 
| [Discovery:RDS/MaliciousIPCaller](findings-rds-protection.md#discovery-rds-maliciousipcaller)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Medium | 
| [Discovery:RDS/TorIPCaller](findings-rds-protection.md#discovery-rds-toripcaller)  | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Medium | 
| [Backdoor:Runtime/C&CActivity.B](findings-runtime-monitoring.md#backdoor-runtime-ccactivityb)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Backdoor:Runtime/C&CActivity.B!DNS](findings-runtime-monitoring.md#backdoor-runtime-ccactivitybdns)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [CryptoCurrency:Runtime/BitcoinTool.B](findings-runtime-monitoring.md#cryptocurrency-runtime-bitcointoolb)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [CryptoCurrency:Runtime/BitcoinTool.B!DNS](findings-runtime-monitoring.md#cryptocurrency-runtime-bitcointoolbdns)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [DefenseEvasion:Runtime/FilelessExecution](findings-runtime-monitoring.md#defenseeva-runtime-filelessexecution)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [DefenseEvasion:Runtime/KernelModuleLoaded](findings-runtime-monitoring.md#defenseevasion-runtime-kernelmoduleloaded)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [DefenseEvasion:Runtime/ProcessInjection.Proc](findings-runtime-monitoring.md#defenseeva-runtime-processinjectionproc)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [DefenseEvasion:Runtime/ProcessInjection.Ptrace](findings-runtime-monitoring.md#defenseeva-runtime-processinjectionptrace)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite](findings-runtime-monitoring.md#defenseeva-runtime-processinjectionvirtualmemw)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [DefenseEvasion:Runtime/PtraceAntiDebugging](findings-runtime-monitoring.md#defenseevasion-runtime-ptrace-anti-debug)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low | 
| [DefenseEvasion:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#defenseevasion-runtime-suspicious-command)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Discovery:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#discovery-runtime-suspicious-command)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low | 
| [Execution:Runtime/MaliciousFileExecuted](findings-runtime-monitoring.md#execution-runtime-malicious-file-executed)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Execution:Runtime/NewBinaryExecuted](findings-runtime-monitoring.md#execution-runtime-newbinaryexecuted)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Execution:Runtime/NewLibraryLoaded](findings-runtime-monitoring.md#execution-runtime-newlibraryloaded)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Execution:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#execution-runtime-suspiciouscommand)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable[*](#gdu-active-findings-variable-severity) | 
| [Execution:Runtime/SuspiciousShellCreated](findings-runtime-monitoring.md#execution-runtime-suspicious-shell-created)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low | 
| [Execution:Runtime/SuspiciousTool](findings-runtime-monitoring.md#execution-runtime-suspicioustool)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable[*](#gdu-active-findings-variable-severity) | 
| [Execution:Runtime/ReverseShell](findings-runtime-monitoring.md#execution-runtime-reverseshell)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Impact:Runtime/AbusedDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-abuseddomainrequestreputation)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Impact:Runtime/BitcoinDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-bitcoindomainrequestreputation)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Impact:Runtime/CryptoMinerExecuted](findings-runtime-monitoring.md#impact-runtime-cryptominerexecuted)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Impact:Runtime/MaliciousDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-maliciousdomainrequestreputation)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Impact:Runtime/SuspiciousDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-suspiciousdomainrequestreputation)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low | 
| [Persistence:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#persistence-runtime-suspicious-command)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified](findings-runtime-monitoring.md#privilegeesc-runtime-cgroupsreleaseagentmodified)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [PrivilegeEscalation:Runtime/ContainerMountsHostDirectory](findings-runtime-monitoring.md#privilegeescalation-runtime-containermountshostdirectory)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/DockerSocketAccessed](findings-runtime-monitoring.md#privilegeesc-runtime-dockersocketaccessed)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/ElevationToRoot](findings-runtime-monitoring.md#privilegeesc-runtime-elevation-to-root)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/RuncContainerEscape](findings-runtime-monitoring.md#privilegeesc-runtime-runccontainerescape)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [PrivilegeEscalation:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#privilege-escalation-runtime-suspicious-command)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/UserfaultfdUsage](findings-runtime-monitoring.md#privilegeescalation-runtime-userfaultfdusage)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/BlackholeTraffic](findings-runtime-monitoring.md#trojan-runtime-blackholetraffic)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/BlackholeTraffic!DNS](findings-runtime-monitoring.md#trojan-runtime-blackholetrafficdns)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/DropPoint](findings-runtime-monitoring.md#trojan-runtime-droppoint)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/DGADomainRequest.C!DNS](findings-runtime-monitoring.md#trojan-runtime-dgadomainrequestcdns)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Trojan:Runtime/DriveBySourceTraffic!DNS](findings-runtime-monitoring.md#trojan-runtime-drivebysourcetrafficdns)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Trojan:Runtime/DropPoint!DNS](findings-runtime-monitoring.md#trojan-runtime-droppointdns)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/PhishingDomainRequest!DNS](findings-runtime-monitoring.md#trojan-runtime-phishingdomainrequestdns)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [UnauthorizedAccess:Runtime/MetadataDNSRebind](findings-runtime-monitoring.md#unauthorizedaccess-runtime-metadatadnsrebind)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [UnauthorizedAccess:Runtime/TorClient](findings-runtime-monitoring.md#unauthorizedaccess-runtime-torclient)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [UnauthorizedAccess:Runtime/TorRelay](findings-runtime-monitoring.md#unauthorizedaccess-runtime-torrelay)  | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Backdoor:EC2/C&CActivity.B](guardduty_finding-types-ec2.md#backdoor-ec2-ccactivityb)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.Dns](guardduty_finding-types-ec2.md#backdoor-ec2-denialofservicedns)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.Tcp](guardduty_finding-types-ec2.md#backdoor-ec2-denialofservicetcp)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.Udp](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceudp)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.UdpOnTcpPorts](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceudpontcpports)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.UnusualProtocol](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceunusualprotocol)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/Spambot](guardduty_finding-types-ec2.md#backdoor-ec2-spambot)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Behavior:EC2/NetworkPortUnusual](guardduty_finding-types-ec2.md#behavior-ec2-networkportunusual)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Behavior:EC2/TrafficVolumeUnusual](guardduty_finding-types-ec2.md#behavior-ec2-trafficvolumeunusual)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [CryptoCurrency:EC2/BitcoinTool.B](guardduty_finding-types-ec2.md#cryptocurrency-ec2-bitcointoolb)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [DefenseEvasion:EC2/UnusualDNSResolver](guardduty_finding-types-ec2.md#defenseevasion-ec2-unusualdnsresolver)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [DefenseEvasion:EC2/UnusualDoHActivity](guardduty_finding-types-ec2.md#defenseevasion-ec2-unsualdohactivity)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [DefenseEvasion:EC2/UnusualDoTActivity](guardduty_finding-types-ec2.md#defenseevasion-ec2-unusualdotactivity)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Impact:EC2/PortSweep](guardduty_finding-types-ec2.md#impact-ec2-portsweep)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Impact:EC2/WinRMBruteForce](guardduty_finding-types-ec2.md#impact-ec2-winrmbruteforce)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Low[*](#gdu-active-findings-variable-severity) | 
| [Recon:EC2/PortProbeEMRUnprotectedPort](guardduty_finding-types-ec2.md#recon-ec2-portprobeemrunprotectedport)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Recon:EC2/PortProbeUnprotectedPort](guardduty_finding-types-ec2.md#recon-ec2-portprobeunprotectedport)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Low[*](#gdu-active-findings-variable-severity) | 
| [Recon:EC2/Portscan](guardduty_finding-types-ec2.md#recon-ec2-portscan)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Trojan:EC2/BlackholeTraffic](guardduty_finding-types-ec2.md#trojan-ec2-blackholetraffic)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Trojan:EC2/DropPoint](guardduty_finding-types-ec2.md#trojan-ec2-droppoint)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-maliciousipcallercustom)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [UnauthorizedAccess:EC2/RDPBruteForce](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-rdpbruteforce)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Low[*](#gdu-active-findings-variable-severity) | 
| [UnauthorizedAccess:EC2/SSHBruteForce](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-sshbruteforce)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Low[*](#gdu-active-findings-variable-severity) | 
| [UnauthorizedAccess:EC2/TorClient](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-torclient)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [UnauthorizedAccess:EC2/TorRelay](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-torrelay)  | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 