
AWS EC2 instance communicating with a cryptocurrency server







WARNING: This rule is being deprecated on 6 March 2023.


Detect when an EC2 instance is communicating with a cryptocurrency server


This rule uses GuardDuty to detect when an EC2 instance has made a DNS request for a domain name, or is communicating with an IP address, that is associated with cryptocurrency operations. The following GuardDuty findings trigger this signal:

Triage and response

  1. Determine which domain name or IP address triggered the signal. This can be found in the samples.
  2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.
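For step 1, the following added example (not part of the original rule or of Datadog's tooling) pulls the instance ID and the triggering domain name or IP address out of a finding. It assumes the sample carries the finding in GuardDuty's exported camelCase JSON layout and that the relevant finding types share the `CryptoCurrency:EC2/` prefix; the function names and all sample values are constructed for illustration.

```python
import json

# Constructed sample findings in GuardDuty's exported (camelCase) JSON shape.
# Instance IDs, domain and IP address are made up (documentation ranges).
SAMPLE_FINDINGS = json.loads("""
[
  {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
   "resource": {"instanceDetails": {"instanceId": "i-0example0000000001"}},
   "service": {"action": {"actionType": "DNS_REQUEST",
                          "dnsRequestAction": {"domain": "pool.example.com"}}}},
  {"type": "CryptoCurrency:EC2/BitcoinTool.B",
   "resource": {"instanceDetails": {"instanceId": "i-0example0000000002"}},
   "service": {"action": {"actionType": "NETWORK_CONNECTION",
                          "networkConnectionAction": {
                              "remoteIpDetails": {"ipAddressV4": "203.0.113.25"}}}}},
  {"type": "Recon:EC2/PortProbeUnprotectedPort",
   "resource": {"instanceDetails": {"instanceId": "i-0example0000000003"}},
   "service": {"action": {"actionType": "PORT_PROBE"}}}
]
""")

CRYPTO_PREFIX = "CryptoCurrency:EC2/"  # assumption: filter on the finding-type prefix

def triage_indicator(finding):
    """Return (instance_id, action_type, indicator), or None for unrelated findings."""
    if not finding.get("type", "").startswith(CRYPTO_PREFIX):
        return None
    instance = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "DNS_REQUEST":
        # DNS-based finding: the queried domain name is the indicator.
        indicator = action.get("dnsRequestAction", {}).get("domain")
    elif kind == "NETWORK_CONNECTION":
        # Connection-based finding: the remote IP address is the indicator.
        remote = action.get("networkConnectionAction", {}).get("remoteIpDetails", {})
        indicator = remote.get("ipAddressV4")
    else:
        indicator = None  # unexpected action type: leave for manual review
    return (instance, kind, indicator)

def summarize(findings):
    """Keep only cryptocurrency findings, one triage row per finding."""
    return [row for row in map(triage_indicator, findings) if row is not None]

if __name__ == "__main__":
    for instance, kind, indicator in summarize(SAMPLE_FINDINGS):
        print(f"{instance}\t{kind}\t{indicator or '<not present in sample>'}")
```

The resulting rows give the instance to investigate in step 2 and the indicator to search for in DNS and flow logs.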


  • 1 November 2022 - Updated links.