
AWS EC2 instance communicating with a cryptocurrency server

guardduty

Classification: attack

Tactic:

Technique:


Goal

Detect when an EC2 instance is communicating with a cryptocurrency server

Strategy

This rule uses GuardDuty to detect when an EC2 instance has made a DNS request for a domain, or is communicating with an IP address, that is associated with cryptocurrency operations (for example, mining pools). The following GuardDuty findings trigger this signal:

Triage and response

  1. Determine which domain name or IP address triggered the signal. This can be found in the samples.
  2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.
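The two triage steps above can be scripted against the raw GuardDuty findings that back the signal. The example below is added here and is not part of the rule page or of any Datadog or AWS code; it assumes the GuardDuty finding JSON layout as delivered through EventBridge (`detail.type`, `detail.service.action.actionType`, `detail.service.action.dnsRequestAction.domain`, `detail.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4`, `detail.resource.instanceDetails.instanceId`), that cryptocurrency findings share the `CryptoCurrency:` type prefix, and that the responder maintains an allowlist of destinations that are expected (an assumption, since the page only says "should not have been requested"). The sample events and finding type names are constructed placeholders. It handles both forms the strategy describes, a DNS request and a direct network connection, and ignores unrelated finding families.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events shaped like GuardDuty findings delivered via
# EventBridge. Finding type names and all values are placeholders.
SAMPLE_EVENTS = [
    {
        "detail": {
            "id": "finding-0001",
            "type": "CryptoCurrency:EC2/PLACEHOLDER!DNS",   # placeholder, not a real finding name
            "resource": {"instanceDetails": {"instanceId": "i-0example1234"}},
            "service": {
                "action": {
                    "actionType": "DNS_REQUEST",
                    "dnsRequestAction": {"domain": "pool.example-miner.invalid", "protocol": "UDP"},
                },
                "count": 3,
            },
        }
    },
    {
        "detail": {
            "id": "finding-0002",
            "type": "CryptoCurrency:EC2/PLACEHOLDER",        # placeholder, not a real finding name
            "resource": {"instanceDetails": {"instanceId": "i-0example5678"}},
            "service": {
                "action": {
                    "actionType": "NETWORK_CONNECTION",
                    "networkConnectionAction": {
                        "connectionDirection": "OUTBOUND",
                        "remoteIpDetails": {"ipAddressV4": "203.0.113.10"},
                        "remotePortDetails": {"port": 3333},
                    },
                },
                "count": 12,
            },
        }
    },
    {   # unrelated finding family: this rule must not fire on it
        "detail": {
            "id": "finding-0003",
            "type": "Recon:EC2/PLACEHOLDER",
            "resource": {"instanceDetails": {"instanceId": "i-0example9999"}},
            "service": {"action": {"actionType": "PORT_PROBE"}},
        }
    },
]


@dataclass
class Signal:
    finding_id: str
    instance_id: str
    indicator: str   # the domain or IP address that triggered the finding (triage step 1)
    kind: str        # "domain" or "ip"


def extract_signal(event: dict) -> Optional[Signal]:
    """Pull the triggering domain or IP out of a cryptocurrency finding.

    Returns None for findings outside the CryptoCurrency family or when the
    action carries no usable indicator.
    """
    detail = event.get("detail", {})
    if not detail.get("type", "").startswith("CryptoCurrency:"):
        return None
    action = detail.get("service", {}).get("action", {})
    instance = (detail.get("resource", {})
                      .get("instanceDetails", {})
                      .get("instanceId", "unknown"))
    if action.get("actionType") == "DNS_REQUEST":
        domain = action.get("dnsRequestAction", {}).get("domain")
        if domain:
            return Signal(detail["id"], instance, domain, "domain")
    elif action.get("actionType") == "NETWORK_CONNECTION":
        ip = (action.get("networkConnectionAction", {})
                    .get("remoteIpDetails", {})
                    .get("ipAddressV4"))
        if ip:
            return Signal(detail["id"], instance, ip, "ip")
    return None


def triage(events: Iterable[dict], allowlist: frozenset = frozenset()) -> List[Signal]:
    """Return the signals that warrant a security investigation (triage step 2).

    `allowlist` is an assumed responder-maintained set of destinations that are
    expected to be contacted; anything else is escalated.
    """
    to_investigate = []
    for event in events:
        signal = extract_signal(event)
        if signal is None or signal.indicator in allowlist:
            continue
        to_investigate.append(signal)
    return to_investigate


if __name__ == "__main__":
    for s in triage(SAMPLE_EVENTS):
        print(f"{s.finding_id}: instance {s.instance_id} contacted {s.kind} {s.indicator}; "
              f"identify the requesting process on the instance")
```

Each escalated `Signal` carries the instance ID alongside the indicator so the responder can go straight to the host and identify the process that made the request, which is the part of step 2 GuardDuty itself cannot answer.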

Changelog

  • 1 November 2022 - Updated links.