AWS EC2 instance communicating with a cryptocurrency server

guardduty

Classification:

attack

Tactic:

Technique:

Goal

Detect when an EC2 instance is communicating with a cryptocurrency server.

Strategy

This rule uses GuardDuty to detect when an EC2 instance has made a DNS request for a domain, or is communicating with an IP address, that is associated with cryptocurrency operations. The following GuardDuty findings trigger this signal:

Triage and response

  1. Determine which domain name or IP address triggered the signal. This can be found in the samples.
  2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.
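
As an added example (not part of the rule itself), the sketch below performs triage step 1 on raw GuardDuty finding JSON: it pulls out the instance and the domain or IP address that triggered the finding. It assumes the standard GuardDuty finding layout (`service.action.dnsRequestAction`, `service.action.networkConnectionAction`); the sample findings, instance IDs, domain and IP address are constructed, and `extract_indicator` and `triage` are hypothetical helper names.

```python
import json

# Constructed sample findings in the GuardDuty finding JSON layout (not real data).
SAMPLE_FINDINGS = json.loads("""
[
 {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
  "resource": {"instanceDetails": {"instanceId": "i-0example0000000001"}},
  "service": {"action": {"actionType": "DNS_REQUEST",
    "dnsRequestAction": {"domain": "pool.example.net", "protocol": "UDP"}}}},
 {"type": "CryptoCurrency:EC2/BitcoinTool.B",
  "resource": {"instanceDetails": {"instanceId": "i-0example0000000002"}},
  "service": {"action": {"actionType": "NETWORK_CONNECTION",
    "networkConnectionAction": {"connectionDirection": "OUTBOUND",
      "remoteIpDetails": {"ipAddressV4": "198.51.100.7"},
      "remotePortDetails": {"port": 3333}}}}},
 {"type": "Recon:EC2/PortProbeUnprotectedPort",
  "resource": {"instanceDetails": {"instanceId": "i-0example0000000003"}},
  "service": {"action": {"actionType": "PORT_PROBE"}}}
]
""")


def extract_indicator(finding):
    """Return (instance_id, action_type, indicator) for a cryptocurrency
    finding, or None when the finding belongs to another family."""
    if not finding.get("type", "").startswith("CryptoCurrency:EC2/"):
        return None
    details = finding.get("resource", {}).get("instanceDetails", {})
    instance = details.get("instanceId", "unknown")
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "DNS_REQUEST":
        value = action.get("dnsRequestAction", {}).get("domain")
    elif kind == "NETWORK_CONNECTION":
        remote = action.get("networkConnectionAction", {}).get("remoteIpDetails", {})
        value = remote.get("ipAddressV4")
    else:
        value = None  # unexpected action type: leave for manual review
    return (instance, kind, value)


def triage(findings):
    """Keep only cryptocurrency findings, reduced to their indicators."""
    return [hit for hit in map(extract_indicator, findings) if hit]


if __name__ == "__main__":
    for instance, kind, value in triage(SAMPLE_FINDINGS):
        print(f"{instance}\t{kind}\t{value or '<missing in finding>'}")
```

The instance ID and indicator returned here are the starting point for step 2: identifying which process on that instance requested the domain name or IP address.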