AWS EC2 instance communicated with a malicious server

Classification:

attack

Set up the guardduty integration.

Overview

Goal

Detect when an EC2 instance is communicating with a malicious server.

Strategy

This rule lets you monitor these GuardDuty integration findings:

• Backdoor:EC2/C&CActivity.B!DNS
• Trojan:EC2/BlackholeTraffic
• Trojan:EC2/DropPoint
• Trojan:EC2/BlackholeTraffic!DNS
• Trojan:EC2/DriveBySourceTraffic!DNS
• Trojan:EC2/DropPoint!DNS
• Trojan:EC2/DGADomainRequest.B
• Trojan:EC2/DGADomainRequest.C!DNS
• Trojan:EC2/DNSDataExfiltration
• Trojan:EC2/PhishingDomainRequest!DNS

Triage & Response

1. Determine which domain name or IP address triggered the signal. This can be found in the samples.
2. If the instance is compromised:
   • Review the AWS documentation on remediating a compromised EC2 instance.