AWS guardduty documentation change
Summary
Enhanced reverse shell finding description with detection context and remediation guidance
Security assessment
Improves documentation about security detection capabilities by adding context for reverse shell findings and linking remediation guidance
Diff
diff --git a/guardduty/latest/ug/findings-runtime-monitoring.md b/guardduty/latest/ug/findings-runtime-monitoring.md index ad69db82d..2a52ceaf4 100644 --- a/guardduty/latest/ug/findings-runtime-monitoring.md +++ b/guardduty/latest/ug/findings-runtime-monitoring.md @@ -674 +674,3 @@ If this activity is unexpected, your resource type might have been compromised. -A reverse shell is a shell session created on a connection that is initiated from the target host to the actor's host. This is opposite to a normal shell that is initiated from the actor's host to the target's host. Threat actors create a reverse shell to execute commands on the target after gaining initial access to the target. This finding identifies a potential attempt to create a reverse shell. +A reverse shell is a shell session created on a connection that is initiated from the target host to the actor's host. This is opposite to a normal shell that is initiated from the actor's host to the target's host. Threat actors create a reverse shell to execute commands on the target after gaining initial access to the target. This finding identifies potentially suspicious reverse shell connections. + +GuardDuty examines related runtime activity and context, and generates this finding type only when the associated activity and context are found to be unusual or suspicious. @@ -678 +680 @@ A reverse shell is a shell session created on a connection that is initiated fro -If this activity is unexpected, your resource type might have been compromised. +The GuardDuty security agent monitors events from multiple sources. To identify the impacted resource, view **Resource type** in the finding details in the GuardDuty console. If this activity is unexpected, your resource type might have been compromised. For more information, see [Remediating Runtime Monitoring findings](./guardduty-remediate-runtime-monitoring.html).