AWS guardduty medium security documentation change
Summary
Added new finding type 'Impact:EC2/MaliciousDomainRequest.Custom' with documentation about detecting domain queries from custom threat lists
Security assessment
Introduces documentation for a new security finding type that detects EC2 instances querying domains from custom threat lists. This directly relates to security monitoring capabilities and provides remediation guidance for potential compromises. The change demonstrates enhanced detection capabilities using custom threat intelligence.
Diff
diff --git a/guardduty/latest/ug/guardduty_finding-types-ec2.md b/guardduty/latest/ug/guardduty_finding-types-ec2.md index a92fa4c2a..46be48fb2 100644 --- a//guardduty/latest/ug/guardduty_finding-types-ec2.md +++ b//guardduty/latest/ug/guardduty_finding-types-ec2.md @@ -5 +5 @@ -Backdoor:EC2/C&CActivity.BBackdoor:EC2/C&CActivity.B!DNSBackdoor:EC2/DenialOfService.DnsBackdoor:EC2/DenialOfService.TcpBackdoor:EC2/DenialOfService.UdpBackdoor:EC2/DenialOfService.UdpOnTcpPortsBackdoor:EC2/DenialOfService.UnusualProtocolBackdoor:EC2/SpambotBehavior:EC2/NetworkPortUnusualBehavior:EC2/TrafficVolumeUnusualCryptoCurrency:EC2/BitcoinTool.BCryptoCurrency:EC2/BitcoinTool.B!DNSDefenseEvasion:EC2/UnusualDNSResolverDefenseEvasion:EC2/UnusualDoHActivityDefenseEvasion:EC2/UnusualDoTActivityImpact:EC2/AbusedDomainRequest.ReputationImpact:EC2/BitcoinDomainRequest.ReputationImpact:EC2/MaliciousDomainRequest.ReputationImpact:EC2/PortSweepImpact:EC2/SuspiciousDomainRequest.ReputationImpact:EC2/WinRMBruteForceRecon:EC2/PortProbeEMRUnprotectedPortRecon:EC2/PortProbeUnprotectedPortRecon:EC2/PortscanTrojan:EC2/BlackholeTrafficTrojan:EC2/BlackholeTraffic!DNSTrojan:EC2/DGADomainRequest.BTrojan:EC2/DGADomainRequest.C!DNSTrojan:EC2/DNSDataExfiltrationTrojan:EC2/DriveBySourceTraffic!DNSTrojan:EC2/DropPointTrojan:EC2/DropPoint!DNSTrojan:EC2/PhishingDomainRequest!DNSUnauthorizedAccess:EC2/MaliciousIPCaller.CustomUnauthorizedAccess:EC2/MetadataDNSRebindUnauthorizedAccess:EC2/RDPBruteForceUnauthorizedAccess:EC2/SSHBruteForceUnauthorizedAccess:EC2/TorClientUnauthorizedAccess:EC2/TorRelay +Backdoor:EC2/C&CActivity.BBackdoor:EC2/C&CActivity.B!DNSBackdoor:EC2/DenialOfService.DnsBackdoor:EC2/DenialOfService.TcpBackdoor:EC2/DenialOfService.UdpBackdoor:EC2/DenialOfService.UdpOnTcpPortsBackdoor:EC2/DenialOfService.UnusualProtocolBackdoor:EC2/SpambotBehavior:EC2/NetworkPortUnusualBehavior:EC2/TrafficVolumeUnusualCryptoCurrency:EC2/BitcoinTool.BCryptoCurrency:EC2/BitcoinTool.B!DNSDefenseEvasion:EC2/UnusualDNSResolverDefenseEvasion:EC2/UnusualDoHActivityDefenseEvasion:EC2/UnusualDoTActivityImpact:EC2/AbusedDomainRequest.ReputationImpact:EC2/BitcoinDomainRequest.ReputationImpact:EC2/MaliciousDomainRequest.ReputationImpact:EC2/MaliciousDomainRequest.CustomImpact:EC2/PortSweepImpact:EC2/SuspiciousDomainRequest.ReputationImpact:EC2/WinRMBruteForceRecon:EC2/PortProbeEMRUnprotectedPortRecon:EC2/PortProbeUnprotectedPortRecon:EC2/PortscanTrojan:EC2/BlackholeTrafficTrojan:EC2/BlackholeTraffic!DNSTrojan:EC2/DGADomainRequest.BTrojan:EC2/DGADomainRequest.C!DNSTrojan:EC2/DNSDataExfiltrationTrojan:EC2/DriveBySourceTraffic!DNSTrojan:EC2/DropPointTrojan:EC2/DropPoint!DNSTrojan:EC2/PhishingDomainRequest!DNSUnauthorizedAccess:EC2/MaliciousIPCaller.CustomUnauthorizedAccess:EC2/MetadataDNSRebindUnauthorizedAccess:EC2/RDPBruteForceUnauthorizedAccess:EC2/SSHBruteForceUnauthorizedAccess:EC2/TorClientUnauthorizedAccess:EC2/TorRelay @@ -61,0 +62,2 @@ For all EC2 findings, it is recommended that you examine the resource in questio + * Impact:EC2/MaliciousDomainRequest.Custom + @@ -479,0 +482,17 @@ If this activity is unexpected, your instance may be compromised. For more infor +## Impact:EC2/MaliciousDomainRequest.Custom + +### An EC2 instance is querying a domain on a custom threat entity list. + +**Default severity: Medium** + + * **Data source:** DNS logs + + + + +This finding informs you that the listed Amazon EC2 instance within your AWS environment is querying a domain name that is included in threat entity list that you uploaded and activated. In GuardDuty, a threat entity list consists of known malicious domain names and IP addresses. GuardDuty generates findings based on the activity associated with the uploaded threat entity list. You can view name of the threat entity list in the finding details. + +**Remediation recommendations:** + +If this activity is unexpected, your instance may be compromised. For more information, see [Remediating a potentially compromised Amazon EC2 instance](./compromised-ec2.html). +