AWS amazon_guardduty Mappings

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.
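As an added example, not code from this mappings page or from AWS, the script below shows one way to put the finding-type-to-technique mappings listed on this page to work in a detection pipeline: it takes GuardDuty findings in the shape EventBridge delivers them, tags each with the mapped ATT&CK technique IDs and the page's coverage value, and flags findings that the table maps to several parent techniques (Behavior:EC2/TrafficVolumeUnusual appears under five exfiltration techniques) for analyst triage rather than auto-classifying them. The mapping dictionary is a transcribed subset of the table; the EventBridge envelope keys and GuardDuty finding fields are the documented ones; the sample events and the fallback from a `!DNS` finding variant to its base name are this example's own assumptions.

```python
"""Tag Amazon GuardDuty findings with the ATT&CK techniques mapped on this page.

Added example, not code from the mappings page or from AWS. The mapping is a
subset transcribed from the page's table; the EventBridge envelope and finding
fields follow the published GuardDuty finding format; sample events are constructed.
"""
import json
from typing import Dict, List, Tuple

TechniqueRef = Tuple[str, str, str]  # (technique_id, technique_name, coverage)

# The page maps the same finding list to T1071 and all four of its sub-techniques.
T1071_FAMILY: List[TechniqueRef] = [
    ("T1071", "Application Layer Protocol", "partial"),
    ("T1071.001", "Web Protocols", "partial"),
    ("T1071.002", "File Transfer Protocols", "partial"),
    ("T1071.003", "Mail Protocols", "partial"),
    ("T1071.004", "DNS", "partial"),
]

# Subset of the page's mapping table, keyed by GuardDuty finding type.
FINDING_TO_TECHNIQUES: Dict[str, List[TechniqueRef]] = {
    "Behavior:EC2/TrafficVolumeUnusual": [
        ("T1020", "Automated Exfiltration", "partial"),
        ("T1029", "Scheduled Transfer", "minimal"),
        ("T1041", "Exfiltration Over C2 Channel", "minimal"),
        ("T1048", "Exfiltration Over Alternative Protocol", "partial"),
        ("T1567", "Exfiltration Over Web Service", "partial"),
    ],
    "Trojan:EC2/DNSDataExfiltration": [
        ("T1048", "Exfiltration Over Alternative Protocol", "partial"),
        ("T1048.003", "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "partial"),
    ],
    "Trojan:EC2/DropPoint": T1071_FAMILY,
    "Backdoor:EC2/C&CActivity.B": T1071_FAMILY,
    "UnauthorizedAccess:EC2/TorClient": [
        ("T1090", "Proxy", "minimal"),
        ("T1090.001", "Internal Proxy", "minimal"),
        ("T1090.002", "External Proxy", "minimal"),
        ("T1090.003", "Multi-hop Proxy", "minimal"),
    ],
    "Stealth:IAMUser/CloudTrailLoggingDisabled": [
        ("T1562", "Impair Defenses", "partial"),
        ("T1562.008", "Disable Cloud Logs", "partial"),
    ],
    "UnauthorizedAccess:EC2/SSHBruteForce": [("T1110", "Brute Force", "minimal")],
}


def techniques_for(finding_type: str) -> List[TechniqueRef]:
    """Look up a finding type. GuardDuty names the DNS-log variant of a finding
    with a '!DNS' suffix, and the page maps both variants identically wherever it
    lists them, so (assumption) fall back to the base name if the exact variant
    is not in the table."""
    if finding_type in FINDING_TO_TECHNIQUES:
        return FINDING_TO_TECHNIQUES[finding_type]
    return FINDING_TO_TECHNIQUES.get(finding_type.split("!", 1)[0], [])


def enrich(event: dict) -> dict:
    """Turn an EventBridge 'GuardDuty Finding' event into a compact record with
    ATT&CK context. Misrouted events raise instead of silently mapping to nothing,
    so a broken EventBridge rule gets noticed."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    techs = techniques_for(finding["type"])
    parents = {tid.split(".", 1)[0] for tid, _, _ in techs}
    return {
        "finding_id": finding.get("id"),
        "account": finding.get("accountId"),
        "region": finding.get("region"),
        "finding_type": finding["type"],
        "severity": finding.get("severity"),
        "techniques": [{"id": t, "name": n, "coverage": c} for t, n, c in techs],
        # Several parent techniques for one finding means an analyst must decide.
        "needs_triage": len(parents) > 1,
        "unmapped": not techs,
    }


def _event(ftype: str, severity: float, n: int) -> dict:
    """Build a constructed EventBridge event (sample data, not real findings)."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"id": f"constructed-{n:02d}", "accountId": "111122223333",
                   "region": "us-east-1", "type": ftype, "severity": severity},
    }


SAMPLE_EVENTS = [
    _event("Behavior:EC2/TrafficVolumeUnusual", 5, 1),
    _event("Trojan:EC2/DNSDataExfiltration", 8, 2),
    _event("Trojan:EC2/DropPoint!DNS", 8, 3),            # exercises the !DNS fallback
    _event("Recon:EC2/PortProbeUnprotectedPort", 2, 4),  # not in the subset: unmapped
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(json.dumps(enrich(ev)))
```

In a real deployment the `enrich` function would sit behind an EventBridge rule matching `source: aws.guardduty`; the `unmapped` flag is worth alerting on separately, since it usually means the mapping table is stale relative to the finding types GuardDuty currently emits.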

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
amazon_guardduty Amazon GuardDuty detect partial T1020 Automated Exfiltration
Comments
The following GuardDuty finding types flag events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection: Behavior:EC2/TrafficVolumeUnusual, Exfiltration:S3/MaliciousIPCaller, Exfiltration:S3/ObjectRead.Unusual, PenTest:S3/KaliLinux, PenTest:S3/ParrotLinux, PenTest:S3/PentooLinux, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller.
References
amazon_guardduty Amazon GuardDuty detect partial T1021.008 Direct Cloud VM Connections
Comments
GuardDuty findings including UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B can aid in detection of this technique.
References
amazon_guardduty Amazon GuardDuty detect minimal T1029 Scheduled Transfer
Comments
The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection: Behavior:EC2/TrafficVolumeUnusual. Accuracy and coverage are unknown, as this finding flags traffic volume that differs from a baseline.
References
amazon_guardduty Amazon GuardDuty detect minimal T1041 Exfiltration Over C2 Channel
Comments
The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents: Behavior:EC2/TrafficVolumeUnusual. Accuracy and coverage are unknown, as this finding flags traffic volume that differs from a baseline.
References
amazon_guardduty Amazon GuardDuty detect partial T1046 Network Service Scanning
Comments
The following GuardDuty finding types reflect flagged events where there is an attempt to get a list of services running on a remote host: Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep.
References
amazon_guardduty Amazon GuardDuty detect partial T1048 Exfiltration Over Alternative Protocol
Comments
The following GuardDuty finding types flag events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel: Trojan:EC2/DNSDataExfiltration, Behavior:EC2/TrafficVolumeUnusual.
References
amazon_guardduty Amazon GuardDuty detect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Comments
The following GuardDuty finding types flag events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel: Trojan:EC2/DNSDataExfiltration, Behavior:EC2/TrafficVolumeUnusual.
References
amazon_guardduty Amazon GuardDuty detect partial T1059.009 Cloud API
Comments
The GuardDuty finding Impact:IAMUser/AnomalousBehavior can aid in the detection of abuse of AWS APIs.
References
amazon_guardduty Amazon GuardDuty detect partial T1071 Application Layer Protocol
Comments
GuardDuty flags events matching the following finding types, which relate to adversaries attempting to communicate using application layer protocols to avoid detection: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom, Trojan:EC2/DropPoint!DNS, Trojan:EC2/DropPoint, Backdoor:EC2/C&CActivity.B!DNS, Trojan:EC2/BlackholeTraffic, Trojan:EC2/BlackholeTraffic!DNS.
References
amazon_guardduty Amazon GuardDuty detect partial T1071.001 Web Protocols
Comments
GuardDuty flags events matching the following finding types, which relate to adversaries attempting to communicate using application layer protocols to avoid detection: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom, Backdoor:EC2/C&CActivity.B, Backdoor:EC2/C&CActivity.B!DNS, Trojan:EC2/BlackholeTraffic, Trojan:EC2/BlackholeTraffic!DNS, Trojan:EC2/DropPoint, Trojan:EC2/DropPoint!DNS, Impact:EC2/MaliciousDomainRequest.Reputation, Impact:EC2/SuspiciousDomainRequest.Reputation.
References
amazon_guardduty Amazon GuardDuty detect partial T1071.002 File Transfer Protocols
Comments
GuardDuty flags events matching the following finding types, which relate to adversaries attempting to communicate using application layer protocols to avoid detection: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom, Backdoor:EC2/C&CActivity.B, Backdoor:EC2/C&CActivity.B!DNS, Trojan:EC2/BlackholeTraffic, Trojan:EC2/BlackholeTraffic!DNS, Trojan:EC2/DropPoint, Trojan:EC2/DropPoint!DNS, Impact:EC2/MaliciousDomainRequest.Reputation, Impact:EC2/SuspiciousDomainRequest.Reputation.
References
amazon_guardduty Amazon GuardDuty detect partial T1071.003 Mail Protocols
Comments
GuardDuty flags events matching the following finding types, which relate to adversaries attempting to communicate using application layer protocols to avoid detection: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom, Backdoor:EC2/C&CActivity.B, Backdoor:EC2/C&CActivity.B!DNS, Trojan:EC2/BlackholeTraffic, Trojan:EC2/BlackholeTraffic!DNS, Trojan:EC2/DropPoint, Trojan:EC2/DropPoint!DNS, Impact:EC2/MaliciousDomainRequest.Reputation, Impact:EC2/SuspiciousDomainRequest.Reputation.
References
amazon_guardduty Amazon GuardDuty detect partial T1071.004 DNS
Comments
GuardDuty flags events matching the following finding types, which relate to adversaries attempting to communicate using application layer protocols to avoid detection: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom, Backdoor:EC2/C&CActivity.B, Backdoor:EC2/C&CActivity.B!DNS, Trojan:EC2/BlackholeTraffic, Trojan:EC2/BlackholeTraffic!DNS, Trojan:EC2/DropPoint, Trojan:EC2/DropPoint!DNS, Impact:EC2/MaliciousDomainRequest.Reputation, Impact:EC2/SuspiciousDomainRequest.Reputation.
References
amazon_guardduty Amazon GuardDuty detect partial T1078 Valid Accounts
Comments
GuardDuty implements finding types that flag occurrences of unexpected behavior by an IAM user in the account: PenTest:IAMUser/KaliLinux, PenTest:IAMUser/ParrotLinux, PenTest:IAMUser/PentooLinux, Policy:IAMUser/RootCredentialUsage, PrivilegeEscalation:IAMUser/AdministrativePermissions, UnauthorizedAccess:IAMUser/ConsoleLogin, UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B, UnauthorizedAccess:IAMUser/MaliciousIPCaller, UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/TorIPCaller, Policy:S3/AccountBlockPublicAccessDisabled, Policy:S3/BucketAnonymousAccessGranted, Policy:S3/BucketBlockPublicAccessDisabled, Policy:S3/BucketPublicAccessGranted, CredentialAccess:IAMUser/AnomalousBehavior, DefenseEvasion:IAMUser/AnomalousBehavior, Discovery:IAMUser/AnomalousBehavior, Exfiltration:IAMUser/AnomalousBehavior, Impact:IAMUser/AnomalousBehavior, Persistence:IAMUser/AnomalousBehavior, Recon:IAMUser/MaliciousIPCaller, Recon:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.
References
amazon_guardduty Amazon GuardDuty detect partial T1078.001 Default Accounts
Comments
The findings listed above flag instances where there are indications of account compromise.
References
amazon_guardduty Amazon GuardDuty detect partial T1078.004 Cloud Accounts
Comments
The findings listed above flag instances where there are indications of account compromise.
References
amazon_guardduty Amazon GuardDuty detect minimal T1090 Proxy
Comments
The following GuardDuty finding types flag events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure: UnauthorizedAccess:EC2/TorClient, UnauthorizedAccess:EC2/TorRelay. Because the detection is limited to a specific type of proxy, Tor, its coverage is Minimal, resulting in a Minimal score.
References
amazon_guardduty Amazon GuardDuty detect minimal T1090.001 Internal Proxy
Comments
The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. Because the detection is limited to a specific type of proxy, Tor, its coverage is Minimal, resulting in a Minimal score.
References
amazon_guardduty Amazon GuardDuty detect minimal T1090.002 External Proxy
Comments
The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. Because the detection is limited to a specific type of proxy, Tor, its coverage is Minimal, resulting in a Minimal score.
References
amazon_guardduty Amazon GuardDuty detect minimal T1090.003 Multi-hop Proxy
Comments
The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. Because the detection is limited to a specific type of proxy, Tor, its coverage is Minimal, resulting in a Minimal score.
References
amazon_guardduty Amazon GuardDuty detect partial T1098 Account Manipulation
Comments
GuardDuty has a finding type that flags events where an adversary may have compromised an AWS IAM user: Persistence:IAMUser/AnomalousBehavior.
References
amazon_guardduty Amazon GuardDuty detect partial T1098.001 Additional Cloud Credentials
Comments
The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that adversaries can use to maintain persistence, such as CreateAccessKey and ImportKeyPair.
References
amazon_guardduty Amazon GuardDuty detect partial T1098.004 SSH Authorized Keys
Comments
The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that adversaries can use to maintain persistence, such as CreateAccessKey and ImportKeyPair.
References
amazon_guardduty Amazon GuardDuty detect minimal T1110 Brute Force
Comments
Finding types such as UnauthorizedAccess:EC2/RDPBruteForce, UnauthorizedAccess:EC2/SSHBruteForce, Impact:EC2/WinRMBruteForce, and Stealth:IAMUser/PasswordPolicyChange can detect when an EC2 instance may be involved in a brute force attack aimed at obtaining passwords. Because the detection is limited to a specific set of application protocols, its coverage is Minimal, resulting in a Minimal score.
References
amazon_guardduty Amazon GuardDuty detect minimal T1110.001 Password Guessing
Comments
Because the detection is limited to a specific set of application protocols, its coverage is Minimal, resulting in a Minimal score.
References
amazon_guardduty Amazon GuardDuty detect minimal T1110.003 Password Spraying
Comments
Because the detection is limited to a specific set of application protocols, its coverage is Minimal, resulting in a Minimal score.
References
amazon_guardduty Amazon GuardDuty detect minimal T1110.004 Credential Stuffing
Comments
Because the detection is limited to a specific set of application protocols, its coverage is Minimal, resulting in a Minimal score.
References
amazon_guardduty Amazon GuardDuty detect partial T1189 Drive-by Compromise
amazon_guardduty Amazon GuardDuty detect minimal T1190 Exploit Public-Facing Application
Comments
There is a GuardDuty finding type that captures when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable (e.g., IAM credentials associated with the resource): UnauthorizedAccess:EC2/MetadataDNSRebind. This finding type only detects MetadataDNSRebind and is focused on the EC2 instance rather than the application running on the instance itself, resulting in Minimal coverage.
References
amazon_guardduty Amazon GuardDuty detect partial T1485 Data Destruction
Comments
The following GuardDuty finding types flag events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources: Impact:S3/MaliciousIPCaller, Impact:IAMUser/AnomalousBehavior, Stealth:S3/ServerAccessLoggingDisabled, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller, PenTest:S3/PentooLinux, PenTest:S3/ParrotLinux, PenTest:S3/KaliLinux.
References
amazon_guardduty Amazon GuardDuty detect partial T1486 Data Encrypted for Impact
Comments
The following GuardDuty finding types flag events where adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources: Impact:S3/MaliciousIPCaller, Stealth:S3/ServerAccessLoggingDisabled, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller, PenTest:S3/PentooLinux, PenTest:S3/ParrotLinux, PenTest:S3/KaliLinux.
References
amazon_guardduty Amazon GuardDuty detect partial T1491 Defacement
Comments
GuardDuty provides multiple finding types that flag malicious activity against resources. These findings focus on API calls that look suspicious; although they do not flag events such as defacement specifically, it can be inferred that they can help mitigate this technique's negative impact. With this assumption, the score is capped at Partial.
References
amazon_guardduty Amazon GuardDuty detect partial T1491.001 Internal Defacement
Comments
The following finding types can be used to detect behavior that can lead to the defacement of cloud resources: Impact:S3/MaliciousIPCaller, Exfiltration:S3/MaliciousIPCaller, Exfiltration:S3/ObjectRead.Unusual, PenTest:S3/KaliLinux, PenTest:S3/ParrotLinux, PenTest:S3/PentooLinux, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller.
References
amazon_guardduty Amazon GuardDuty detect partial T1491.002 External Defacement
Comments
The following finding types can be used to detect behavior that can lead to the defacement of cloud resources: Impact:S3/MaliciousIPCaller, Exfiltration:S3/MaliciousIPCaller, Exfiltration:S3/ObjectRead.Unusual, PenTest:S3/KaliLinux, PenTest:S3/ParrotLinux, PenTest:S3/PentooLinux, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller.
References
amazon_guardduty Amazon GuardDuty detect partial T1496 Resource Hijacking
Comments
The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems in order to solve resource-intensive problems, which may impact system and/or hosted service availability: CryptoCurrency:EC2/BitcoinTool.B, CryptoCurrency:EC2/BitcoinTool.B!DNS, Impact:EC2/BitcoinDomainRequest.Reputation, UnauthorizedAccess:EC2/TorRelay.
References
amazon_guardduty Amazon GuardDuty detect partial T1498 Network Denial of Service
Comments
The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users: Backdoor:EC2/DenialOfService.UdpOnTcpPorts, Backdoor:EC2/DenialOfService.UnusualProtocol, Backdoor:EC2/DenialOfService.Udp, Backdoor:EC2/DenialOfService.Tcp, Backdoor:EC2/DenialOfService.Dns.
References
amazon_guardduty Amazon GuardDuty detect partial T1498.001 Direct Network Flood
Comments
The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users: Backdoor:EC2/DenialOfService.UdpOnTcpPorts, Backdoor:EC2/DenialOfService.UnusualProtocol, Backdoor:EC2/DenialOfService.Udp, Backdoor:EC2/DenialOfService.Tcp, Backdoor:EC2/DenialOfService.Dns.
References
amazon_guardduty Amazon GuardDuty detect partial T1498.002 Reflection Amplification
Comments
The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users: Backdoor:EC2/DenialOfService.UdpOnTcpPorts, Backdoor:EC2/DenialOfService.UnusualProtocol, Backdoor:EC2/DenialOfService.Udp, Backdoor:EC2/DenialOfService.Tcp, Backdoor:EC2/DenialOfService.Dns.
References
amazon_guardduty Amazon GuardDuty detect partial T1526 Cloud Service Discovery
Comments
GuardDuty flags events where there is an attempt to discover information about resources: it monitors for potential threats and suspicious behavior aimed at discovering information about cloud services.
References
amazon_guardduty Amazon GuardDuty detect partial T1530 Data from Cloud Storage Object
Comments
The following GuardDuty finding types flag events where adversaries may access data objects from improperly secured cloud storage: UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller, Impact:S3/MaliciousIPCaller, Exfiltration:S3/MaliciousIPCaller, Exfiltration:S3/ObjectRead.Unusual, PenTest:S3/KaliLinux, PenTest:S3/ParrotLinux, PenTest:S3/PentooLinux.
References
amazon_guardduty Amazon GuardDuty detect partial T1531 Account Access Removal
Comments
The following GuardDuty finding type flags events where adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users: Impact:IAMUser/AnomalousBehavior.
References
amazon_guardduty Amazon GuardDuty detect minimal T1552 Unsecured Credentials
Comments
This control provides Minimal to Partial coverage for a minority of this technique's sub-techniques, without specific coverage for its procedures, resulting in an overall score of Minimal.
References
amazon_guardduty Amazon GuardDuty detect partial T1552.001 Credentials In Files
Comments
The following finding types in Amazon GuardDuty can be used to identify potentially malicious interactions with S3 which may lead to the compromise of any credential files stored in S3: Impact:S3/MaliciousIPCaller, Exfiltration:S3/MaliciousIPCaller, Exfiltration:S3/ObjectRead.Unusual, PenTest:S3/KaliLinux, PenTest:S3/ParrotLinux, PenTest:S3/PentooLinux, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller. The score is capped at Partial since the findings only apply to credential files stored within S3 buckets and only to certain types of suspicious behavior.
References
amazon_guardduty Amazon GuardDuty detect minimal T1552.005 Cloud Instance Metadata API
Comments
The UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type flags attempts to run AWS API operations from a host outside of EC2 using temporary AWS credentials that were created on an EC2 instance in your AWS environment. This may indicate that the temporary credentials have been compromised. The score is capped at Minimal because external use is required for detection.
References
amazon_guardduty Amazon GuardDuty detect partial T1562 Impair Defenses
Comments
GuardDuty flags the finding type DefenseEvasion:IAMUser/AnomalousBehavior as a defense evasion technique. It looks for API calls that delete, disable, or stop operations, such as DeleteFlowLogs, DisableAlarmActions, or StopLogging. The following finding types are further examples: Stealth:IAMUser/CloudTrailLoggingDisabled, Stealth:IAMUser/PasswordPolicyChange, Stealth:S3/ServerAccessLoggingDisabled.
References
amazon_guardduty Amazon GuardDuty detect partial T1562.001 Disable or Modify Tools
Comments
The following GuardDuty findings provide indicators of malicious activity against defensive measures: Stealth:IAMUser/CloudTrailLoggingDisabled, Stealth:IAMUser/PasswordPolicyChange, Stealth:S3/ServerAccessLoggingDisabled, Impact:S3/MaliciousIPCaller, Exfiltration:S3/MaliciousIPCaller, Exfiltration:S3/ObjectRead.Unusual, PenTest:S3/KaliLinux, PenTest:S3/ParrotLinux, PenTest:S3/PentooLinux, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller.
References
amazon_guardduty Amazon GuardDuty detect partial T1562.006 Indicator Blocking
Comments
The following GuardDuty findings provide indicators of malicious activity against defensive measures: Stealth:IAMUser/CloudTrailLoggingDisabled, Stealth:IAMUser/PasswordPolicyChange, Stealth:S3/ServerAccessLoggingDisabled, Impact:S3/MaliciousIPCaller, Exfiltration:S3/MaliciousIPCaller, Exfiltration:S3/ObjectRead.Unusual, PenTest:S3/KaliLinux, PenTest:S3/ParrotLinux, PenTest:S3/PentooLinux, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller.
References
amazon_guardduty Amazon GuardDuty detect partial T1562.008 Disable Cloud Logs
Comments
The following GuardDuty findings provide indicators of malicious activity against defensive measures: Stealth:IAMUser/CloudTrailLoggingDisabled, Stealth:IAMUser/PasswordPolicyChange, Stealth:S3/ServerAccessLoggingDisabled, Impact:S3/MaliciousIPCaller, Exfiltration:S3/MaliciousIPCaller, Exfiltration:S3/ObjectRead.Unusual, PenTest:S3/KaliLinux, PenTest:S3/ParrotLinux, PenTest:S3/PentooLinux, UnauthorizedAccess:S3/MaliciousIPCaller.Custom, UnauthorizedAccess:S3/TorIPCaller. "Amazon GuardDuty is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in GuardDuty."
References
amazon_guardduty Amazon GuardDuty detect partial T1565 Data Manipulation
Comments
The following GuardDuty finding type flags events where adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity: Impact:S3/MaliciousIPCaller.
References
amazon_guardduty Amazon GuardDuty detect partial T1565.001 Stored Data Manipulation
Comments
The Impact:S3/MaliciousIPCaller finding type looks for API calls commonly associated with techniques of the Impact tactic, where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment.
References
                                              amazon_guardduty Amazon GuardDuty detect partial T1566 Phishing
                                              Comments
                                              GuardDuty implements a finding type that flags/alerts when an EC2 service queries a Domain known to be tied to a phishing attack. Trojan:EC2/PhishingDomainRequest!DNS
                                              References
                                              amazon_guardduty Amazon GuardDuty detect partial T1566.001 Spearphishing Attachment
                                              Comments
                                              The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.
                                              References
                                                amazon_guardduty Amazon GuardDuty detect partial T1566.002 Spearphishing Link
                                                Comments
                                                The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.
                                                References
                                                  amazon_guardduty Amazon GuardDuty detect partial T1566.003 Spearphishing via Service
                                                  Comments
                                                  The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.
                                                  References
                                                    amazon_guardduty Amazon GuardDuty detect partial T1567 Exfiltration Over Web Service
                                                    Comments
                                                    The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel. Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual
                                                    References
                                                    amazon_guardduty Amazon GuardDuty detect partial T1567.001 Exfiltration to Code Repository
                                                    Comments
                                                    The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel. Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual
References
amazon_guardduty Amazon GuardDuty detect partial T1567.002 Exfiltration to Cloud Storage
Comments
The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.
Exfiltration:S3/ObjectRead.Unusual
Exfiltration:S3/MaliciousIPCaller
Exfiltration:IAMUser/AnomalousBehavior
Behavior:EC2/TrafficVolumeUnusual
References
amazon_guardduty Amazon GuardDuty detect partial T1567.003 Exfiltration to Text Storage Sites
Comments
The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.
Exfiltration:S3/ObjectRead.Unusual
Exfiltration:S3/MaliciousIPCaller
Exfiltration:IAMUser/AnomalousBehavior
Behavior:EC2/TrafficVolumeUnusual
References
amazon_guardduty Amazon GuardDuty detect partial T1567.004 Exfiltration Over Webhook
Comments
The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.
Exfiltration:S3/ObjectRead.Unusual
Exfiltration:S3/MaliciousIPCaller
Exfiltration:IAMUser/AnomalousBehavior
Behavior:EC2/TrafficVolumeUnusual
References
amazon_guardduty Amazon GuardDuty detect partial T1568 Dynamic Resolution
Comments
GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.
Trojan:EC2/DGADomainRequest.B
Trojan:EC2/DGADomainRequest.C!DNS
References
amazon_guardduty Amazon GuardDuty detect partial T1568.002 Domain Generation Algorithms
Comments
GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.
Trojan:EC2/DGADomainRequest.B
Trojan:EC2/DGADomainRequest.C!DNS
References
amazon_guardduty Amazon GuardDuty detect partial T1571 Non-Standard Port
Comments
GuardDuty has the following finding type to flag events where adversaries may communicate using a protocol and port pairing that is not typically associated with that protocol.
Behavior:EC2/NetworkPortUnusual
References
amazon_guardduty Amazon GuardDuty detect partial T1580 Cloud Infrastructure Discovery
Comments
The following GuardDuty finding types flag events that are linked to Discovery techniques and can be used to capture events where a malicious user may be searching through the account looking for available resources. The finding types are also used to flag certain signatures of running services to detect malicious user activities from commonly used pentest operating systems.
Discovery:IAMUser/AnomalousBehavior
Discovery:S3/MaliciousIPCaller
Discovery:S3/MaliciousIPCaller.Custom
Discovery:S3/TorIPCaller
PenTest:IAMUser/KaliLinux
PenTest:IAMUser/ParrotLinux
PenTest:IAMUser/PentooLinux
PenTest:S3/KaliLinux
PenTest:S3/ParrotLinux
PenTest:S3/PentooLinux
References
amazon_guardduty Amazon GuardDuty detect partial T1595 Active Scanning
Comments
Documentation states that the service can flag such attempts under the Reconnaissance category: activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP. Note: this is from the perspective of the resource running in the AWS account, meaning GuardDuty has several finding types that flag events that take place via a resource (e.g., EC2, IAM, S3).
References
amazon_guardduty Amazon GuardDuty detect partial T1595.001 Scanning IP Blocks
Comments
There are a few finding types offered by GuardDuty that flag this behavior:
Recon:EC2/PortProbeEMRUnprotectedPort
Recon:EC2/PortProbeUnprotectedPort
Recon:EC2/Portscan
Impact:EC2/PortSweep
References
amazon_guardduty Amazon GuardDuty detect partial T1595.002 Vulnerability Scanning
Comments
There are finding types that show when an EC2 instance is probing other AWS resources for information:
Recon:EC2/PortProbeEMRUnprotectedPort
Recon:EC2/PortProbeUnprotectedPort
Recon:EC2/Portscan
Impact:EC2/PortSweep
References
amazon_guardduty Amazon GuardDuty detect partial T1619 Cloud Storage Object Discovery
Comments
The GuardDuty finding Discovery:IAMUser/AnomalousBehavior can be used to detect this technique.
References
amazon_guardduty Amazon GuardDuty detect partial T1622 Debugger Evasion
Comments
Amazon GuardDuty finding DefenseEvasion:Runtime/PtraceAntiDebugging can aid in the detection of a specific type of Debugger Evasion.
References
amazon_guardduty Amazon GuardDuty detect partial T1649 Steal or Forge Authentication Certificates
Comments
Amazon GuardDuty finding AttackSequence:IAM/CompromisedCredentials can aid in the detection of compromised credentials.
References