Created
June 21, 2022 09:59
-
-
Save costasko/fd1fddcdc8134d8d1cada2bf47224f11 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Findings": [ | |
| { | |
| "AccountId": "123456789012", | |
| "Arn": "arn:aws:guardduty:eu-west-1:123456789012:detector/60c0c2ceb4979145c04e0c3aeff92e63/finding/e4c0c2ced9a702278fda8239b173d802", | |
| "CreatedAt": "2022-06-21T09:35:13.742Z", | |
| "Description": "EC2 instance i-99999999 is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.", | |
| "Id": "e4c0c2ced9a702278fda8239b173d802", | |
| "Partition": "aws", | |
| "Region": "eu-west-1", | |
| "Resource": { | |
| "InstanceDetails": { | |
| "AvailabilityZone": "GeneratedFindingInstaceAvailabilityZone", | |
| "IamInstanceProfile": { | |
| "Arn": "arn:aws:iam::123456789012:example/instance/profile", | |
| "Id": "GeneratedFindingInstanceProfileId" | |
| }, | |
| "ImageDescription": "GeneratedFindingInstaceImageDescription", | |
| "ImageId": "ami-99999999", | |
| "InstanceId": "i-99999999", | |
| "InstanceState": "running", | |
| "InstanceType": "m3.xlarge", | |
| "OutpostArn": "arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3", | |
| "LaunchTime": "2016-11-12T23:25:58.000Z", | |
| "NetworkInterfaces": [ | |
| { | |
| "Ipv6Addresses": [], | |
| "NetworkInterfaceId": "eni-bfcffe88", | |
| "PrivateDnsName": "GeneratedFindingPrivateDnsName", | |
| "PrivateIpAddress": "10.0.0.1", | |
| "PrivateIpAddresses": [ | |
| { | |
| "PrivateDnsName": "GeneratedFindingPrivateName", | |
| "PrivateIpAddress": "10.0.0.1" | |
| } | |
| ], | |
| "PublicDnsName": "GeneratedFindingPublicDNSName", | |
| "PublicIp": "198.51.100.0", | |
| "SecurityGroups": [ | |
| { | |
| "GroupId": "GeneratedFindingSecurityId", | |
| "GroupName": "GeneratedFindingSecurityGroupName" | |
| } | |
| ], | |
| "SubnetId": "GeneratedFindingSubnetId", | |
| "VpcId": "GeneratedFindingVPCId" | |
| } | |
| ], | |
| "ProductCodes": [ | |
| {} | |
| ], | |
| "Tags": [ | |
| { | |
| "Key": "GeneratedFindingInstaceTag1", | |
| "Value": "GeneratedFindingInstaceValue1" | |
| }, | |
| { | |
| "Key": "GeneratedFindingInstaceTag2", | |
| "Value": "GeneratedFindingInstaceTagValue2" | |
| }, | |
| { | |
| "Key": "GeneratedFindingInstaceTag3", | |
| "Value": "GeneratedFindingInstaceTagValue3" | |
| }, | |
| { | |
| "Key": "GeneratedFindingInstaceTag4", | |
| "Value": "GeneratedFindingInstaceTagValue4" | |
| }, | |
| { | |
| "Key": "GeneratedFindingInstaceTag5", | |
| "Value": "GeneratedFindingInstaceTagValue5" | |
| }, | |
| { | |
| "Key": "GeneratedFindingInstaceTag6", | |
| "Value": "GeneratedFindingInstaceTagValue6" | |
| }, | |
| { | |
| "Key": "GeneratedFindingInstaceTag7", | |
| "Value": "GeneratedFindingInstaceTagValue7" | |
| }, | |
| { | |
| "Key": "GeneratedFindingInstaceTag8", | |
| "Value": "GeneratedFindingInstaceTagValue8" | |
| }, | |
| { | |
| "Key": "GeneratedFindingInstaceTag9", | |
| "Value": "GeneratedFindingInstaceTagValue9" | |
| } | |
| ] | |
| }, | |
| "ResourceType": "Instance" | |
| }, | |
| "SchemaVersion": "2.0", | |
| "Service": { | |
| "Action": { | |
| "ActionType": "DNS_REQUEST", | |
| "DnsRequestAction": { | |
| "Domain": "GeneratedFindingDomainName" | |
| } | |
| }, | |
| "Evidence": { | |
| "ThreatIntelligenceDetails": [ | |
| { | |
| "ThreatListName": "GeneratedFindingThreatListName", | |
| "ThreatNames": [ | |
| "GeneratedFindingThreatName" | |
| ] | |
| } | |
| ] | |
| }, | |
| "Archived": false, | |
| "Count": 1, | |
| "DetectorId": "60c0c2ceb4979145c04e0c3aeff92e63", | |
| "EventFirstSeen": "2022-06-21T09:35:13.000Z", | |
| "EventLastSeen": "2022-06-21T09:35:13.000Z", | |
| "ResourceRole": "TARGET", | |
| "ServiceName": "guardduty" | |
| }, | |
| "Severity": 5, | |
| "Title": "Drop Point domain name queried by EC2 instance i-99999999.", | |
| "Type": "Trojan:EC2/DropPoint!DNS", | |
| "UpdatedAt": "2022-06-21T09:35:13.742Z" | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{ "Findings": [ { "AccountId": "123456789012", "Arn": "arn:aws:guardduty:eu-west-1:123456789012:detector/60c0c2ceb4979145c04e0c3aeff92e63/finding/dac0c2ced9a2c0bc0ef07404f9e9ca3a", "CreatedAt": "2022-06-21T09:35:13.733Z", "Description": "EC2 instance i-99999999 is attempting to query domain names that resemble exfiltrated data. This could be an indication of a compromised instance.", "Id": "dac0c2ced9a2c0bc0ef07404f9e9ca3a", "Partition": "aws", "Region": "eu-west-1", "Resource": { "InstanceDetails": { "AvailabilityZone": "GeneratedFindingInstaceAvailabilityZone", "IamInstanceProfile": { "Arn": "arn:aws:iam::123456789012:example/instance/profile", "Id": "GeneratedFindingInstanceProfileId" }, "ImageDescription": "GeneratedFindingInstaceImageDescription", "ImageId": "ami-99999999", "InstanceId": "i-99999999", "InstanceState": "running", "InstanceType": "t2.small", "OutpostArn": "arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3", "LaunchTime": "2017-01-25T13:25:34.000Z", "NetworkInterfaces": [ { "Ipv6Addresses": [], "NetworkInterfaceId": "eni-bfcffe88", "PrivateDnsName": "GeneratedFindingPrivateDnsName", "PrivateIpAddress": "10.0.0.1", "PrivateIpAddresses": [ { "PrivateDnsName": "GeneratedFindingPrivateName", "PrivateIpAddress": "10.0.0.1" } ], "PublicDnsName": "GeneratedFindingPublicDNSName", "PublicIp": "198.51.100.0", "SecurityGroups": [ { "GroupId": "GeneratedFindingSecurityId", "GroupName": "GeneratedFindingSecurityGroupName" } ], "SubnetId": "GeneratedFindingSubnetId", "VpcId": "GeneratedFindingVPCId" } ], "ProductCodes": [ {} ], "Tags": [ { "Key": "GeneratedFindingInstaceTag1", "Value": "GeneratedFindingInstaceValue1" }, { "Key": "GeneratedFindingInstaceTag2", "Value": "GeneratedFindingInstaceTagValue2" }, { "Key": "GeneratedFindingInstaceTag3", "Value": "GeneratedFindingInstaceTagValue3" }, { "Key": "GeneratedFindingInstaceTag4", "Value": "GeneratedFindingInstaceTagValue4" }, { "Key": "GeneratedFindingInstaceTag5", "Value": "GeneratedFindingInstaceTagValue5" }, { "Key": "GeneratedFindingInstaceTag6", "Value": "GeneratedFindingInstaceTagValue6" }, { "Key": "GeneratedFindingInstaceTag7", "Value": "GeneratedFindingInstaceTagValue7" }, { "Key": "GeneratedFindingInstaceTag8", "Value": "GeneratedFindingInstaceTagValue8" }, { "Key": "GeneratedFindingInstaceTag9", "Value": "GeneratedFindingInstaceTagValue9" } ] }, "ResourceType": "Instance" }, "SchemaVersion": "2.0", "Service": { "Action": { "ActionType": "DNS_REQUEST", "DnsRequestAction": { "Domain": "GeneratedFindingAdditionalDomainName" } }, "Archived": false, "Count": 1, "DetectorId": "60c0c2ceb4979145c04e0c3aeff92e63", "EventFirstSeen": "2022-06-21T09:35:13.000Z", "EventLastSeen": "2022-06-21T09:35:13.000Z", "ResourceRole": "ACTOR", "ServiceName": "guardduty" }, "Severity": 8, "Title": "Data exfiltration through DNS queries from EC2 instance i-99999999.", "Type": "Trojan:EC2/DNSDataExfiltration", "UpdatedAt": "2022-06-21T09:35:13.733Z" } ] }