awslabs / amazon-guardduty-tester

This repository can be used to generate and evaluate findings detected by Amazon GuardDuty
Apache License 2.0

Unable to generate Recon:EC2/PortProbeUnprotectedPort findings #16

Closed anskrish closed 1 year ago

anskrish commented 3 years ago

Hi Team,

I have set up the environment which you suggested in the README file and ran the script, but I am unable to generate PortProbe alerts.

Here is the script output:

*****************************************************************************************************
Expected GuardDuty Findings

Test 1: Internal Port Scanning
Expected Finding: EC2 Instance  i-05  is performing outbound port scans against remote host. 172.1
Finding Type: Recon:EC2/Portscan

Test 2: SSH Brute Force with Compromised Keys
Expecting two findings - one for the outbound and one for the inbound detection
Outbound:  i-0  is performing SSH brute force attacks against  172.xxxx
Inbound:  172.xxxxxx is performing SSH brute force attacks against  i-07ad
Finding Type: UnauthorizedAccess:EC2/SSHBruteForce

Test 3: RDP Brute Force with Password List
Expecting two findings - one for the outbound and one for the inbound detection
Outbound:  i-056 is performing RDP brute force attacks against  17xxxxxx
Inbound:  17xxxxxxx  is performing RDP brute force attacks against  i-005c71xxxx
Finding Type : UnauthorizedAccess:EC2/RDPBruteForce

Test 4: Cryptocurrency Activity
Expected Finding: EC2 Instance  i-05615xxx is querying a domain name that is associated with bitcoin activity
Finding Type : CryptoCurrency:EC2/BitcoinTool.B!DNS

Test 5: DNS Exfiltration
Expected Finding: EC2 instance  i-05615089xxx  is attempting to query domain names that resemble exfiltrated data
Finding Type : Backdoor:EC2/DNSDataExfiltration

Test 6: C&C Activity
Expected Finding: EC2 instance  i-05615089=xxxx1  is querying a domain name associated with a known Command & Control server. 
Finding Type : Backdoor:EC2/C&CActivity.B!DNS

[ec2-user@ip-17xxxxx ~]$ 

When I checked the script, I did not see the command to do this. https://github.com/awslabs/amazon-guardduty-tester/blob/master/guardduty_tester.sh#L20

Please suggest how to generate a PortProbe alert.

mmshaikh88 commented 3 years ago

We would like to generate the Port Probe alerts for some testing and need a way to generate them as and when we want to run our tests.

ryanholland commented 3 years ago

Recon:EC2/PortProbeUnprotectedPort findings require that the source IP probing the open port is a known malicious IP, so it cannot be generated using the test script.
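Since this finding type cannot be produced on demand, the part of a test setup that can still be exercised is the consumer side: the logic that receives the finding and decides what to do with it. The following is an added example, not code from amazon-guardduty-tester or from the thread participants. It assumes the GuardDuty finding document as delivered through EventBridge (camelCase keys under `detail`, with the probe details under `service.action.portProbeAction`), and the two events it runs on are constructed samples, not real findings. It filters events down to `PORT_PROBE` actions, collapses the per-probe details into one record per finding, and flags any probed port that is not on the instance's expected-exposure list, which is the question a defender actually has to answer for a PortProbeUnprotectedPort finding: should that port have been reachable at all.

```python
"""Triage helper for GuardDuty PORT_PROBE findings (added example, not project code).

Assumes the EventBridge event shape for GuardDuty findings: camelCase keys under
"detail". The sample events are constructed; the IPs and instance ids are placeholders.
"""
import json
from collections import defaultdict

# Constructed sample events. Event 1 is a PORT_PROBE finding with three probe
# details (two remote IPs, ports 22 and 3389); event 2 is a non-probe finding.
SAMPLE_EVENTS = [
    {
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": "Recon:EC2/PortProbeUnprotectedPort",
            "severity": 2,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0EXAMPLE00000001"}},
            "service": {
                "count": 3,
                "action": {
                    "actionType": "PORT_PROBE",
                    "portProbeAction": {
                        "blocked": False,
                        "portProbeDetails": [
                            {"localPortDetails": {"port": 22, "portName": "SSH"},
                             "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
                            {"localPortDetails": {"port": 3389, "portName": "RDP"},
                             "remoteIpDetails": {"ipAddressV4": "203.0.113.77"}},
                            {"localPortDetails": {"port": 22, "portName": "SSH"},
                             "remoteIpDetails": {"ipAddressV4": "203.0.113.77"}},
                        ],
                    },
                },
            },
        },
    },
    {
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": "Recon:EC2/Portscan",
            "severity": 5,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0EXAMPLE00000002"}},
            "service": {"count": 1, "action": {"actionType": "NETWORK_CONNECTION"}},
        },
    },
]


def is_port_probe(finding):
    """True when the finding's action type is PORT_PROBE, the family
    Recon:EC2/PortProbeUnprotectedPort belongs to."""
    return finding.get("service", {}).get("action", {}).get("actionType") == "PORT_PROBE"


def summarize_port_probe(finding, expected_ports=frozenset()):
    """Collapse the probe details of one PORT_PROBE finding into a triage record.

    expected_ports: ports this instance is meant to expose (e.g. {443} on a web
    tier). Every probed port outside that set is listed under "unexpected_ports",
    which is what should drive a security-group review.
    """
    action = finding["service"]["action"]["portProbeAction"]
    ports_by_remote = defaultdict(set)
    for detail in action.get("portProbeDetails", []):
        port = detail["localPortDetails"]["port"]
        remote = detail["remoteIpDetails"]["ipAddressV4"]
        ports_by_remote[remote].add(port)
    probed = sorted({p for ports in ports_by_remote.values() for p in ports})
    return {
        "finding_type": finding["type"],
        "instance_id": finding["resource"]["instanceDetails"]["instanceId"],
        "blocked": action.get("blocked", False),
        "probed_ports": probed,
        "unexpected_ports": [p for p in probed if p not in expected_ports],
        "remote_ips": sorted(ports_by_remote),
        "probe_count": finding["service"].get("count", 0),
    }


def triage(events, expected_ports=frozenset()):
    """Keep only PORT_PROBE findings from a list of EventBridge events and
    summarize each one."""
    return [summarize_port_probe(ev.get("detail", {}), expected_ports)
            for ev in events if is_port_probe(ev.get("detail", {}))]


if __name__ == "__main__":
    # SSH is the only port this (hypothetical) instance is supposed to expose.
    for record in triage(SAMPLE_EVENTS, expected_ports={22}):
        print(json.dumps(record, indent=2))
```

Feeding the summarized record into whatever ticketing or notification path the team uses is what a test of the PortProbe pipeline can verify without GuardDuty ever emitting the finding; the `blocked` flag and the `unexpected_ports` list are the two fields worth routing on.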

scottbward commented 1 year ago

Closing this issue as the tester will not be modified to cover this use case.