awslabs / amazon-guardduty-tester

This repository can be used to generate and evaluate findings detected by Amazon GuardDuty
Apache License 2.0

Some findings haven't appeared for over an hour #3

Closed bgeesaman closed 6 years ago

bgeesaman commented 6 years ago
| Severity | Finding Type | Instance | Last | Count |
|---|---|---|---|---|
| High | UnauthorizedAccess:EC2/RDPBruteForce | i-0e074acf904a90a45 | an hour ago | 1 |
| Low | UnauthorizedAccess:EC2/RDPBruteForce | i-0a726a2dd140c4458 | an hour ago | 1 |
| Medium | Recon:EC2/Portscan | i-0e074acf904a90a45 | an hour ago | 1 |
| High | UnauthorizedAccess:EC2/SSHBruteForce | i-0e074acf904a90a45 | an hour ago | 1 |
| Low | UnauthorizedAccess:EC2/SSHBruteForce | i-0b95fbcf4a9d4d2a6 | an hour ago | 1 |

I was expecting to see these by now:

Test 4: Cryptocurrency Activity
Expected Finding: EC2 Instance i-0e074acf904a90a45 is querying a domain name that is associated with bitcoin activity
Finding Type : CryptoCurrency:EC2/BitcoinTool.B!DNS

Test 5: DNS Exfiltration
Expected Finding: EC2 instance i-0e074acf904a90a45 is attempting to query domain names that resemble exfiltrated data
Finding Type : Backdoor:EC2/DNSDataExfiltration

Test 6: C&C Activity
Expected Finding: EC2 instance i-0e074acf904a90a45 is querying a domain name associated with a known Command & Control server.
Finding Type : Backdoor:EC2/C&CActivity.B!DNS

I've run Tests 4 through 6 several times, but nothing has shown up.

Also, I uploaded an ip.txt to a bucket with the contents of:

4.2.2.2
8.8.8.8

And I attempted to reach them via ICMP and several ports to trigger the threat list finding.

Am I missing something?

bgeesaman commented 6 years ago

After seeing this: https://www.slideshare.net/AmazonWebServices/guardduty-handson-lab I see now that these findings may be part of the behavioral detection, which takes 7-14 days to create a baseline. It seems odd, though, that the threat list hits aren't signature based.

bgeesaman commented 6 years ago

Whoa, ok. So, I just got this after roughly 90 mins:

| Severity | Finding Type | Instance | Last | Count |
|---|---|---|---|---|
| High | Trojan:EC2/DNSDataExfiltration | i-0e074acf904a90a45 | 2 hours ago | 3 |

And a few mins later:

| Severity | Finding Type | Instance | Last | Count |
|---|---|---|---|---|
| Medium | CryptoCurrency:EC2/BitcoinTool.B!DNS | i-0e074acf904a90a45 | 2 hours ago | 2 |

bgeesaman commented 6 years ago

So, after a good amount of delay in my case, all of them eventually appeared. Thanks again for this lab!
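The manual checking done in this thread (which of the Test 4-6 finding types have shown up yet for the instance, and the fact that the exfiltration finding arrived as `Trojan:EC2/...` rather than the `Backdoor:EC2/...` the tester prints) can be scripted. The following is an added example, not code from amazon-guardduty-tester; the detector id, instance id and region are assumptions to fill in, and the helpers that inspect finding dicts run offline without AWS credentials.

```python
"""Report which expected GuardDuty finding types are still missing for one
instance. Added example, not part of amazon-guardduty-tester; detector id,
instance id and region are assumptions to fill in."""
from collections import defaultdict

# Types the issue expects from Tests 4-6. The exfiltration finding actually
# arrived as Trojan:EC2/..., so matching ignores the prefix before the colon.
EXPECTED_TYPES = [
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Backdoor:EC2/DNSDataExfiltration",
    "Backdoor:EC2/C&CActivity.B!DNS",
]

def _tail(finding_type):
    """'Trojan:EC2/DNSDataExfiltration' -> 'EC2/DNSDataExfiltration'."""
    return finding_type.split(":", 1)[-1]

def summarize(findings, instance_id):
    """Map 'EC2/...' tail -> total Service.Count for findings on instance_id.
    `findings` are GuardDuty finding dicts as returned by get_findings()."""
    seen = defaultdict(int)
    for f in findings:
        inst = f.get("Resource", {}).get("InstanceDetails", {}).get("InstanceId", "")
        if inst.lower() == instance_id.lower():
            seen[_tail(f["Type"])] += f.get("Service", {}).get("Count", 1)
    return dict(seen)

def missing_types(findings, instance_id, expected=EXPECTED_TYPES):
    """Expected types (full names) not yet observed for the instance."""
    seen = summarize(findings, instance_id)
    return [t for t in expected if _tail(t) not in seen]

def fetch_findings(detector_id, instance_id, region="us-west-2"):
    """Pull every finding for one instance through the GuardDuty API."""
    import boto3  # imported lazily so the helpers above run offline
    gd = boto3.client("guardduty", region_name=region)
    crit = {"Criterion": {"resource.instanceDetails.instanceId": {"Equals": [instance_id]}}}
    ids, token = [], None
    while True:  # list_findings is paginated; follow NextToken until exhausted
        page = gd.list_findings(DetectorId=detector_id, FindingCriteria=crit,
                                **({"NextToken": token} if token else {}))
        ids += page["FindingIds"]
        token = page.get("NextToken")
        if not token:
            break
    out = []
    for i in range(0, len(ids), 50):  # get_findings takes at most 50 ids per call
        out += gd.get_findings(DetectorId=detector_id, FindingIds=ids[i:i + 50])["Findings"]
    return out
```

Run `missing_types(fetch_findings("<detector-id>", "i-0e074acf904a90a45"), "i-0e074acf904a90a45")` periodically; an empty list means all three DNS-based findings have been delivered.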