|
|
|
|
|
Step into the world of real-world cybercrime investigations!
Persistence:
Adversaries/attackers are trying to remain inside your system even after you remove them.
After the attacker gains access, they may try to keep their access alive for a long time adding access keys, backdoor users, or modifying startup scripts. then try to find or exfiltrate sensitive data
Attack :
Guard duty detected a finding in AWS and triggered an alert.
Persistence: IAMUser/AnomalousBehavior
The IAM user is behaving more suspiciously than usual—maybe trying to stay logged in longer, access services not used before, or use unusual regions.
If guard duty detects a finding, it generates an alert in the AWS GuardDuty console as a finding ID.
Defense:
Generally, an attacker is trying to maintain long-term access to a compromised AWS environment. That means user credentials were logged in without the actual user's knowledge.
Attackers keep sessions longer; hence, to find this, check the start and end times of the activity.
If the same user activity, deviating from the general baseline activity, is observed repeatedly or unusual activity with an updated end time is seen, we can suspect persistence.
Kindly check for any threat or alert detections on the user account.
These could also be benign true positive, or false positive alerts.
Hence, check the logs of the user's previous activities. If no threat indication or alerts are present, the user can be treated as risk-less. Check the historical logs; if the same API access is observed from the user, the alert can be closed.
It is important to investigate the AWS logs for the reason why GuardDuty detected a threat.
Need to check with the team managing AWS for access information, or with the user, to easily classify and triage this activity.
If compromise identified or its not user activity
We need to revoke sessions, reset access keys, and rotate passwords for the user
We also need to strengthen security rules for initial access, such as implementing MFA or a 2FA mechanism.
Payload Explanation:
{"schemaVersion":"2.0","accountId":"123456789012","region":"us-east-1","partition":"aws","id":"abcd1234-5678-90ab-cdef-EXAMPLE11111","arn":"arn:aws:guardduty:us-east-1:123456789012:detector/12abc34d567e8f9012g3h456789i012j/finding/abcd1234-5678-90ab-cdef-EXAMPLE11111","type":"Persistence:IAMUser/AnomalousBehavior","resource":{"resourceType":"AccessKey","accessKeyDetails":{"accessKeyId":"AKIAEXAMPLE","principalId":"AIDAEXAMPLE","userType":"IAMUser","userName":"example-user"},"instanceDetails":null},"service":{"serviceName":"guardduty","detectorId":"12abc34d567e8f9012g3h456789i012j","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"ListBuckets","serviceName":"s3.amazonaws.com","callerType":"remote IP","remoteIpDetails":{"ipAddressV4":"203.0.113.42","organization":{"asn":"64512","asnOrg":"EXAMPLE ISP","isp":"EXAMPLE ISP","org":"EXAMPLE ORG"},"country":{"countryName":"Russia"},"city":{"cityName":"Moscow"},"geoLocation":{"lat":55.7558,"lon":37.6173}},"userAgent":"aws-sdk-java/1.11.100","domainDetails":{"domain":"s3.amazonaws.com"},"additionalInfo":{"anomalousApi":"ListBuckets","apiCount":37,""apiUsedByUser":"GetObject,PutObject,CreateBucket,DeleteBucket","unusualServiceAccess":"S3","userAccessPatterns":"This user typically accesses EC2, but is now accessing S3","unusualCountryAccess":"true"}}},"eventFirstSeen":"2025-06-07T00:00:00Z","eventLastSeen":"2025-06-07T00:05:00Z","archived":false,"count":1},"severity":5,"title":"IAM user is exhibiting anomalous behavior","description":"An IAM user has accessed services in an unexpected way, including API calls not normally used and from a geolocation not previously associated with this user. This could indicate credential compromise or attacker persistence."}
Lets discuss on payload
Some other findings on AWS GuardDuty are mentioned below.
Persistence: ResourcePermission/ Bitcoin Tool.B
Persistence: EC2/SSHBruteForceSuccess
Execution :
Adversaries/ Attacker run malicious code on target system, this is one of the most important tactic.
It's a calm Tuesday evening. Asritha is sipping her tea due to a headache caused by the alerts.she received a call from another analyst that critical alerts were triggered. She ran, leaving her tea aside, and assigned the incident.
Finding : Execution: EC2 Instance - Tor client / Backdoor:EC2/TorClient
These findings are in the execution phase because they are occurring from the instance.
This finding shows that guard duty detected a Tor client running on an EC2 instance.
Attack:
Someone might launch code, or an adversary compromised the instance during delivery
Delivery of malicious payloads can be through various means, such as phishing emails opened immediately, drive-by download attacks, and PUPs, which are accessed inside the EC2 instances.
hence the delivery got sucessful and that lead to tor client execution on instance
Or some user want to conduct scanning, red team activity, or simulations to test the guard duty's detection capabilities on the instance.
This basically identified when the Tor client was running on the instance.
Defense:
kindly check with the user whether the user is having privileges to do this activity and whether this is begnin activitiy or not
kindly recommend to isolate the instance or stop the instance on immediate affect
identify the process or tor client remove from the instance
Kindly terminate the machine if this is not a legitimate activity. If a remote or public IP address is found, then block the remote IP address.
If any backup snapshots can be restored to avoid service disruption.
Kindly recommend to temporarily disable the IAM account
Payload explanation:
{"schemaVersion":"2.0","accountId":"123456789012","region":"ap-south-1","partition":"aws","id":"abcd1234efgh5678ijkl9012mnop3456","arn":"arn:aws:guardduty:ap-south-1:123456789012:detector/12ab34cd5678e9012fgh34ij56kl78mn/finding/abcd1234efgh5678ijkl9012mnop3456","type":"Execution:EC2/TorClient","resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-0ab12cd3456ef7890","instanceType":"t3.medium","platform":"Linux","launchTime":"2025-06-03T08:24:16Z","networkInterfaces":[{"networkInterfaceId":"eni-abc123def456","privateIpAddress":"10.0.1.5","subnetId":"subnet-xyz890123","vpcId":"vpc-11223344"}]}},"severity":7.5,"createdAt":"2025-06-03T10:45:12Z","updatedAt":"2025-06-03T10:45:12Z","title":"EC2 Instance is running a Tor client","description":"EC2 instance i-0ab12cd3456ef7890 in region ap-south-1 is running a Tor client, which can be used for anonymized command and control communications.","service":{"serviceName":"guardduty","detectorId":"12ab34cd5678e9012fgh34ij56kl78mn","action":{"actionType":"EXECUTION","runtimeDetails":{"processName":"tor","processId":4321,"filePath":"/usr/bin/tor"}},"resourceRole":"TARGET"},"confidence":95,"findingProviderFields":{"threatPurpose":"EXECUTION","name":"Execution:EC2/TorClient","description":"The EC2 instance is running a Tor client executable, often used by attackers to mask command and control traffic.","severityLabel":"HIGH"}}
The above activity was detected as a finding by AWS GuardDuty because EC2 instance i-0ab12cd3456ef7890 in AWS account 123456789012 is running a Tor client. This client connects to the Tor network. The process name is "tor," and its location is /usr/bin/tor. Please follow the defense steps mentioned above.
Like wise we get several execution finding ID's
Some of them are mentioned below for reference :
Execution:EC2/Backdoor:EC2/SSHBruteForce :
If multiple SSH connection attempts are detected from any EC2 instance, indicating a possible malicious brute-force attack on any resource or IP network, then GuardDuty detects this or similar findings.
Execution: EC2/BitcoinTool.B! DNS:
If any application or process detected on EC2 attempting DNS queries related to Bitcoin mining, then GuardDuty detects this or similar findings.
Execution:EC2/CommandAndControl:EC2/Beacon:
If any EC2 instance is beaconing or communicates with to an external server, usually a result of command execution (also C2). then GuardDuty detects this or similar findings.
similar kind of activites which initiates from the instances fall under execution phase
Tshark - TShark is the command-line version of Wireshark
It performs similar network packet capture and analysis functions but without a graphical user interface. It is widely used for network monitoring, troubleshooting, and security analysis, especially in environments where a GUI is not available.
Examples :
Capture packets on an interface:
tshark -i eth0
Capture and display only HTTP traffic:
tshark -i eth0 -f "tcp port 80"
Capture packets and save to a file:
tshark -i eth0 -w capture.pcap
Display DNS queries:
tshark -i eth0 -Y "dns"
Output capture to JSON format:
tshark -i eth0 -T json
Key Options:
-i -> interface selection : Specifies the network interface to capture packets
Example: tshark -i eth0
-D -> Get list of interfaces : we get output , that you get all list of interfaces
Example: tshark -D
-f -> capture filter : Specifies a filter for the packets captured at the interface level.
Example : tshark -i eth0 -f "tcp port 80"
-Y -> display filter : Filters the packets after capture (similar to Wireshark's display filters).
Example : tshark -i eth0 -Y "http"
-w -> write output to the file: Writes the captured packets to a file in PCAP format, which can be opened later in Wireshark.
Example : tshark -i eth0 -w capture.pcap
For More Info: https://www.securitymanadhey.com/p/tshark-tshark-is-command-line-version.html
In the Windows operating system, the nslookup command is used to query DNS records.
For example, to query the DNS A record for a domain, use the following command:
nslookup -type=A domainname
nslookup -type=A securitymanadhey.com
This command produces output:
Server: reliance.reliance (this is ISP connection)
Address: 2405:201:c00b:3a31::c0a8:1d01(the IP address of the Reliance DNS resolver)
Non-authoritative answer:
Name: securitymanadhey.com(domain)
Addresses:
15.197.225.128 (IPV4 of the domain)
3.33.251.168(IPV4 of the domain)
Details:
Server: Displays the name and IP address of the DNS resolver used for the query.( this DNS resolver provided by your Internet Service Provider(ISP))
Non-authoritative answer: Indicates that the response came from a DNS server that is not the authoritative server for the domain.
Name: Shows the queried domain name.
Addresses: Lists the IP addresses associated with the domain (IPv4 in this example).
By default, your device uses the DNS resolver provided by your Internet Service Provider (ISP) unless you configure it to use a custom DNS server.
If you configure your device to use custom DNS servers (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1), the output would display those instead in the Server and Address fields.
Zone files are plain text files that store information about a specific domain's DNS configuration. They are part of the Domain Name System (DNS) and are maintained by authoritative DNS servers. Each zone file contains DNS records that define the mappings and properties for a domain and its subdomains.
Key Components of zone file are A ,AAAA,NS,CNAME,MX,TXT,SOA and other records.
Imagine if every time you wanted to call a friend, you had to remember their exact 10-digit phone number. The internet would be similarly frustrating if we had to remember IP addresses for every website we wanted to visit! This is where the Domain Name System (DNS) comes in, acting as the "phone book" of the internet. DNS lets us use friendly domain names (like “www.miusecurity.blogspot.com”) instead of remembering a long string of numbers.
When you type a website address in your browser, DNS resolves the IP address for that domain. Think of DNS as the bridge between people and computers, translating easy-to-remember names into IP addresses that computers need to communicate.
Here's how DNS works,
Types of DNS Servers
DNS Record Types
DNS records are the data that DNS servers return when a query is made. Here are some common record types:
DNS Query Types
DNS Caching
DNS Security Concerns:
DNS is vulnerable to various attacks:
