AWS Guard Duty | Reconnaissance | Log Analysis


Reconnaissance

AWS GuardDuty detects a wide range of suspicious or malicious activity in your AWS environment using threat intelligence feeds and anomaly detection. It continuously analyses AWS CloudTrail management events, VPC Flow Logs and Route 53 DNS query logs (without you having to enable or ship those logs yourself) and reports what it sees as findings. The finding types related to reconnaissance are listed below.

Finding types:

Recon:EC2/PortProbeUnprotectedPort
Recon:EC2/PortProbeEMRUnprotectedPort
Recon:EC2/Portscan
Recon:IAMUser/MaliciousIPCaller
Recon:IAMUser/MaliciousIPCaller.Custom
Recon:IAMUser/TorIPCaller
Recon:IAMUser/NetworkPermissions
Recon:IAMUser/ResourcePermissions
Recon:IAMUser/UserPermissions

Reconnaissance against S3 buckets is reported under the Discovery:S3/ family (for example Discovery:S3/MaliciousIPCaller and Discovery:S3/TorIPCaller). Tor use and unusual traffic from an instance are not Recon findings either: they appear as UnauthorizedAccess:EC2/TorClient, UnauthorizedAccess:EC2/TorRelay and the Behavior:EC2/ family.

Findings:

On the AWS GuardDuty console, every finding listed is a security alert for a detected threat.

Each finding includes:

Title (e.g. Recon:EC2/PortProbeUnprotectedPort)
Description of what was observed
Severity (Low, Medium, High; newer findings can also be Critical)
Resource affected (EC2 instance, IAM user, S3 bucket, etc.)
Threat purpose, the prefix before the colon in the finding type (Recon, UnauthorizedAccess, Trojan, etc.)
Time detected (first seen and last seen)
Recommendation

Let's discuss one of the findings.

1. Recon:EC2/PortProbeUnprotectedPort

This finding indicates that an EC2 instance has an unprotected port (one its security group leaves reachable from the internet) that is being probed by a known malicious host. Attackers conduct this kind of reconnaissance before launching an attack, looking for misconfigured security groups and outdated or weak services behind the open ports.

GuardDuty raises it when it sees connection attempts against such a port from an IP address on its threat lists. One finding aggregates the probes it observed; the probing source may be a single address (as in the sample below) or several. It is distinct from Recon:EC2/Portscan, which fires when your instance is the one doing the scanning.

Attack:

An external host is scanning an EC2 instance for open, unprotected ports, potentially identifying vulnerabilities for exploitation.

Defense:
As GuardDuty generates findings, they appear in the GuardDuty console and, if you forward them (typically through Amazon EventBridge), in your SIEM.

SOC analysts should act on these finding IDs and escalate or raise incidents to the incident response team; the fix itself is usually carried out by the infrastructure team that manages the AWS account.

Restrict:
Tighten the security group on the affected instance so the probed ports are no longer open to 0.0.0.0/0: allow only the source ranges that need them, or close the port entirely.
Block the remote IP address with a DENY rule on the subnet's network ACL, giving it a lower rule number than the ALLOW rules it must pre-empt.
If the exposed port is an HTTP(S) service, front it with an ALB or CloudFront and enable AWS WAF; WAF does not help for arbitrary TCP ports.

For this finding type, the event you will observe looks like the one below.


Sample log and explanation:

Event payload (JSON format):

{
  "schemaVersion": "2.0",
  "accountId": "123456789012",
  "region": "us-east-1",
  "id": "abcdef1234567890",
  "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/abcdef1234567890/finding/abcdef",
  "type": "Recon:EC2/PortProbeUnprotectedPort",
  "service": {
    "serviceName": "guardduty",
    "eventFirstSeen": "2022-12-13T17:47:40Z",
    "eventLastSeen": "2022-12-13T17:47:40Z",
    "count": 4,
    "action": {
      "actionType": "PORT_PROBE",
      "portProbeAction": {
        "portProbeDetails": [
          {"localPortDetails": {"port": 22345, "protocol": "TCP"}, "remoteIpDetails": {"ipAddressV4": "223.252.36.77"}},
          {"localPortDetails": {"port": 23231, "protocol": "TCP"}, "remoteIpDetails": {"ipAddressV4": "223.252.36.77"}},
          {"localPortDetails": {"port": 24500, "protocol": "TCP"}, "remoteIpDetails": {"ipAddressV4": "223.252.36.77"}},
          {"localPortDetails": {"port": 24500, "protocol": "TCP"}, "remoteIpDetails": {"ipAddressV4": "223.252.36.77"}}
        ]
      }
    }
  },
  "resource": {
    "instanceDetails": {
      "instanceId": "i-0abc1234de56789fg",
      "instanceType": "t2.micro",
      "privateIpAddress": "10.10.15.32",
      "securityGroups": [{"groupId": "sg-abcdef1234567890", "groupName": "default"}]
    }
  },
  "severity": 5.0,
  "createdAt": "2022-12-13T17:47:40Z",
  "updatedAt": "2022-12-13T17:47:40Z",
  "title": "EC2 Instance Port Scanning Detected",
  "description": "An external IP address (223.252.36.77) has attempted to scan multiple ports (22345, 23231, 24500) on an EC2 instance (10.10.15.32) in your AWS account.",
  "remediation": "Restrict access to the exposed ports using security groups or Network ACLs."
}

Payload explanation:

This finding was raised when port probing was observed against an EC2 instance. The description states that an external IP address (223.252.36.77) probed ports 22345, 23231 and 24500 on the instance; port 24500 appears twice in portProbeDetails, which is why count is 4.

Check the resource details: the instance ID, its private IP address and its security groups. That instance is the one the attacker targeted.

This particular finding shows the probes hit the resource "instanceId": "i-0abc1234de56789fg".

You can also see the security group associated with the EC2 instance (sg-abcdef1234567890, the default group here). Security groups act as stateful virtual firewalls that control inbound and outbound traffic to and from the instance according to rules defined by the team that manages the AWS account.

Those rules specify which traffic is allowed by protocol, port and source/destination IP range. For this finding the rule that matters is the inbound one that leaves the probed ports reachable from the internet.

GuardDuty also scores each finding and includes the value in the payload:
"severity": 5.0

Severity is a value from 1.0 to 10.0, banded as:
Low (1.0–3.9)
Medium (4.0–6.9)
High (7.0–8.9)
Critical (9.0–10.0)

Since the severity here is 5.0, the finding is Medium.

First seen:

The first time GuardDuty detected this specific behaviour or pattern for the finding. It indicates when the suspicious activity started.

Last seen:
The most recent time GuardDuty observed this behaviour. It tells you how recent the activity is and whether it is still ongoing.

Together these timestamps show whether it is a one-off event or a persistent activity: if the gap between first seen and last seen is large, the threat is persistent or recurring rather than a single burst. In the sample both timestamps are identical, so all four probes were observed in one burst.
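The triage steps described above (read the resource details, bucket the severity, compare first seen and last seen) and the Restrict steps from the Defense section, carried out in code. This is an added example, not code from the original post or from AWS: it parses a constructed copy of the sample payload, reports which of the instance's ingress rules (an invented set, shaped like describe_security_groups output) leave the probed ports open to the world, and builds the NACL DENY entries as keyword arguments for boto3's create_network_acl_entry. The function names, the security group rules and the acl- placeholder ID are assumptions.

```python
"""Triage helper for a GuardDuty Recon:EC2/PortProbeUnprotectedPort finding.

Added example, not code from the original post or from AWS. SAMPLE_FINDING is a
constructed copy of the payload discussed above, SAMPLE_SG_INGRESS is invented, and
the function names are this example's own.
"""
import json
from datetime import datetime, timezone

SAMPLE_FINDING = json.dumps({
    "schemaVersion": "2.0", "accountId": "123456789012", "region": "us-east-1",
    "id": "abcdef1234567890", "type": "Recon:EC2/PortProbeUnprotectedPort",
    "service": {
        "eventFirstSeen": "2022-12-13T17:47:40Z", "eventLastSeen": "2022-12-13T17:47:40Z",
        "count": 4,
        "action": {"actionType": "PORT_PROBE", "portProbeAction": {"portProbeDetails": [
            {"localPortDetails": {"port": p, "protocol": "TCP"},
             "remoteIpDetails": {"ipAddressV4": "223.252.36.77"}}
            for p in (22345, 23231, 24500, 24500)]}},
    },
    "resource": {"instanceDetails": {
        "instanceId": "i-0abc1234de56789fg", "privateIpAddress": "10.10.15.32",
        "securityGroups": [{"groupId": "sg-abcdef1234567890", "groupName": "default"}]}},
    "severity": 5.0,
})

# Constructed ingress rules for the instance's security group, shaped like the
# IpPermissions list returned by EC2.Client.describe_security_groups.
SAMPLE_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 20000, "ToPort": 25000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def severity_label(score):
    """Map the numeric severity to GuardDuty's documented bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage_port_probe(raw_json):
    """Reduce the finding to what an analyst needs: who, what, where and for how long."""
    finding = json.loads(raw_json)
    if finding.get("type") != "Recon:EC2/PortProbeUnprotectedPort":
        raise ValueError(f"unexpected finding type {finding.get('type')!r}")
    svc = finding["service"]
    probes = svc["action"]["portProbeAction"]["portProbeDetails"]
    inst = finding["resource"]["instanceDetails"]
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    first = datetime.strptime(svc["eventFirstSeen"], fmt).replace(tzinfo=timezone.utc)
    last = datetime.strptime(svc["eventLastSeen"], fmt).replace(tzinfo=timezone.utc)
    return {
        "finding_id": finding["id"],
        "account": finding["accountId"],
        "region": finding["region"],
        "instance_id": inst["instanceId"],
        "private_ip": inst["privateIpAddress"],
        "security_groups": [g["groupId"] for g in inst["securityGroups"]],
        "severity": finding["severity"],
        "severity_label": severity_label(finding["severity"]),
        "probe_count": svc["count"],  # occurrences seen; may exceed len(probes)
        "ports": sorted({p["localPortDetails"]["port"] for p in probes}),
        "source_ips": sorted({p["remoteIpDetails"]["ipAddressV4"] for p in probes}),
        "window_seconds": int((last - first).total_seconds()),
        "recurring": last > first,  # equal timestamps mean a single burst
    }


def world_open_rules(ip_permissions, ports):
    """Return the ingress rules that expose any of `ports` to 0.0.0.0/0 or ::/0;
    these are what make the port "unprotected" and are the rules to tighten."""
    hits = []
    for perm in ip_permissions:
        lo, hi = (0, 65535) if perm["IpProtocol"] == "-1" else (perm["FromPort"], perm["ToPort"])
        world = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
        world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
        if world and any(lo <= p <= hi for p in ports):
            hits.append(perm)
    return hits


def nacl_deny_entries(triage, network_acl_id, first_rule_number=100):
    """One inbound DENY entry per probing source, as kwargs for boto3's
    EC2.Client.create_network_acl_entry. NACL rules are evaluated in ascending
    rule-number order, so use a number below the ALLOW rules it must beat."""
    return [{
        "NetworkAclId": network_acl_id,
        "RuleNumber": first_rule_number + i,
        "Protocol": "-1",  # all protocols; PortRange is only required for tcp/udp
        "RuleAction": "deny",
        "Egress": False,
        "CidrBlock": f"{ip}/32",
    } for i, ip in enumerate(triage["source_ips"])]


if __name__ == "__main__":
    t = triage_port_probe(SAMPLE_FINDING)
    print(json.dumps(t, indent=2))
    print(world_open_rules(SAMPLE_SG_INGRESS, t["ports"]))
    print(nacl_deny_entries(t, "acl-0123456789abcdef0"))  # placeholder ACL id
```

In a real SOC runbook the rules returned by world_open_rules are what you hand to the infrastructure team to fix in the security group, and the entries from nacl_deny_entries are what you pass to ec2.create_network_acl_entry(**entry); the same code handles a finding with several source IPs by emitting one DENY per address.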
