Execution:
Adversaries or attackers run malicious code on the target system; this is one of the most important tactics.
It's a calm Tuesday evening. Asritha is sipping her tea to ease a headache caused by the alerts when she receives a call from another analyst that critical alerts have been triggered. She runs, leaving her tea aside, and assigns the incident.
Finding : Execution: EC2 Instance - Tor client / Backdoor:EC2/TorClient
These findings fall in the execution phase because the activity originates from the instance itself.
This finding shows that GuardDuty detected a Tor client running on an EC2 instance.
Attack:
Someone may have launched the code themselves, or an adversary compromised the instance during the delivery phase.
Delivery of malicious payloads can happen through various means, such as phishing emails that are opened immediately, drive-by download attacks, and PUPs (potentially unwanted programs) accessed from inside the EC2 instance.
In that case the delivery succeeded and led to the Tor client executing on the instance.
Alternatively, a user may want to conduct scanning, red-team activity, or simulations to test GuardDuty's detection capabilities on the instance.
This finding is generated when a Tor client is observed running on the instance.
Defense:
Check with the user whether they have the privileges to perform this activity and whether it is benign.
Recommend isolating or stopping the instance with immediate effect.
Identify the Tor client process and remove it from the instance.
Terminate the machine if this is not a legitimate activity. If a remote or public IP address is found, block it.
If backup snapshots exist, restore them to avoid service disruption.
Recommend temporarily disabling the IAM account.
Payload explanation:
{
  "schemaVersion": "2.0",
  "accountId": "123456789012",
  "region": "ap-south-1",
  "partition": "aws",
  "id": "abcd1234efgh5678ijkl9012mnop3456",
  "arn": "arn:aws:guardduty:ap-south-1:123456789012:detector/12ab34cd5678e9012fgh34ij56kl78mn/finding/abcd1234efgh5678ijkl9012mnop3456",
  "type": "Execution:EC2/TorClient",
  "resource": {
    "resourceType": "Instance",
    "instanceDetails": {
      "instanceId": "i-0ab12cd3456ef7890",
      "instanceType": "t3.medium",
      "platform": "Linux",
      "launchTime": "2025-06-03T08:24:16Z",
      "networkInterfaces": [
        {
          "networkInterfaceId": "eni-abc123def456",
          "privateIpAddress": "10.0.1.5",
          "subnetId": "subnet-xyz890123",
          "vpcId": "vpc-11223344"
        }
      ]
    }
  },
  "severity": 7.5,
  "createdAt": "2025-06-03T10:45:12Z",
  "updatedAt": "2025-06-03T10:45:12Z",
  "title": "EC2 Instance is running a Tor client",
  "description": "EC2 instance i-0ab12cd3456ef7890 in region ap-south-1 is running a Tor client, which can be used for anonymized command and control communications.",
  "service": {
    "serviceName": "guardduty",
    "detectorId": "12ab34cd5678e9012fgh34ij56kl78mn",
    "action": {
      "actionType": "EXECUTION",
      "runtimeDetails": {
        "processName": "tor",
        "processId": 4321,
        "filePath": "/usr/bin/tor"
      }
    },
    "resourceRole": "TARGET"
  },
  "confidence": 95,
  "findingProviderFields": {
    "threatPurpose": "EXECUTION",
    "name": "Execution:EC2/TorClient",
    "description": "The EC2 instance is running a Tor client executable, often used by attackers to mask command and control traffic.",
    "severityLabel": "HIGH"
  }
}
The above activity was detected as a finding by AWS GuardDuty because EC2 instance i-0ab12cd3456ef7890 in AWS account 123456789012 is running a Tor client, which connects to the Tor network. The process name is "tor" and its location is /usr/bin/tor. Follow the defense steps mentioned above.
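To show how the defense steps above translate into a repeatable triage, here is an added Python example (not AWS code and not part of the original write-up). It parses a finding shaped like the payload above, pulls out the fields an analyst needs (instance, region, process, file path, severity), maps the numeric severity to the GuardDuty label bands, and turns the defense steps into a reviewable list of AWS CLI commands. The commands are produced as strings for an analyst to review and run, never executed by the script, so it works offline; the quarantine security group, the IAM user name and the network ACL id are placeholders that the caller supplies, and the sample finding is a constructed, trimmed copy of the one shown above.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the finding from the write-up, trimmed to the fields used below.
SAMPLE_FINDING = json.dumps({
    "accountId": "123456789012",
    "region": "ap-south-1",
    "type": "Execution:EC2/TorClient",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0ab12cd3456ef7890",
                                     "networkInterfaces": [{"privateIpAddress": "10.0.1.5"}]}},
    "severity": 7.5,
    "service": {"action": {"actionType": "EXECUTION",
                           "runtimeDetails": {"processName": "tor", "processId": 4321,
                                              "filePath": "/usr/bin/tor"}}},
    "findingProviderFields": {"threatPurpose": "EXECUTION", "severityLabel": "HIGH"},
})


@dataclass
class Triage:
    account: str
    region: str
    finding_type: str
    threat_purpose: str
    instance_id: str
    process_name: str
    process_id: Optional[int]
    file_path: str
    severity: float
    remote_ip: Optional[str]  # only present for network-style actions


def severity_band(score: float) -> str:
    """Map a numeric GuardDuty severity to its label using the documented bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def parse_finding(raw: str) -> Triage:
    """Extract the analyst-relevant fields from a GuardDuty finding JSON document."""
    f = json.loads(raw)
    details = f["resource"]["instanceDetails"]
    action = f["service"]["action"]
    runtime = action.get("runtimeDetails", {})
    # A remote IP exists only for network actions; the Tor client finding above has none.
    remote_ip = (action.get("networkConnectionAction", {})
                 .get("remoteIpDetails", {})
                 .get("ipAddressV4"))
    return Triage(
        account=f["accountId"],
        region=f["region"],
        finding_type=f["type"],
        threat_purpose=f.get("findingProviderFields", {}).get("threatPurpose", ""),
        instance_id=details["instanceId"],
        process_name=runtime.get("processName", "unknown"),
        process_id=runtime.get("processId"),
        file_path=runtime.get("filePath", "unknown"),
        severity=float(f["severity"]),
        remote_ip=remote_ip,
    )


def is_execution_phase(t: Triage) -> bool:
    """The write-up classifies findings that originate on the instance as execution phase."""
    return t.threat_purpose == "EXECUTION" or t.finding_type.startswith("Execution:")


def containment_plan(t: Triage, quarantine_sg: str, iam_user: str,
                     nacl_id: str = "acl-PLACEHOLDER") -> List[str]:
    """Turn the defense steps into reviewable AWS CLI commands (strings, not executed).

    quarantine_sg, iam_user and nacl_id are placeholders supplied by the caller.
    """
    region = f"--region {t.region}"
    plan = [
        f"# 1. Confirm with the owner whether '{t.process_name}' ({t.file_path}, "
        f"pid {t.process_id}) on {t.instance_id} is sanctioned ({severity_band(t.severity)})",
        # 2. Isolate: swap the instance onto a security group with no ingress/egress rules.
        f"aws ec2 modify-instance-attribute {region} --instance-id {t.instance_id} "
        f"--groups {quarantine_sg}",
        # Preserve evidence and a restore point before touching the host.
        f"aws ec2 create-snapshots {region} --instance-specification "
        f"InstanceId={t.instance_id} --description 'IR {t.finding_type}'",
        f"# 3. On the host: identify and remove the process at {t.file_path} "
        f"(collect the binary for forensics first)",
        # 4. Stop the instance; terminate later if the activity is confirmed malicious.
        f"aws ec2 stop-instances {region} --instance-ids {t.instance_id}",
    ]
    if t.remote_ip:  # 5. Block the remote IP only when the finding carries one.
        plan.append(f"aws ec2 create-network-acl-entry {region} --network-acl-id {nacl_id} "
                    f"--rule-number 10 --protocol -1 --rule-action deny --egress "
                    f"--cidr-block {t.remote_ip}/32")
    # 6. Temporarily disable the IAM principal with the AWS managed deny-all policy.
    plan.append(f"aws iam attach-user-policy --user-name {iam_user} "
                f"--policy-arn arn:aws:iam::aws:policy/AWSDenyAll")
    return plan


if __name__ == "__main__":
    triage = parse_finding(SAMPLE_FINDING)
    for step in containment_plan(triage, "sg-QUARANTINE-PLACEHOLDER", "SUSPECT-USER-PLACEHOLDER"):
        print(step)
```

Because the Tor client finding carries no remote IP, the plan omits the network ACL deny entry; a finding with a `networkConnectionAction` (such as the beacon finding mentioned later) would get that step added automatically.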
Likewise, we get several other execution finding types.
Some of them are listed below for reference:
Execution:EC2/Backdoor:EC2/SSHBruteForce:
If multiple SSH connection attempts are detected from an EC2 instance, indicating a possible brute-force attack against a resource or IP range, GuardDuty raises this or a similar finding.
Execution:EC2/BitcoinTool.B!DNS:
If an application or process on an EC2 instance is detected attempting DNS queries related to Bitcoin mining, GuardDuty raises this or a similar finding.
Execution:EC2/CommandAndControl:EC2/Beacon:
If an EC2 instance is beaconing to or communicating with an external server, usually as a result of command execution (command and control, C2), GuardDuty raises this or a similar finding.
Similar activities that originate from the instances fall under the execution phase.