New to Amazon GuardDuty – Malware Detection for Amazon EBS Volumes


With the help of Amazon GuardDuty, you can monitor your AWS accounts and workloads to detect malicious activity. We recently added the ability to detect malware to GuardDuty. Malware is used to compromise workloads, repurpose resources, or gain unauthorized access to data. After you enable GuardDuty Malware Protection, a malware scan starts when GuardDuty detects suspicious actions being taken by one of your EC2 instances or by a container workload running on EC2. For example, a malware scan is triggered when an EC2 instance communicates with a command and control server that is known to be malicious, or when a denial-of-service (DoS) or brute-force attack is being performed against another EC2 instance.

GuardDuty supports many file system types and scans file formats known to spread or contain malware, including Windows and Linux executables, PDF files, archives, binaries, scripts, installers, email databases, and plain emails.

Once potential malware is identified, actionable security findings are generated that include information such as the threat name and file name, the file path, the EC2 instance ID, resource tags and, in the case of containers, the container ID and the container image used. GuardDuty supports container workloads running on EC2, including customer-managed Kubernetes clusters and individual Docker containers. If the container is managed by Amazon Elastic Kubernetes Service (EKS) or Amazon Elastic Container Service (Amazon ECS), the findings also include the cluster name and the task or pod ID, so application security teams can quickly find the affected container resources.

Like all other GuardDuty findings, malware detections are available in the GuardDuty console, pushed through Amazon EventBridge, routed to AWS Security Hub, and made available in Amazon Detective for incident investigation.

++How GuardDuty Malware Protection Works++

After you enable Malware Protection, you set up an Amazon Identity and Access Management (IAM) service-linked role that grants GuardDuty the permissions it needs to perform malware scans. When a malware scan is initiated for an EC2 instance, GuardDuty Malware Protection uses those permissions to take a snapshot of the attached Amazon Elastic Block Store (EBS) volumes and then restores the EBS volumes in an Amazon service account in the same Amazon Region to scan them for malware. You can use tags to include or exclude EC2 instances from those permissions and from scanning. This way, you don't need to deploy security software or agents to monitor for malware, and scanning the volumes doesn't impact running workloads. After the scan is complete, the EBS volumes in the service account and the snapshots in your account are deleted. Optionally, you can retain the snapshots when malware is detected.

The service-linked role also grants GuardDuty access to the Amazon Key Management Service (Amazon KMS) keys used to encrypt EBS volumes. If the EBS volumes attached to the potentially compromised EC2 instance are encrypted with a customer-managed key, GuardDuty Malware Protection uses the same key to encrypt the replica EBS volumes. If the volumes are not encrypted, GuardDuty uses its own key to encrypt the replica EBS volumes and ensure privacy. Volumes encrypted with EBS-managed keys are not supported.

Security in the cloud is a shared responsibility between you and Amazon. As a guardrail, the permissions of the service-linked role cannot be used against any of your resources (EBS snapshots and volumes, EC2 instances, and KMS keys) that carry the GuardDutyExcluded tag. Once you tag snapshots with GuardDutyExcluded set to true, the GuardDuty service is no longer able to access them. The GuardDutyExcluded tag supersedes any inclusion tags. The permissions also restrict how GuardDuty can modify snapshots, so that they cannot be made public while being shared with the GuardDuty service account.

EBS volumes created by GuardDuty are always encrypted. GuardDuty can only use KMS keys on EBS snapshots that carry a GuardDuty scan ID tag, and GuardDuty adds that scan ID tag when it creates a snapshot after an EC2 finding. The KMS keys shared with the GuardDuty service account cannot be invoked from any context other than the Amazon EBS service. After the scan completes successfully, the KMS key grant is revoked and the copy of the volume in the GuardDuty service account is deleted, ensuring that the GuardDuty service cannot access your data once the scan operation is complete.

++Enable Malware Protection for Amazon Account++

If you are not already using GuardDuty, Malware Protection is enabled by default when you activate GuardDuty for your account. I'm already using GuardDuty, so I need to enable Malware Protection from the console. If you are using Amazon Organizations, your delegated administrator account can enable this feature for existing member accounts and configure whether new Amazon accounts in the organization should be enrolled automatically.

In the GuardDuty console, I select Malware Protection under Settings in the navigation pane. From there, I select Enable, and then select Enable Malware Protection.

Snapshots are automatically deleted after scanning. In General settings, I have the option to retain in my Amazon account the snapshots in which malware was detected, so I can use them for further analysis.

In Scan options, I can configure a list of included tags to only scan EC2 instances with those tags, or exclude tags so that EC2 instances with tags in the list are skipped.
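The same settings can be applied outside the console. This added example (not code from the post or from AWS) uses boto3 to enable Malware Protection, set snapshot retention, and push inclusion/exclusion tag criteria; it also models the tag precedence the post describes, with the assumption that an exclusion tag beats an inclusion tag when both match. The detector ID and the Environment tag values are placeholders.

```python
"""Configure GuardDuty Malware Protection with boto3.

Added example, not from the post. Assumes a detector already exists in the Region
and the caller may call guardduty:UpdateDetector and UpdateMalwareScanSettings.
Tag names other than GuardDutyExcluded are constructed for illustration.
"""
from typing import Dict, Optional

EXCLUDED_TAG = "GuardDutyExcluded"  # the tag the service itself honours
RETENTION = ("NO_RETENTION", "RETENTION_WITH_FINDING")


def malware_protection_data_sources(enabled: bool = True) -> Dict:
    """DataSources payload for UpdateDetector that switches EBS volume scanning."""
    return {"MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": enabled}}}


def _tag_list(tags: Dict[str, str]) -> Dict:
    return {"EC2_INSTANCE_TAG": {"MapEquals": [{"Key": k, "Value": v} for k, v in sorted(tags.items())]}}


def scan_resource_criteria(include: Optional[Dict[str, str]] = None,
                           exclude: Optional[Dict[str, str]] = None) -> Dict:
    """Build ScanResourceCriteria from {tag_key: tag_value} maps.
    GuardDutyExcluded=true overrides any include tag, so an include entry
    with that tag could never take effect; reject it instead of sending it."""
    include, exclude = dict(include or {}), dict(exclude or {})
    if include.get(EXCLUDED_TAG, "").lower() == "true":
        raise ValueError(f"{EXCLUDED_TAG}=true cannot be an include tag")
    criteria: Dict = {}
    if include:
        criteria["Include"] = _tag_list(include)
    if exclude:
        criteria["Exclude"] = _tag_list(exclude)
    return criteria


def would_be_scanned(instance_tags: Dict[str, str], criteria: Dict) -> bool:
    """Local model of the tag rules in the post, not the service's own logic:
    GuardDutyExcluded=true always skips the instance; an exclude match skips it
    (assumption: exclude beats include); with an include list present the
    instance must carry one of the include tags."""
    if instance_tags.get(EXCLUDED_TAG, "").lower() == "true":
        return False
    def matches(side: str) -> bool:
        entries = criteria.get(side, {}).get("EC2_INSTANCE_TAG", {}).get("MapEquals", [])
        return any(instance_tags.get(e["Key"]) == e["Value"] for e in entries)
    if matches("Exclude"):
        return False
    return matches("Include") if "Include" in criteria else True


def apply_settings(detector_id: str, criteria: Dict, retention: str = "RETENTION_WITH_FINDING",
                   region: Optional[str] = None) -> None:
    """Enable Malware Protection, then push tag criteria and snapshot retention."""
    if retention not in RETENTION:
        raise ValueError(f"retention must be one of {RETENTION}")
    import boto3  # imported here so the pure functions above run without boto3 installed
    gd = boto3.client("guardduty", region_name=region)
    gd.update_detector(DetectorId=detector_id, DataSources=malware_protection_data_sources(True))
    gd.update_malware_scan_settings(DetectorId=detector_id, ScanResourceCriteria=criteria,
                                    EbsSnapshotPreservation=retention)


if __name__ == "__main__":
    crit = scan_resource_criteria(include={"Environment": "prod"}, exclude={"Environment": "sandbox"})
    print(crit, would_be_scanned({"Environment": "prod"}, crit))
    apply_settings("<detector-id>", crit)  # placeholder detector ID
```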

++Testing GuardDuty Malware Protection findings++

To generate several Amazon GuardDuty detections, including the new malware protection detections, I cloned the Amazon GuardDuty Tester repository:

$ git clone https://github.com/awslabs/amazon-guardduty-tester

First, I use the guardduty-tester.template file to create an Amazon CloudFormation stack. Once the stack is ready, I follow the instructions to configure my SSH client to log into the tester instance through the bastion host. Then, I connect to the tester instance:

$ ssh tester

From the tester instance, I launch the guardduty_tester.sh script to generate detection results:

$ ./guardduty_tester.sh 

*********************************************************************
* Test #1 - Internal port scanning                                    *
* This simulates internal reconaissance by an internal actor or an   *
* external actor after an initial compromise.This is considered a    *
* low priority finding for GuardDuty because its not a clear indicator*
* of malicious intent on its own.                                     *
*********************************************************************


Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-19 09:36 UTC
Nmap scan report for ip-172-16-0-20.us-west-2.compute.internal (172.16.0.20)
Host is up (0.00032s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
5050/tcp closed mmcc
MAC Address: 06:25:CB:F4:E0:51 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds

-----------------------------------------------------------------------

*********************************************************************
* Test #2 - SSH Brute Force with Compromised Keys                     *
* This simulates an SSH brute force attack on an SSH port that we    *
* can access from this instance.It uses (phony) compromised keys in  *
* many subsequent attempts to see if one works.This is a common      *
* techique where the bad actors will harvest keys from the web in     *
* places like source code repositories where people accidentally leave*
* keys and credentials (This attempt will not actually succeed in     *
* obtaining access to the target linux instance in this subnet)       *
*********************************************************************

2022-05-19 09:36:29 START
2022-05-19 09:36:29 Crowbar v0.4.3-dev
2022-05-19 09:36:29 Trying 172.16.0.20:22
2022-05-19 09:36:33 STOP
2022-05-19 09:36:33 No results found...
2022-05-19 09:36:33 START
2022-05-19 09:36:33 Crowbar v0.4.3-dev
2022-05-19 09:36:33 Trying 172.16.0.20:22
2022-05-19 09:36:37 STOP
2022-05-19 09:36:37 No results found...
2022-05-19 09:36:37 START
2022-05-19 09:36:37 Crowbar v0.4.3-dev
2022-05-19 09:36:37 Trying 172.16.0.20:22
2022-05-19 09:36:41 STOP
2022-05-19 09:36:41 No results found...
2022-05-19 09:36:41 START
2022-05-19 09:36:41 Crowbar v0.4.3-dev
2022-05-19 09:36:41 Trying 172.16.0.20:22
2022-05-19 09:36:45 STOP
2022-05-19 09:36:45 No results found...
2022-05-19 09:36:45 START
2022-05-19 09:36:45 Crowbar v0.4.3-dev
2022-05-19 09:36:45 Trying 172.16.0.20:22
2022-05-19 09:36:48 STOP
2022-05-19 09:36:48 No results found...
2022-05-19 09:36:49 START
2022-05-19 09:36:49 Crowbar v0.4.3-dev
2022-05-19 09:36:49 Trying 172.16.0.20:22
2022-05-19 09:36:52 STOP
2022-05-19 09:36:52 No results found...
2022-05-19 09:36:52 START
2022-05-19 09:36:52 Crowbar v0.4.3-dev
2022-05-19 09:36:52 Trying 172.16.0.20:22
2022-05-19 09:36:56 STOP
2022-05-19 09:36:56 No results found...
2022-05-19 09:36:56 START
2022-05-19 09:36:56 Crowbar v0.4.3-dev
2022-05-19 09:36:56 Trying 172.16.0.20:22
2022-05-19 09:37:00 STOP
2022-05-19 09:37:00 No results found...
2022-05-19 09:37:00 START
2022-05-19 09:37:00 Crowbar v0.4.3-dev
2022-05-19 09:37:00 Trying 172.16.0.20:22
2022-05-19 09:37:04 STOP
2022-05-19 09:37:04 No results found...
2022-05-19 09:37:04 START
2022-05-19 09:37:04 Crowbar v0.4.3-dev
2022-05-19 09:37:04 Trying 172.16.0.20:22
2022-05-19 09:37:08 STOP
2022-05-19 09:37:08 No results found...
2022-05-19 09:37:08 START
2022-05-19 09:37:08 Crowbar v0.4.3-dev
2022-05-19 09:37:08 Trying 172.16.0.20:22
2022-05-19 09:37:12 STOP
2022-05-19 09:37:12 No results found...
2022-05-19 09:37:12 START
2022-05-19 09:37:12 Crowbar v0.4.3-dev
2022-05-19 09:37:12 Trying 172.16.0.20:22
2022-05-19 09:37:16 STOP
2022-05-19 09:37:16 No results found...
2022-05-19 09:37:16 START
2022-05-19 09:37:16 Crowbar v0.4.3-dev
2022-05-19 09:37:16 Trying 172.16.0.20:22
2022-05-19 09:37:20 STOP
2022-05-19 09:37:20 No results found...
2022-05-19 09:37:20 START
2022-05-19 09:37:20 Crowbar v0.4.3-dev
2022-05-19 09:37:20 Trying 172.16.0.20:22
2022-05-19 09:37:23 STOP
2022-05-19 09:37:23 No results found...
2022-05-19 09:37:23 START
2022-05-19 09:37:23 Crowbar v0.4.3-dev
2022-05-19 09:37:23 Trying 172.16.0.20:22
2022-05-19 09:37:27 STOP
2022-05-19 09:37:27 No results found...
2022-05-19 09:37:27 START
2022-05-19 09:37:27 Crowbar v0.4.3-dev
2022-05-19 09:37:27 Trying 172.16.0.20:22
2022-05-19 09:37:31 STOP
2022-05-19 09:37:31 No results found...
2022-05-19 09:37:31 START
2022-05-19 09:37:31 Crowbar v0.4.3-dev
2022-05-19 09:37:31 Trying 172.16.0.20:22
2022-05-19 09:37:34 STOP
2022-05-19 09:37:34 No results found...
2022-05-19 09:37:35 START
2022-05-19 09:37:35 Crowbar v0.4.3-dev
2022-05-19 09:37:35 Trying 172.16.0.20:22
2022-05-19 09:37:38 STOP
2022-05-19 09:37:38 No results found...
2022-05-19 09:37:38 START
2022-05-19 09:37:38 Crowbar v0.4.3-dev
2022-05-19 09:37:38 Trying 172.16.0.20:22
2022-05-19 09:37:42 STOP
2022-05-19 09:37:42 No results found...
2022-05-19 09:37:42 START
2022-05-19 09:37:42 Crowbar v0.4.3-dev
2022-05-19 09:37:42 Trying 172.16.0.20:22
2022-05-19 09:37:46 STOP
2022-05-19 09:37:46 No results found...

-----------------------------------------------------------------------

*********************************************************************
* Test #3 - RDP Brute Force with Password List                        *
* This simulates an RDP brute force attack on the internal RDP port  *
* of the windows server that we installed in the environment. It uses*
* a list of common passwords that can be found on the web.This test  *
* will trigger a detection, but will fail to get into the target      *
* windows instance.                                                   *
*********************************************************************

Sending 250 password attempts at the windows server...
Hydra v9.4-dev (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-19 09:37:46
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental.Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1792 login tries (l:7/p:256), ~448 tries per task
[DATA] attacking rdp://172.16.0.24:3389/
[STATUS] 1099.00 tries/min, 1099 tries in 00:01h, 693 to do in 00:01h, 4 active
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-05-19 09:39:23

-----------------------------------------------------------------------

*********************************************************************
* Test #4 - CryptoCurrency Mining Activity                            *
* This simulates interaction with a cryptocurrency mining pool which *
* can be an indication of an instance compromise.In this case, we are*
* only interacting with the URL of the pool, but not downloading      *
* any files.This will trigger a threat intel based detection.        *
*********************************************************************

Calling bitcoin wallets to download mining toolkits

-----------------------------------------------------------------------

*********************************************************************
* Test #5 - DNS Exfiltration                                          *
* A common exfiltration technique is to tunnel data out over DNS      *
* to a fake domain. Its an effective technique because most hosts    *
* have outbound DNS ports open. This test wont exfiltrate any data,  *
* but it will generate enough unusual DNS activity to trigger the     *
* detection.                                                          *
*********************************************************************

Calling large numbers of large domains to simulate tunneling via DNS

*********************************************************************
* Test #6 - Fake domain to prove that GuardDuty is working            *
* This is a permanent fake domain that customers can use to prove that*
* GuardDuty is working. Calling this domain will always generate the *
* Backdoor:EC2/C&CActivity.B!DNS finding type                         *
*********************************************************************

Calling a well known fake domain that is used to generate a known finding

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> GuardDutyC2ActivityB.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11495
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;GuardDutyC2ActivityB.com.    IN    ANY

;; ANSWER SECTION:
GuardDutyC2ActivityB.com.6943    IN    SOA    ns1.markmonitor.com. hostmaster.markmonitor.com.2018091906 86400 3600 2592000 172800
GuardDutyC2ActivityB.com.6943    IN    NS    ns3.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns5.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns7.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns2.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns4.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns6.markmonitor.com.
GuardDutyC2ActivityB.com.6943    IN    NS    ns1.markmonitor.com.

;; Query time: 27 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Thu May 19 09:39:23 UTC 2022
;; MSG SIZE  rcvd: 238


*****************************************************************************************************
Expected GuardDuty findings

Test 1: Internal port scan
 Expected finding: EC2 instance i-011e73af27562827b is performing outbound port scans against remote host 172.16.0.20
 Finding type: Recon:EC2/Portscan

Test 2: SSH brute force with compromised keys
 Expecting two findings - one for the outbound and one for the inbound detection
 Outbound: i-011e73af27562827b is performing SSH brute force attacks against 172.16.0.20
 Inbound: 172.16.0.25 is performing SSH brute force attacks against i-0bada13e0aa12d383
 Finding type: UnauthorizedAccess:EC2/SSHBruteForce

Test 3: RDP brute force with password list
 Expecting two findings - one for the outbound and one for the inbound detection
 Outbound: i-011e73af27562827b is performing RDP brute force attacks against 172.16.0.24
 Inbound: 172.16.0.25 is performing RDP brute force attacks against i-0191573dec3b66924
 Finding type: UnauthorizedAccess:EC2/RDPBruteForce

Test 4: Cryptocurrency activity
 Expected finding: EC2 instance i-011e73af27562827b is querying a domain name associated with Bitcoin activity
 Finding type: CryptoCurrency:EC2/BitcoinTool.B!DNS

Test 5: DNS exfiltration
 Expected finding: EC2 instance i-011e73af27562827b is attempting to query domain names that resemble exfiltrated data
 Finding type: Trojan:EC2/DNSDataExfiltration

Test 6: C&C activity
 Expected finding: EC2 instance i-011e73af27562827b is querying a domain name associated with a known command and control server.
 Finding type: Backdoor:EC2/C&CActivity.B!DNS

After a few minutes, the detection results will appear in the GuardDuty console. At the top, I see malicious files found by the new malware protection feature. One of the detections is related to the EC2 instance and the other is related to the ECS cluster.

First, I select the detections related to the EC2 instance. In the panel, I see information about the instance and the malicious file, such as filename and path. In the Malware scan details section, the Trigger finding ID points to the original GuardDuty finding that triggered the malware scan. In my case, the initial detection was that this EC2 instance was performing a brute force RDP attack on another EC2 instance.

From here, I select Investigate with Detective and go directly from the GuardDuty console to the Detective console, where I can visualize the Amazon CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow data for the EC2 instance, the Amazon account, and the IP address affected by the finding. Using Detective, I can analyze, investigate, and determine the root cause of the suspicious activity discovered by GuardDuty.

When I select a detection related to an ECS cluster, I get more information about the affected resource, such as ECS cluster, task, container, and container image details.
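The fields described above are also present in the finding JSON that EventBridge delivers, so a response pipeline can pull them out without the console. This added example (not code from the post or from AWS) triages constructed EC2 and ECS malware findings into a ticket-ready summary; the event layout (resource.resourceType, resource.instanceDetails / ecsClusterDetails, service.ebsVolumeScanDetails) is assumed from the GuardDuty finding structure, and every ID, ARN, path and hash is a placeholder.

```python
"""Triage GuardDuty Malware Protection findings delivered through EventBridge.
Added example, not from the post. Event layout is an assumption of this example;
all identifiers below are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def make_event(finding_id: str, ftype: str, resource: Dict) -> Dict:
    """Constructed EventBridge event carrying one scan that found one file."""
    return {"detail-type": "GuardDuty Finding", "detail": {
        "id": finding_id, "type": ftype, "severity": 8, "resource": resource,
        "service": {"ebsVolumeScanDetails": {
            "scanId": "SCAN-PLACEHOLDER", "triggerFindingId": "TRIGGER-PLACEHOLDER",
            "scanDetections": {"threatDetectedByName": {"threatNames": [
                {"name": "EICAR-Test-File", "severity": "HIGH", "itemCount": 1,
                 "filePaths": [{"fileName": "eicar.com", "filePath": "/tmp/eicar.com",
                                "volumeArn": "arn:aws:ec2:us-west-2:111122223333:volume/vol-placeholder",
                                "hash": "sha256-placeholder"}]}]}}}}}}


EC2_EVENT = make_event("FINDING-EC2-PLACEHOLDER", "Execution:EC2/MaliciousFile",
    {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0ec2placeholder"}})
ECS_EVENT = make_event("FINDING-ECS-PLACEHOLDER", "Execution:ECS/MaliciousFile",
    {"resourceType": "ECSCluster", "instanceDetails": {"instanceId": "i-0ecsplaceholder"},
     "ecsClusterDetails": {"name": "payments-cluster", "taskDetails": {
         "arn": "arn:aws:ecs:us-west-2:111122223333:task/payments-cluster/task-placeholder",
         "containers": [{"name": "api", "image": "111122223333.dkr.ecr.us-west-2.amazonaws.com/api:1.2"}]}}})


@dataclass
class MalwareTriage:
    finding_id: str
    finding_type: str
    severity: float
    instance_id: str
    trigger_finding_id: str  # the original GuardDuty finding that started the scan
    threats: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (threat, file, path, hash)
    container: Dict = field(default_factory=dict)  # cluster, task and images; ECS findings only


def triage_finding(event: Dict) -> MalwareTriage:
    """Extract the fields the post lists for a malware finding, for EC2 and ECS resources."""
    f = event["detail"]
    res, scan = f["resource"], f["service"]["ebsVolumeScanDetails"]
    threats = [(t["name"], p["fileName"], p["filePath"], p["hash"])
               for t in scan["scanDetections"]["threatDetectedByName"]["threatNames"]
               for p in t["filePaths"]]
    container = {}
    if res["resourceType"] == "ECSCluster":
        task = res["ecsClusterDetails"]["taskDetails"]
        container = {"cluster": res["ecsClusterDetails"]["name"], "task_arn": task["arn"],
                     "images": [c["image"] for c in task["containers"]]}
    return MalwareTriage(f["id"], f["type"], float(f["severity"]),
                         res.get("instanceDetails", {}).get("instanceId", ""),
                         scan["triggerFindingId"], threats, container)


def summary_line(t: MalwareTriage) -> str:
    """One-line ticket title: what was found, where, and which finding started the scan."""
    where = t.instance_id
    if t.container:
        where += f" task {t.container['task_arn'].rsplit('/', 1)[-1]} in {t.container['cluster']}"
    names = ", ".join(sorted({th[0] for th in t.threats}))
    return f"{t.finding_type} (sev {t.severity:g}) on {where}: {names}; trigger {t.trigger_finding_id}"


if __name__ == "__main__":
    for ev in (EC2_EVENT, ECS_EVENT):
        print(summary_line(triage_finding(ev)))
```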

Using the GuardDuty Tester script makes it easier to test GuardDuty's overall integration with other security frameworks you use so you're ready when a real threat is detected.

++Comparing GuardDuty Malware Protection with Amazon Inspector++

At this point, you may be asking yourself what the difference is between GuardDuty Malware Protection and Amazon Inspector. In short, Amazon Inspector is a service that scans AWS workloads for software vulnerabilities and unintended network exposure. The two services complement each other and provide different layers of protection:

  • Amazon Inspector provides proactive protection by identifying and remediating known software and application vulnerabilities that are entry points for attackers to compromise resources and install malware.
  • GuardDuty malware protection detects malware in actively running workloads. At this point, the system is compromised, but GuardDuty can limit the time of infection and take action before compromised systems lead to business-impacting events.

++Availability and Pricing++

Amazon GuardDuty Malware Protection is available today in all Amazon Regions where GuardDuty is available, excluding the AWS China (Beijing), Amazon China (Ningxia), Amazon GovCloud (US-East), and Amazon GovCloud (US-West) Regions.

At launch, GuardDuty malware protection is integrated with the following partner products:

With GuardDuty, you don't need to deploy security software or agents to monitor for malware. You only pay for the number of gigabytes scanned in the file systems (not the size of the EBS volumes) and for how long the EBS snapshots are kept in your account. All EBS snapshots created by GuardDuty are automatically deleted after scanning unless you enable snapshot retention for the cases where malware is found. For more information, see GuardDuty Pricing and EBS pricing. Note that GuardDuty only scans EBS volumes smaller than 1 TB. To help you control costs and avoid repeated alerts, the same volume is not scanned more often than once every 24 hours.

Detect malicious activity and protect your applications from malware with Amazon GuardDuty.
Danilo

Tags: Front-end

Posted by dirgeshp on Sat, 11 Mar 2023 08:37:46 +0530