
Unable to generate Recon:EC2/PortProbeUnprotectedPort findings

Open anskrish opened this issue 3 years ago • 2 comments

Hi Team,

I have set up the environment which you suggested in the README file and ran the script, but I am unable to generate portprobe alerts.

Here is the script output:

*****************************************************************************************************
Expected GuardDuty Findings

Test 1: Internal Port Scanning
Expected Finding: EC2 Instance  i-05  is performing outbound port scans against remote host. 172.1
Finding Type: Recon:EC2/Portscan

Test 2: SSH Brute Force with Compromised Keys
Expecting two findings - one for the outbound and one for the inbound detection
Outbound:  i-0  is performing SSH brute force attacks against  172.xxxx
Inbound:  172.xxxxxx is performing SSH brute force attacks against  i-07ad
Finding Type: UnauthorizedAccess:EC2/SSHBruteForce

Test 3: RDP Brute Force with Password List
Expecting two findings - one for the outbound and one for the inbound detection
Outbound:  i-056 is performing RDP brute force attacks against  17xxxxxx
Inbound:  17xxxxxxx  is performing RDP brute force attacks against  i-005c71xxxx
Finding Type : UnauthorizedAccess:EC2/RDPBruteForce

Test 4: Cryptocurrency Activity
Expected Finding: EC2 Instance  i-05615xxx is querying a domain name that is associated with bitcoin activity
Finding Type : CryptoCurrency:EC2/BitcoinTool.B!DNS

Test 5: DNS Exfiltration
Expected Finding: EC2 instance  i-05615089xxx  is attempting to query domain names that resemble exfiltrated data
Finding Type : Backdoor:EC2/DNSDataExfiltration

Test 6: C&C Activity
Expected Finding: EC2 instance  i-05615089=xxxx1  is querying a domain name associated with a known Command & Control server. 
Finding Type : Backdoor:EC2/C&CActivity.B!DNS

[ec2-user@ip-17xxxxx ~]$ 

When I checked the script, I did not see the command to do this. https://github.com/awslabs/amazon-guardduty-tester/blob/master/guardduty_tester.sh#L20

Please suggest how to generate portprobe alerts.

anskrish avatar Jan 06 '21 04:01 anskrish

We would like to generate the Port Probe alerts for some testing and need a way to be able to generate them as and when we want to run our tests.

mmshaikh88 avatar Jan 06 '21 07:01 mmshaikh88

Recon:EC2/PortProbeUnprotectedPort findings require that the source IP probing the open port is a known malicious IP, so it cannot be generated using the test script.

ryanholland avatar Apr 10 '21 01:04 ryanholland
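The tester prints an "Expected GuardDuty Findings" summary but does not itself check what GuardDuty actually recorded, and, as explained above, Recon:EC2/PortProbeUnprotectedPort cannot come from the script's own traffic. The following is an added example (not part of amazon-guardduty-tester) of a small coverage check: it builds the finding filter for the GuardDuty API, pulls matching findings through a boto3 client passed in by the caller, and reports which expected types are present, which are still missing, and which of the additionally wanted types are not testable by the script at all. The `SAMPLE_FINDINGS` list and its instance IDs are constructed for the offline demonstration and are not real GuardDuty output; the `fetch_findings` helper is an assumption about how a practitioner would wire this to the real API and is not exercised by the sample.

```python
"""Compare the finding types the tester says to expect against the finding
types actually recorded by GuardDuty.

Added example, not part of amazon-guardduty-tester. SAMPLE_FINDINGS below
is constructed for an offline run and is not real GuardDuty output.
"""
from collections import defaultdict

# Finding types listed in the tester's "Expected GuardDuty Findings" summary.
TESTER_EXPECTED_TYPES = (
    "Recon:EC2/Portscan",
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "UnauthorizedAccess:EC2/RDPBruteForce",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Backdoor:EC2/DNSDataExfiltration",
    "Backdoor:EC2/C&CActivity.B!DNS",
)

# Finding types that need traffic from an IP on GuardDuty's threat lists and
# therefore cannot be produced by traffic the tester generates itself.
NOT_TESTABLE_BY_SCRIPT = frozenset({"Recon:EC2/PortProbeUnprotectedPort"})


def finding_criteria(types, instance_ids=None):
    """Build the FindingCriteria argument for guardduty.list_findings.

    Filters on finding type and, optionally, on the instance IDs the tester
    launched, so unrelated findings in the account are ignored.
    """
    criterion = {"type": {"Eq": list(types)}}
    if instance_ids:
        criterion["resource.instanceDetails.instanceId"] = {"Eq": list(instance_ids)}
    return {"Criterion": criterion}


def fetch_findings(client, detector_id, criteria):
    """Pull matching findings with a boto3 GuardDuty client (network call,
    not exercised by the offline sample). Assumed wiring, not the tester's."""
    ids = []
    kwargs = {"DetectorId": detector_id, "FindingCriteria": criteria}
    while True:
        page = client.list_findings(**kwargs)
        ids.extend(page.get("FindingIds", []))
        token = page.get("NextToken")
        if not token:
            break
        kwargs["NextToken"] = token
    findings = []
    for i in range(0, len(ids), 50):  # get_findings accepts at most 50 IDs per call
        batch = client.get_findings(DetectorId=detector_id, FindingIds=ids[i:i + 50])
        findings.extend(batch["Findings"])
    return findings


def types_by_instance(findings):
    """Map each instance ID to the set of finding types recorded against it."""
    seen = defaultdict(set)
    for f in findings:
        details = f.get("Resource", {}).get("InstanceDetails", {})
        seen[details.get("InstanceId", "<no-instance>")].add(f["Type"])
    return dict(seen)


def coverage_report(findings, expected=TESTER_EXPECTED_TYPES, wanted=()):
    """Report expected types that appeared, expected types still missing, and
    wanted types that the tester can never produce."""
    present = {f["Type"] for f in findings}
    return {
        "present": sorted(t for t in expected if t in present),
        "missing": sorted(t for t in expected if t not in present),
        "not_testable": sorted(t for t in wanted if t in NOT_TESTABLE_BY_SCRIPT),
    }


# Constructed sample shaped like the 'Findings' list returned by get_findings;
# only the keys this script reads are included. Instance IDs are made up.
SAMPLE_FINDINGS = [
    {"Id": "sample-1", "Type": "Recon:EC2/Portscan", "Severity": 5.0,
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0aaaaaaaaaaaaaaa1"}}},
    {"Id": "sample-2", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5.0,
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0aaaaaaaaaaaaaaa1"}}},
    {"Id": "sample-3", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0bbbbbbbbbbbbbbb2"}}},
]


if __name__ == "__main__":
    report = coverage_report(SAMPLE_FINDINGS,
                             wanted=["Recon:EC2/PortProbeUnprotectedPort"])
    for key, values in report.items():
        print(f"{key}: {values}")
    print(types_by_instance(SAMPLE_FINDINGS))
```

Against real data, replace `SAMPLE_FINDINGS` with `fetch_findings(boto3.client("guardduty"), detector_id, finding_criteria(TESTER_EXPECTED_TYPES, instance_ids))`, where `instance_ids` are the tester's instances; anything reported under `not_testable` has to be exercised some other way than this script.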

Closing this issue as the tester will not be modified to cover this use case.

scottbward avatar Aug 29 '23 17:08 scottbward