GuardDuty attack sequence finding types
GuardDuty detects an attack sequence when a specific sequence of multiple actions aligns with potentially suspicious activity. An attack sequence includes signals such as API activities and GuardDuty findings. When GuardDuty observes a group of signals in a specific sequence that indicates an in-progress, ongoing, or recent security threat, GuardDuty generates an attack sequence finding. GuardDuty considers individual API activities weak signals because, taken individually, they don't present themselves as a potential threat.
The attack sequence detections focus on potential compromise of Amazon S3 data (that can be a part of a broader ransomware attack), compromised AWS credentials, compromised Amazon EKS clusters, compromised Amazon ECS clusters, and compromised Amazon EC2 instance groups. The following sections provide details about each of the attack sequences.
AttackSequence:EKS/CompromisedCluster
A sequence of suspicious actions performed by a potentially compromised Amazon EKS cluster.
- Default severity: Critical
- Data sources:
This finding informs you that GuardDuty detected a sequence of suspicious actions that indicates a potentially compromised Amazon EKS cluster in your environment. Multiple suspicious and anomalous attack behaviors, such as malicious processes or connections with malicious endpoints, were observed in the same Amazon EKS cluster.
GuardDuty uses its proprietary correlation algorithms to observe and identify the sequence of actions performed by using the IAM credential. GuardDuty evaluates findings across protection plans and other signal sources to identify common and emerging attack patterns. GuardDuty uses multiple factors to surface threats, such as IP reputation, API sequences, user configuration, and potentially impacted resources.
Remediation actions: If this behavior is unexpected in your environment, then your Amazon EKS cluster may be compromised. For comprehensive remediation guidance, see Remediating EKS Protection findings and Remediating Runtime Monitoring findings.
Additionally, since AWS credentials may have been compromised through the EKS cluster, see Remediating potentially compromised AWS credentials. For steps to remediate other resources that may have been potentially impacted, see Remediating detected GuardDuty security findings.
AttackSequence:ECS/CompromisedCluster
A sequence of suspicious actions performed by a potentially compromised Amazon ECS cluster.
- Default severity: Critical
- Data sources:
This finding informs you that GuardDuty detected a sequence of suspicious signals indicating a potentially compromised Amazon ECS cluster in your environment. These signals may include malicious processes, communications with malicious endpoints, or cryptocurrency mining behaviors.
GuardDuty uses proprietary correlation algorithms and multiple detection factors to identify sequences of suspicious actions within Amazon ECS clusters. Through analysis across protection plans and various signal sources, GuardDuty identifies common and emerging attack patterns, providing high-confidence detection of potential compromises.
Remediation actions: If this behavior is unexpected in your environment, your Amazon ECS cluster may be compromised. For threat containment recommendations, see Remediating a potentially compromised ECS cluster. Note that the compromise may extend to one or more ECS tasks or container workloads, which could have been used to create or modify AWS resources. For comprehensive remediation guidance covering potentially impacted resources, see Remediating detected GuardDuty security findings.
AttackSequence:EC2/CompromisedInstanceGroup
A sequence of suspicious actions indicating potentially compromised Amazon EC2 instances.
- Default severity: Critical
- Data sources:
This finding indicates that GuardDuty detected a sequence of suspicious actions suggesting potential compromise across a group of Amazon EC2 instances in your environment. Instance groups typically represent applications managed through infrastructure-as-code, sharing similar configurations such as Auto Scaling group, IAM instance profile role, AWS CloudFormation stack, Amazon EC2 launch template, AMI, or VPC ID. GuardDuty observed multiple suspicious behaviors across one or more instances, including:
- Malicious processes
- Malicious files
- Suspicious network connections
- Cryptocurrency mining activities
- Suspicious usage of Amazon EC2 instance credentials
Detection Method: GuardDuty employs proprietary correlation algorithms to identify suspicious action sequences within Amazon EC2 instances. By evaluating findings across protection plans and various signal sources, GuardDuty identifies attack patterns using multiple factors such as IP and domain reputation and suspicious running processes.
Remediation actions: If this behavior is unexpected in your environment, your Amazon EC2 instances may be compromised. The compromise could involve:
- Multiple processes
- Instance credentials that may have been used to modify Amazon EC2 instances or other AWS resources
For threat containment recommendations, see Remediating a potentially compromised Amazon EC2 instance. Note that the compromise may extend to one or more Amazon EC2 instances and involve compromised processes or instance credentials that could have been used to create or modify Amazon EC2 instances or other AWS resources. For comprehensive remediation guidance covering potentially impacted resources, see Remediating detected GuardDuty security findings.
AttackSequence:IAM/CompromisedCredentials
A sequence of API requests that were invoked by using potentially compromised AWS credentials.
- Default severity: Critical
- Data source: AWS CloudTrail management events
This finding informs you that GuardDuty detected a sequence of suspicious actions, made by using AWS credentials, that impact one or more resources in your environment. Multiple suspicious and anomalous attack behaviors were observed from the same credentials, resulting in higher confidence that the credentials are being misused.
GuardDuty uses its proprietary correlation algorithms to observe and identify the sequence of actions performed by using the IAM credential. GuardDuty evaluates findings across protection plans and other signal sources to identify common and emerging attack patterns. GuardDuty uses multiple factors to surface threats, such as IP reputation, API sequences, user configuration, and potentially impacted resources.
Remediation actions: If this behavior is unexpected in your environment, then your AWS credentials may have been compromised. For steps to remediate, see Remediating potentially compromised AWS credentials. The compromised credentials may have been used to create or modify additional resources, such as Amazon S3 buckets, AWS Lambda functions, or Amazon EC2 instances, in your environment. For steps to remediate other resources that may have been potentially impacted, see Remediating detected GuardDuty security findings.
AttackSequence:S3/CompromisedData
A sequence of API requests was invoked in a potential attempt to exfiltrate or destroy data in Amazon S3.
- Default severity: Critical
- Data sources: AWS CloudTrail data events for S3 and AWS CloudTrail management events
This finding informs you that GuardDuty detected a sequence of suspicious actions indicative of data compromise in one or more Amazon Simple Storage Service (Amazon S3) buckets, performed by using potentially compromised AWS credentials. Multiple suspicious and anomalous attack behaviors (API requests) were observed, resulting in higher confidence that the credentials are being misused.
GuardDuty uses its correlation algorithms to observe and identify the sequence of actions performed by using the IAM credential. GuardDuty then evaluates findings across protection plans and other signal sources to identify common and emerging attack patterns. GuardDuty uses multiple factors to surface threats, such as IP reputation, API sequences, user configuration, and potentially impacted resources.
Remediation actions: If this activity is unexpected in your environment, your AWS credentials may have been compromised, or your Amazon S3 data may have been exfiltrated or destroyed. For steps to remediate, see Remediating potentially compromised AWS credentials and Remediating a potentially compromised S3 bucket.
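The following is an added example, not part of the GuardDuty documentation, of how a responder might route the five attack sequence finding types above to the remediation guidance each section names and summarize the correlated signals. The finding type names and playbook titles come from this page; the EventBridge event layout (`detail.type` and the `signals` list under `detail.service.detection.sequence`) and the sample event are assumptions.

```python
# Added example: triage GuardDuty attack sequence findings delivered by
# EventBridge. Finding types and remediation routing come from the page;
# the event layout (detail.type, detail.service.detection.sequence.signals)
# and the sample event are assumed, not taken from AWS documentation.
from collections import Counter

# Finding type -> remediation guides the corresponding section names.
PLAYBOOKS = {
    "AttackSequence:EKS/CompromisedCluster": [
        "Remediating EKS Protection findings",
        "Remediating Runtime Monitoring findings",
        "Remediating potentially compromised AWS credentials",
        "Remediating detected GuardDuty security findings"],
    "AttackSequence:ECS/CompromisedCluster": [
        "Remediating a potentially compromised ECS cluster",
        "Remediating detected GuardDuty security findings"],
    "AttackSequence:EC2/CompromisedInstanceGroup": [
        "Remediating a potentially compromised Amazon EC2 instance",
        "Remediating detected GuardDuty security findings"],
    "AttackSequence:IAM/CompromisedCredentials": [
        "Remediating potentially compromised AWS credentials",
        "Remediating detected GuardDuty security findings"],
    "AttackSequence:S3/CompromisedData": [
        "Remediating potentially compromised AWS credentials",
        "Remediating a potentially compromised S3 bucket"],
}

def event_pattern():
    """EventBridge rule pattern that selects only attack sequence findings."""
    return {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
            "detail": {"type": [{"prefix": "AttackSequence:"}]}}

def is_attack_sequence(finding_type):
    return finding_type.startswith("AttackSequence:")

def triage(event):
    """Return (playbooks, signal counts by kind); (None, {}) if not a sequence."""
    detail = event["detail"]
    if not is_attack_sequence(detail["type"]):
        return None, {}
    # Assumed location of the correlated signals (API activity + findings).
    seq = detail.get("service", {}).get("detection", {}).get("sequence", {})
    counts = Counter(s.get("type", "UNKNOWN") for s in seq.get("signals", []))
    return PLAYBOOKS.get(detail["type"], []), dict(counts)

# Constructed sample event; names and values are illustrative only.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "AttackSequence:S3/CompromisedData",
        "service": {"detection": {"sequence": {"signals": [
            {"type": "CLOUD_TRAIL", "name": "ListBuckets"},
            {"type": "S3_DATA_EVENTS", "name": "GetObject"},
            {"type": "S3_DATA_EVENTS", "name": "DeleteObject"},
            {"type": "FINDING", "name": "EXAMPLE_FINDING_TYPE"}]}}}}}
```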