Why did I receive a GuardDuty CryptoCurrency:EC2/BitcoinTool.B!DNS finding type for my Amazon EC2 instance?


I want to troubleshoot a CryptoCurrency finding that Amazon GuardDuty detected for my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Resolution

The GuardDuty CryptoCurrency:EC2/BitcoinTool.B!DNS finding type indicates that an Amazon EC2 instance in your AWS environment queried a domain name that is associated with cryptocurrency-related activity, such as Bitcoin mining. GuardDuty generates the finding from the DNS logs data source, so it records a DNS lookup of the domain rather than a confirmed connection to it. The finding's resource.instanceDetails fields identify the instance, and service.action.dnsRequestAction.domain records the domain that was queried.

If you intentionally use the Amazon EC2 instance for cryptocurrency or blockchain activity, then this finding type is expected for your environment. In that case, it's a best practice to set up a suppression rule that archives the finding for those specific instances, for example by instance ID or tag, rather than for every instance in the account. For more information and instructions, see CryptoCurrency:EC2/BitcoinTool.B!DNS.

If you don't expect this behavior, then the instance might be compromised and used for unauthorized mining. Treat the finding as a potential incident: identify the instance and the queried domain from the finding, then follow these instructions to remediate a compromised Amazon EC2 instance in your AWS environment.

Note that GuardDuty produces !DNS findings only for queries that pass through the Route 53 Resolver in the VPC. An instance that uses a different DNS resolver does not generate this finding, so the absence of the finding does not rule out mining activity. For more information, see GuardDuty foundational data sources.
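The following is an added example, not code from AWS or this article, showing the two actions described above: triaging a CryptoCurrency:EC2/BitcoinTool.B!DNS finding delivered as an EventBridge (CloudWatch Events) event, and building a scoped suppression rule for instances that are known to run blockchain software. The finding event, the account ID, the instance IDs, the domain name and the KNOWN_BLOCKCHAIN_INSTANCES set are constructed placeholders. The CreateFilter request uses the documented GuardDuty filter attribute names (type and resource.instanceDetails.instanceId); only apply_filter talks to AWS and needs boto3 and credentials.

```python
"""Triage and scoped suppression for CryptoCurrency:EC2/BitcoinTool.B!DNS.

Added example, not AWS code. All IDs, names and the domain are constructed.
"""
import json

FINDING_TYPE = "CryptoCurrency:EC2/BitcoinTool.B!DNS"

# Assumption: your team maintains this list of instances that are meant to
# run blockchain or mining software. Constructed placeholder value.
KNOWN_BLOCKCHAIN_INSTANCES = {"i-0123456789abcdef0"}

# Constructed EventBridge event carrying a GuardDuty finding. The field
# layout follows the GuardDuty finding format; the values are placeholders.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "accountId": "111122223333",
        "region": "us-east-1",
        "type": FINDING_TYPE,
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0fedcba9876543210",
                "tags": [{"key": "Name", "value": "web-01"}],
            },
        },
        "service": {
            "action": {
                "actionType": "DNS_REQUEST",
                "dnsRequestAction": {
                    "domain": "pool.example-mining.invalid",
                    "protocol": "UDP",
                    "blocked": False,
                },
            },
            "count": 12,
        },
    },
}


def summarize_finding(event):
    """Extract the fields an analyst needs: who, where, and what was queried."""
    d = event["detail"]
    inst = d.get("resource", {}).get("instanceDetails", {})
    dns = d.get("service", {}).get("action", {}).get("dnsRequestAction", {})
    return {
        "account": d["accountId"],
        "region": d["region"],
        "type": d["type"],
        "severity": d.get("severity"),
        "instance_id": inst.get("instanceId"),
        "domain": dns.get("domain"),
        "count": d.get("service", {}).get("count"),
    }


def triage(event, known_instances=KNOWN_BLOCKCHAIN_INSTANCES):
    """Return ('expected' | 'investigate' | 'not_applicable', summary).

    Only instances explicitly on the allow list are treated as expected;
    everything else is routed to the compromised-instance runbook.
    """
    summary = summarize_finding(event)
    if summary["type"] != FINDING_TYPE:
        return "not_applicable", summary
    if summary["instance_id"] in known_instances:
        return "expected", summary
    return "investigate", summary


def suppression_filter(known_instances, name="expected-bitcoin-dns"):
    """Build a CreateFilter request that archives the finding type for the
    listed instances only. Matching on instance ID keeps the rule from
    hiding the same finding on instances that should never mine."""
    return {
        "Name": name,
        "Action": "ARCHIVE",
        "Rank": 1,
        "Description": "Known blockchain workloads; auto-archive",
        "FindingCriteria": {
            "Criterion": {
                "type": {"Equals": [FINDING_TYPE]},
                "resource.instanceDetails.instanceId": {
                    "Equals": sorted(known_instances)
                },
            }
        },
    }


def apply_filter(detector_id, known_instances):
    """Create the suppression rule in GuardDuty (needs boto3 and credentials)."""
    import boto3  # imported here so the pure helpers run without it

    client = boto3.client("guardduty")
    return client.create_filter(DetectorId=detector_id,
                                **suppression_filter(known_instances))


if __name__ == "__main__":
    verdict, summary = triage(SAMPLE_EVENT)
    print(verdict, json.dumps(summary, indent=2))
    print(json.dumps(suppression_filter(KNOWN_BLOCKCHAIN_INSTANCES), indent=2))
```

With the constructed event, triage returns "investigate" because i-0fedcba9876543210 is not on the allow list; adding it to KNOWN_BLOCKCHAIN_INSTANCES flips the verdict to "expected". Wire triage into the EventBridge-to-Lambda pattern from the related articles to route the "investigate" branch to your incident response process.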

Related information

Creating custom responses to GuardDuty findings with Amazon CloudWatch Events

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

AWS OFFICIAL
Updated 6 months ago