
How to investigate the source of BitCoinTool alerts


We are getting GuardDuty BitCoinTool alerts from time to time. I would like to investigate what the source of this alert is. Any recommendations?

Finding type: CryptoCurrency:EC2/BitcoinTool.B!DNS EC2 instance i-xxxxxxxxxxxx is querying a domain name that is associated with Bitcoin-related activity.

1 Answer

On the finding type page here, it shows that this alert is generated from the DNS data source. Known findings, like Bitcoin mining domains, are detected via:

  • Proofpoint
  • Crowdstrike
  • Custom threat lists (If you have any)

If you go into the GuardDuty Console, click the finding, then scroll down to the Evidence section, you should be able to see which threat list from above it pulled from. I do want to draw your attention to the section on the page I linked above that says "If this activity is unexpected, your instance is likely compromised, see Remediating a compromised EC2 instance." What this means is that GuardDuty findings are high fidelity, so if it thinks this is a finding, it's likely a finding (unless this machine is supposed to be mining bitcoin) and you should take action ASAP.

I don't believe it shows you the exact IP/domain that your machine is reaching out to, but this is where general triage comes in. Like the page above says, your machine is likely compromised and you should take the steps outlined in your organization's incident response plan. Amazon does have white papers on Incident Response, and the AWS Marketplace has offerings you can use to get started on triaging your instance.

Here's a guide on building a cloud-specific incident response plan. Regardless of whether your server is on premises or in the cloud, the steps generally involve:

    1. Preparation
    2. Identification
    3. Containment
    4. Investigation
    5. Eradication
    6. Recovery
    7. Follow-Up

Feel free to reach out to Support if you're running into issues.

answered 2 months ago
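As an added example (not from the answer above, nor AWS code), here is a small Python triage helper that pulls the responder-relevant fields out of CryptoCurrency findings: the instance ID, the threat list the finding came from (the Evidence section mentioned above), the DNS request count and, where the finding carries it, the queried domain. It assumes the PascalCase field layout returned by boto3 `get_findings()`; the sample finding below is constructed, and its instance ID, domain and finding ID are placeholders.

```python
import json
from typing import Any

# Constructed sample shaped like one entry of boto3 get_findings()["Findings"].
# Instance ID, domain, list name and finding ID are made-up placeholders.
SAMPLE_FINDINGS = json.loads("""[{
  "Id": "finding-id-placeholder",
  "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
  "Severity": 8,
  "Resource": {"ResourceType": "Instance",
               "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
  "Service": {
    "Count": 3,
    "Action": {"ActionType": "DNS_REQUEST",
               "DnsRequestAction": {"Domain": "pool.example.invalid", "Protocol": "UDP"}},
    "Evidence": {"ThreatIntelligenceDetails": [
      {"ThreatListName": "ProofPoint", "ThreatNames": ["BitcoinMiningPool"]}]}
  }
}]""")


def triage_crypto_findings(findings: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Reduce GuardDuty findings to the fields a responder needs first."""
    rows = []
    for f in findings:
        if not f.get("Type", "").startswith("CryptoCurrency:"):
            continue  # only the finding family discussed here
        svc = f.get("Service", {})
        details = svc.get("Evidence", {}).get("ThreatIntelligenceDetails", [])
        rows.append({
            "instance_id": f.get("Resource", {}).get("InstanceDetails", {}).get("InstanceId"),
            "domain": svc.get("Action", {}).get("DnsRequestAction", {}).get("Domain"),
            # Which intel source(s) the evidence came from (e.g. ProofPoint, CrowdStrike, custom list)
            "threat_lists": sorted({d["ThreatListName"] for d in details if d.get("ThreatListName")}),
            "count": svc.get("Count", 0),
            "severity": f.get("Severity"),
            # GuardDuty treats this finding as high fidelity: unless mining is expected, isolate.
            "recommended_action": "isolate instance and follow the IR plan",
        })
    return rows


def fetch_crypto_findings(detector_id: str, region: str = "us-east-1") -> list[dict[str, Any]]:
    """Pull live BitcoinTool findings with boto3 (needs AWS credentials; not used offline)."""
    import boto3
    gd = boto3.client("guardduty", region_name=region)
    criteria = {"Criterion": {"type": {"Eq": ["CryptoCurrency:EC2/BitcoinTool.B!DNS"]}}}
    ids = gd.list_findings(DetectorId=detector_id, FindingCriteria=criteria)["FindingIds"]
    return gd.get_findings(DetectorId=detector_id, FindingIds=ids)["Findings"] if ids else []
```

Run `triage_crypto_findings(fetch_crypto_findings("<your-detector-id>"))` against a real detector to get one row per affected instance; the `Service.Count` value tells you how often the DNS request recurred, which helps decide whether a single instance or several need containment.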
