{
"account": "[REDACTED_ACCOUNT_ID]",
"detail": {
"accountId": "[REDACTED_ACCOUNT_ID]",
"arn": "arn:aws:guardduty:us-east-1:[REDACTED_ACCOUNT_ID]:detector/[REDACTED_DETECTOR_ID]/finding/[REDACTED_FINDING_ID]",
"createdAt": "[REDACTED_TIMESTAMP]",
"description": "The EC2 instance [REDACTED_INSTANCE_ID] is querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.",
"id": "[REDACTED_FINDING_ID]",
"partition": "aws",
"region": "us-east-1",
"resource": {
"instanceDetails": {
"availabilityZone": "[REDACTED_AZ]",
"iamInstanceProfile": {
"arn": "arn:aws:iam::[REDACTED_ACCOUNT_ID]:instance-profile/[REDACTED_PROFILE_NAME]",
"id": "[REDACTED_PROFILE_ID]"
},
"imageDescription": "[REDACTED_IMAGE_DESCRIPTION]",
"imageId": "[REDACTED_IMAGE_ID]",
"instanceId": "[REDACTED_INSTANCE_ID]",
"instanceState": "running",
"instanceType": "[REDACTED_INSTANCE_TYPE]",
"launchTime": "[REDACTED_TIMESTAMP]",
"networkInterfaces": [
{
"networkInterfaceId": "[REDACTED_ENI_ID]",
"privateIpAddress": "[REDACTED_IP]",
"publicIp": "[REDACTED_PUBLIC_IP]",
"securityGroups": "[REDACTED]",
"subnetId": "[REDACTED_SUBNET_ID]",
"vpcId": "[REDACTED_VPC_ID]"
}
],
"outpostArn": "[REDACTED_OUTPOST_ARN]",
"productCodes": "[REDACTED]",
"tags": "[REDACTED]"
},
"resourceType": "Instance"
},
"schemaVersion": "2.0",
"service": {
"action": {
"actionType": "DNS_REQUEST",
"dnsRequestAction": {
"blocked": false,
"domain": "[REDACTED_DOMAIN]",
"domainWithSuffix": "[REDACTED_DOMAIN_SUFFIX]",
"protocol": "UDP"
}
},
"additionalInfo": "[REDACTED]",
"archived": false,
"count": 8,
"detectorId": "[REDACTED_DETECTOR_ID]",
"eventFirstSeen": "[REDACTED_TIMESTAMP]",
"eventLastSeen": "[REDACTED_TIMESTAMP]",
"evidence": {
"threatIntelligenceDetails": "[REDACTED_THREAT_LISTS]"
},
"resourceRole": "TARGET",
"serviceName": "guardduty"
},
"severity": 5,
"title": "The EC2 instance [REDACTED_INSTANCE_ID] queried a Drop Point domain name.",
"type": "Trojan:EC2/DropPoint!DNS",
"updatedAt": "[REDACTED_TIMESTAMP]"
},
"detail-type": "GuardDuty Finding",
"id": "[REDACTED_EVENT_ID]",
"region": "us-east-1",
"resources": [],
"source": "aws.guardduty",
"time": "[REDACTED_TIMESTAMP]",
"version": "0"
}