T1496 – Resource Hijacking (AWS GuardDuty Detection)

AWS GuardDuty Alert Details
Alert ID: GUARDDUTY-RESOURCE-HIJACK-1496-7842
Alert Time: 2024-03-04 14:15:33 EST
Severity: HIGH (88/100)
Source: AWS GuardDuty
Rule: “Unauthorized Cryptocurrency Mining Activity Detected”
MITRE ATT&CK: T1496 – Resource Hijacking

Alert Details:

Detection: EC2 instance exhibiting cryptocurrency mining behavior

Instance: i-0a1b2c3d4e5f67890 (Development EC2)
Instance Type: c5.4xlarge (16 vCPU, 32 GB RAM)
Region: us-east-1
Account: 123456789012 (Development)
Time: 14:00-14:15 EST

Anomaly Detection:

CPU Usage: Normal 20-30% → Now 98% sustained for 2+ hours
Network Egress: Normal 100 MB/day → Now 500 MB in last hour
Processes: miner process detected: /tmp/xmrig
Outbound Connections: Connections to mining pools

Mining Pool Connections:

14:00:15 – Connection to mining-pool.com:3333 (TCP)
14:02:22 – Connection to xmr-usa.dwarfpool.com:8005
14:04:45 – Connection to pool.supportxmr.com:5555

Process Details (from Systems Manager):

Process: /tmp/xmrig
Command: ./xmrig --config=config.json
Config: Downloaded from 185.143.221[.]89/config.json
User: root (instance compromised)

Additional Indicators:

Unauthorized SSH key added: “devops_temp_key”
New user created: “ubuntu-update”
Sudoers file modified

Detection Logic:

Sustained high CPU (98%) unusual for development instance
Connections to known mining pools
Mining software detected
Unauthorized SSH key and user
Pattern matches cryptojacking/resource hijacking
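
The detection logic above, as an added example that is not part of the original alert or report: the four indicators are scored together so that sustained CPU alone (a legitimate build job) is not enough for a cryptojacking verdict. The pool domain list, miner names and all telemetry are constructed assumptions mirroring this incident.

```python
# Added example, not from the original report: correlates the indicators under
# Detection Logic into one verdict. All telemetry is constructed to mirror the alert.
KNOWN_POOL_DOMAINS = {"mining-pool.com", "dwarfpool.com", "supportxmr.com"}
MINER_NAMES = {"xmrig", "minerd", "cpuminer"}
def sustained_cpu(samples, threshold=80, window=12):
    """True when the trailing `window` samples (12 x 5 min = 1 h) all exceed threshold."""
    tail = samples[-window:]
    return len(tail) == window and all(s > threshold for s in tail)

def pool_connections(conns):
    """Keep (host, port) pairs whose host is, or is a subdomain of, a known pool."""
    return [(h, p) for h, p in conns
            if any(h == d or h.endswith("." + d) for d in KNOWN_POOL_DOMAINS)]

def miner_processes(procs):
    """Match on the executable basename so /tmp/xmrig and ./xmrig both hit."""
    return [(u, c) for u, c in procs
            if (c.split() or [""])[0].rsplit("/", 1)[-1] in MINER_NAMES]

def evaluate(cpu, conns, procs, authorized_keys, observed_keys):
    """Return (verdict, findings). 'cryptojacking' requires the CPU signal plus
    at least one corroborating indicator, so a legitimate build that pegs the
    CPU is only 'suspicious' on its own."""
    findings = {}
    if sustained_cpu(cpu):
        findings["sustained_cpu"] = cpu[-12:]
    if pools := pool_connections(conns):
        findings["mining_pools"] = pools
    if miners := miner_processes(procs):
        findings["miner_process"] = miners
    if extra := observed_keys - authorized_keys:
        findings["unauthorized_keys"] = sorted(extra)
    corroborating = len(findings) - ("sustained_cpu" in findings)
    if "sustained_cpu" in findings and corroborating:
        return "cryptojacking", findings
    return ("suspicious" if findings else "benign"), findings

# Constructed telemetry for i-0a1b2c3d4e5f67890: baseline, then 2 h at 98%.
INCIDENT = dict(
    cpu=[25, 22, 28] + [98] * 24,
    conns=[("mining-pool.com", 3333), ("xmr-usa.dwarfpool.com", 8005),
           ("pool.supportxmr.com", 5555), ("pypi.org", 443)],
    procs=[("root", "./xmrig --config=config.json"), ("ubuntu", "/usr/sbin/sshd -D")],
    authorized_keys={"dev_key"},
    observed_keys={"dev_key", "devops_temp_key"},
)

if __name__ == "__main__":
    print(evaluate(**INCIDENT))
```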

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify GuardDuty alert | AWS GuardDuty Console | Confirmed crypto mining on EC2 instance |
| 2. Instance Investigation | Check instance details | AWS Systems Manager | xmrig miner running as root |
| 3. Immediate Action | Terminate instance | AWS EC2 Console | Instance terminated |
| 4. SSH Key Rotation | Rotate compromised keys | AWS IAM, EC2 | All SSH keys rotated |
| 5. Account Review | Check for other compromised instances | GuardDuty, CloudTrail | No other instances affected |
| 6. Prevention | Implement monitoring for mining | AWS Config, CloudWatch | Alerts for high CPU utilization |

Jira Incident Report
Ticket: SOC-2024-167
Summary: T1496 – Cryptocurrency Mining on Compromised EC2 Instance
Status: RESOLVED
Resolution: MALICIOUS – Instance Terminated
Priority: P2 – MEDIUM
Labels: T1496, resource-hijacking, cryptojacking, xmrig, guardduty, aws
Components: Cloud-Security, Resource-Monitoring

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: AWS GuardDuty.
Alert: “Unauthorized Cryptocurrency Mining Activity Detected”.
Instance: i-0a1b2c3d4e5f67890 (Development EC2, c5.4xlarge).
Activity: XMRig miner running, connected to mining pools.
Time: 2024-03-04 14:15 EST.
Technique: MITRE ATT&CK T1496 – Resource Hijacking.

2. Technical Analysis:

Attack Chain:

12:00 – Developer SSH key compromised (personal laptop breach)
12:30 – Attacker logs into EC2 instance using stolen key
12:45 – Attacker downloads xmrig miner from 185.143.221[.]89
13:00 – Miner starts, connects to mining pools
13:00-14:15 – Mining continues (98% CPU)
14:15 – GuardDuty detects

Mining Details:

Software: XMRig (Monero miner)
Pool: mining-pool.com:3333
Hash Rate: Approximately 15 KH/s
Earnings: ~$50/day at attacker’s wallet
Duration: 2 hours before detection

Compromised Key:

Key Name: dev_key (used by developer)
Leak Source: Developer’s personal laptop infected with stealer
Status: Revoked

Instance Impact:

CPU at 98% for 2 hours
Estimated cost: $5 in extra compute (negligible)
No data exfiltration

3. Investigation Findings:

Timeline:

12:00 – Key compromised
12:30 – Attacker logs in
12:45 – Miner downloaded
13:00-14:15 – Mining
14:15 – GuardDuty alert
14:17 – SOC investigates
14:18 – Instance terminated

Indicators of Compromise (IoCs):

Network:
– mining-pool.com:3333
– xmr-usa.dwarfpool.com:8005
– pool.supportxmr.com:5555
– Download URL: 185.143.221[.]89/config.json

Files:
– /tmp/xmrig (SHA256: a1b2c3d4…)
– /tmp/config.json

SSH Key:
– devops_temp_key (unauthorized)

4. Containment Actions:

Immediate Actions:

Terminated compromised EC2 instance.
Revoked all SSH keys associated with the instance.
Blocked mining pool domains at network level.
Rotated developer’s SSH key.

Cloud Remediation:

Launched new instance from clean AMI.
Restored necessary data from backups.
Implemented stricter SSH key management.

Monitoring Enhancement:

Created CloudWatch alarm for sustained high CPU (>80% for 1 hour).
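
The alarm described above, as an added example not taken from the report: it builds the parameters for the CloudWatch put_metric_alarm API (a real boto3 call, not invoked here) and includes a small evaluator that mimics CloudWatch's "N of M datapoints" rule, so the one-hour window can be sanity-checked offline against the incident's CPU history. The alarm name format, the SNS topic placeholder and the CPU series are assumptions.

```python
# Added example, not from the original report: the SOC's ">80% CPU for 1 hour"
# alarm as put_metric_alarm kwargs, plus an offline evaluator for the window.

def sustained_cpu_alarm(instance_id, threshold=80, minutes=60, period=300, sns_topic_arn=None):
    """Build put_metric_alarm kwargs. EvaluationPeriods == DatapointsToAlarm
    means every datapoint in the window must breach, i.e. 'sustained'.
    Period 300 s matches EC2 basic (5-minute) monitoring."""
    if (minutes * 60) % period:
        raise ValueError("window must be a whole number of periods")
    periods = (minutes * 60) // period
    params = {
        "AlarmName": f"cpu-sustained-{threshold}pct-{minutes}m-{instance_id}",  # assumed naming
        "Namespace": "AWS/EC2",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Average",
        "Period": period,
        "EvaluationPeriods": periods,
        "DatapointsToAlarm": periods,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # a stopped instance must not page the SOC
    }
    if sns_topic_arn:
        params["AlarmActions"] = [sns_topic_arn]
    return params

def alarm_state(params, datapoints):
    """ALARM when at least DatapointsToAlarm of the last EvaluationPeriods
    datapoints breach the threshold; datapoints are oldest first."""
    window = datapoints[-params["EvaluationPeriods"]:]
    breaching = sum(1 for d in window if d > params["Threshold"])
    return "ALARM" if breaching >= params["DatapointsToAlarm"] else "OK"

# Constructed 5-minute CPU averages for the incident: baseline, then 98% for 2 hours.
INCIDENT_CPU = [24, 27, 22, 29] + [98] * 24
# Constructed 20-minute build spike that a one-hour sustained alarm should ignore.
BUILD_SPIKE = [24] * 12 + [97] * 4

if __name__ == "__main__":
    alarm = sustained_cpu_alarm("i-0a1b2c3d4e5f67890")
    print(alarm["EvaluationPeriods"], alarm_state(alarm, INCIDENT_CPU), alarm_state(alarm, BUILD_SPIKE))
    # To deploy: boto3.client("cloudwatch").put_metric_alarm(**alarm)
```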

5. Root Cause Analysis:

Primary Cause: Developer SSH key compromised from personal laptop.
Contributing Factors:
SSH key not rotated regularly.
No MFA for SSH access.
No monitoring for crypto mining.

6. Business Impact:

Operational Impact: Development instance offline for 1 hour.
Financial Impact: ~$5 in extra compute costs.
Data Exposure: None.

7. Remediation & Prevention:

Completed Actions:

Instance terminated.
Keys rotated.
Mining blocked.

Technical Controls Enhanced:

Enforced MFA for SSH access (where possible).
Implemented key rotation policy.
Deployed GuardDuty with automated response.
Created CloudWatch alarms for CPU anomalies.

8. Conclusion:

An attacker used a compromised developer SSH key to install a Monero miner on an EC2 instance, hijacking compute resources for cryptocurrency mining. GuardDuty detected the mining behavior and enabled termination of the instance within minutes.

Closure Rationale: Instance terminated; keys rotated; mining stopped.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-04 15:30 EST
