AWS Public Sector Blog
Detect and investigate Amazon EC2 malware with Amazon GuardDuty and Amazon Detective
As public sector organizations expand their cloud presence, protecting Amazon Elastic Compute Cloud (Amazon EC2) instances from malware becomes increasingly critical. Malware, software designed to damage or gain unauthorized access to systems, poses a significant threat to unprotected or under-protected Amazon Web Services (AWS) workloads. Threat actors employ various malware attack vectors targeting EC2 instances by exploiting exposed access points, such as zero-day and unpatched vulnerabilities, misconfigured security groups, and open ports. To counter these threats and protect EC2 instances from malicious activities, AWS provides purpose-built security tools to help you detect and investigate potential intrusions.
In this post, we demonstrate how to use the advanced malware detection features of Amazon GuardDuty to uncover malicious and suspicious files compromising your EC2 instances. We use the investigative capabilities of Amazon Detective to gain deeper insights into the security event. After the key questions about the security event are addressed, we outline steps to remediate the potentially compromised EC2 instance.
Amazon GuardDuty helps you protect your AWS workloads through intelligent threat detection. It continually monitors your AWS accounts using machine learning (ML) and threat intelligence to identify unusual behavior and potential security threats. GuardDuty analyzes three critical data sources: Amazon Route 53 DNS logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, and AWS CloudTrail management events. When enabled, Amazon GuardDuty provides additional threat detection protection plans for Amazon Simple Storage Service (Amazon S3), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Relational Database Service (Amazon RDS), and AWS Lambda, as well as Extended Threat Detection, Runtime Monitoring, Malware Protection for EC2, and Malware Protection for S3.
Amazon Detective complements Amazon GuardDuty by helping you analyze and investigate security findings quickly. Amazon Detective obtains log data from your AWS accounts and services, applying ML, statistical analysis, and graph theory to generate visualizations that help you trace security events to their source, significantly reducing investigation time.
Enabling Amazon GuardDuty Malware Protection
Amazon GuardDuty Malware Protection offers several key benefits, including automated threat detection, seamless integration with your existing Amazon GuardDuty setup, and reduced time to identify and respond to malware threats. Amazon GuardDuty offers two types of malware scans to help you protect your EC2 instances: Amazon GuardDuty initiated malware scans and Amazon GuardDuty On-demand malware scans.
Amazon GuardDuty initiated malware scans are automated scans that trigger when Amazon GuardDuty detects potential malware or suspicious activity on an EC2 instance or container workload; the scan covers the Amazon Elastic Block Store (Amazon EBS) volumes attached to the Amazon EC2 instance. When a scan completes, Amazon GuardDuty generates Malware Protection findings for Amazon EC2, providing you with detailed security insights.
To enable Amazon GuardDuty initiated malware scans, follow these steps:
- On the Amazon GuardDuty console, select Malware Protection for EC2.
- Navigate to GuardDuty-initiated malware scan and select Enable and confirm your choice, as shown in the following screenshot.
Amazon GuardDuty On-demand malware scans help you detect the presence of malware attached to your EC2 instances. You can initiate On-demand malware scans at any time on specific EC2 instances. This feature gives your security team the flexibility to quickly test instances after remediation or whenever you suspect a security issue.
To use Amazon GuardDuty On-demand malware scans, follow these steps:
- On the Amazon GuardDuty console, select Malware Protection for EC2.
- Navigate to On-demand malware scan, provide your target EC2 Amazon Resource Name (ARN), and select Start scan.
Managing Amazon GuardDuty as a delegated administrator in AWS Organizations
Remember to configure your account as an Amazon GuardDuty delegated administrator if you're managing multiple accounts. In a multi-account AWS environment, designating a delegated administrator account enhances the security team's ability to effectively monitor all member accounts within the AWS Organizations organization. The AWS Organizations management account is responsible for designating the delegated Amazon GuardDuty administrator. This is accomplished by specifying the 12-digit AWS account ID of the chosen member account, granting it the necessary administrative security privileges within the organization.
Using delegated administrators in malware mitigation offers some key capabilities. You can enable Malware Protection for Amazon EC2 across all associated accounts, establishing a seamless and comprehensive defense against potential malware threats for both existing and newly added accounts within the organization. You can access GuardDuty findings from all associated accounts, providing administrators with immediate, organization-wide visibility and enabling faster, more effective responses to malware incidents. And you can implement suppression rules across associated accounts to filter out known false positives, allowing security teams to focus on genuine indicators of compromise (IOCs) relating to malware threats.
If you want to explore more, visit Understanding the relationship between GuardDuty administrator account and member accounts.
Understanding and reviewing GuardDuty EC2 malware scan results
In this section, we build on our discussion of Amazon GuardDuty initiated and On-demand malware scans to examine how to interpret the scan results and understand their implications for your AWS environment. Amazon GuardDuty scans the Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 instances.
When Amazon GuardDuty completes a malware scan, it generates detailed findings based on the scan results. If malware or suspicious activity is detected, the scan result will display Infected, triggering one of two critical finding types:
1. Execution:EC2/MaliciousFile
- Indicates confirmed malicious files on your EC2 instance
- Requires immediate security response
- Part of the GuardDuty EBS Malware Protection feature
2. Execution:EC2/SuspiciousFile
- Indicates potentially unwanted programs
- May include adware, spyware, or dual-use tools
- Requires investigation but may not need immediate remediation
The following screenshot shows the Execution:EC2/MaliciousFile finding.
Learn more about Malware Protection findings. For detailed remediation steps following an Infected result, refer to the Amazon EC2 malware remediation and recovery section later in this post.
Each Amazon GuardDuty malware scan includes the following key fields for tracking and analysis:
- Scan ID: Unique identifier for each scan instance
- EC2: Target instance identifier
- Scan type: Either GuardDuty initiated or On-demand
- Scan status: Current scan state (Running, Completed, Skipped, or Failed)
- Scan result: Final outcome (Clean or Infected)
- triggered_finding_id: Unique identifier assigned to the GuardDuty finding responsible for invoking the GuardDuty-initiated scan
These scan results directly feed into your broader security operations, connecting with the Amazon Detective investigation capabilities and informing your remediation strategy. We explore these concepts later in the post.
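The following Python script is an added example, not code from the original post or from AWS. It reduces the records returned by the GuardDuty DescribeMalwareScans API (boto3: guardduty.describe_malware_scans) to the tracking fields listed above and separates scans that need a response from scans that never produced a verdict. The response shape it assumes (ScanId, ScanStatus, ScanType, ResourceDetails.InstanceArn, ScanResultDetails.ScanResult, TriggerDetails.GuardDutyFindingId) is what that API returns; the sample response itself is constructed, and every ID in it is made up.

```python
"""Summarize Malware Protection for EC2 scan records into the tracking fields used in the post."""
from __future__ import annotations

from typing import Any

# Constructed sample modeled on a DescribeMalwareScans response. All IDs are made up.
SAMPLE_RESPONSE: dict[str, Any] = {
    "Scans": [
        {
            "ScanId": "scan-0123456789abcdef0",
            "ScanStatus": "COMPLETED",
            "ScanType": "GUARDDUTY_INITIATED",
            "ResourceDetails": {"InstanceArn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaaa1111bbbb2222c"},
            "ScanResultDetails": {"ScanResult": "INFECTED"},
            "TriggerDetails": {"GuardDutyFindingId": "finding-placeholder-1"},
        },
        {
            "ScanId": "scan-0fedcba9876543210",
            "ScanStatus": "COMPLETED",
            "ScanType": "ON_DEMAND",
            "ResourceDetails": {"InstanceArn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0dddd3333eeee4444f"},
            "ScanResultDetails": {"ScanResult": "CLEAN"},
        },
        {
            "ScanId": "scan-0aaaaaaaaaaaaaaaa",
            "ScanStatus": "SKIPPED",
            "ScanType": "GUARDDUTY_INITIATED",
            "ResourceDetails": {"InstanceArn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0ffff5555aaaa6666b"},
            "TriggerDetails": {"GuardDutyFindingId": "finding-placeholder-2"},
        },
    ]
}

SCAN_TYPE_LABEL = {"GUARDDUTY_INITIATED": "GuardDuty initiated", "ON_DEMAND": "On-demand"}


def instance_id_from_arn(arn: str) -> str:
    """arn:aws:ec2:region:account:instance/i-xxxx -> i-xxxx"""
    return arn.rsplit("/", 1)[-1]


def summarize_scan(scan: dict[str, Any]) -> dict[str, str | None]:
    """Map one scan record to the Scan ID / EC2 / Scan type / Scan status / Scan result / triggered_finding_id fields."""
    status = scan.get("ScanStatus", "UNKNOWN")
    # A scan result is only meaningful once the scan has COMPLETED; Skipped and Failed scans have none.
    result = scan.get("ScanResultDetails", {}).get("ScanResult") if status == "COMPLETED" else None
    return {
        "scan_id": scan["ScanId"],
        "ec2": instance_id_from_arn(scan["ResourceDetails"]["InstanceArn"]),
        "scan_type": SCAN_TYPE_LABEL.get(scan.get("ScanType", ""), scan.get("ScanType")),
        "scan_status": status.capitalize(),
        "scan_result": result.capitalize() if result else None,
        # Only GuardDuty-initiated scans carry the finding that triggered them; On-demand scans have no trigger.
        "triggered_finding_id": scan.get("TriggerDetails", {}).get("GuardDutyFindingId"),
    }


def summarize_scans(response: dict[str, Any]) -> list[dict[str, str | None]]:
    return [summarize_scan(s) for s in response.get("Scans", [])]


def instances_needing_response(response: dict[str, Any]) -> list[str]:
    """Instance IDs whose scan completed with an Infected result: these go to the remediation steps."""
    return [s["ec2"] for s in summarize_scans(response) if s["scan_result"] == "Infected"]


def scans_to_rerun(response: dict[str, Any]) -> list[str]:
    """Skipped or Failed scans never produced a verdict; those instances are candidates for an On-demand scan."""
    return [s["ec2"] for s in summarize_scans(response) if s["scan_status"] in ("Skipped", "Failed")]


def fetch_scans(detector_id: str) -> dict[str, Any]:
    """Live variant: pull the scan list for a detector with boto3 (only needed against a real account)."""
    import boto3

    return boto3.client("guardduty").describe_malware_scans(DetectorId=detector_id)


if __name__ == "__main__":
    for row in summarize_scans(SAMPLE_RESPONSE):
        print(row)
    print("needs response:", instances_needing_response(SAMPLE_RESPONSE))
    print("rerun on demand:", scans_to_rerun(SAMPLE_RESPONSE))
```

Running the script prints one row per scan with the six fields, then the single infected instance and the single skipped instance. Splitting "no verdict" from "Clean" matters in practice: a Skipped scan (for example, an unsupported volume) is easy to misread as a clean result in a dashboard that only shows the scan_result column.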
Amazon Detective investigations
After Amazon GuardDuty identifies potential malware on your EC2 instances, Amazon Detective helps you understand the full scope of the incident. The Amazon Detective investigation capabilities help you answer critical questions about the potential compromise: How did it happen? What resources were affected? What actions did the attacker take?
When investigating potential malware incidents, begin with the Amazon Detective triage process. This helps you quickly determine the severity of the security event and differentiate between true threats and false positives. Amazon Detective analyzes various data points to create a comprehensive view of the incident, including:
- API activity patterns
- Network traffic flows
- Resource configurations
- Historical behavior baselines
The indicators of compromise (IOCs) that this analysis surfaces include user and resource behavior, unusual API call patterns, unexpected geographic access locations, and changes in resource usage. Network activity analysis reveals communication with malicious IP addresses, unusual data transfers, and suspicious port usage. Timeline analysis shows the sequence of security events and the duration of the potential compromise. This investigation builds a root cause analysis for incident reports and future threat modeling. The following screenshot is a report summary in Amazon GuardDuty.
Example investigation workflow
In a typical malware investigation, analysts use Amazon Detective to examine Amazon GuardDuty findings and the affected EC2 instance’s timeline. They review network connections and API calls for suspicious activities, identify related compromised resources, and determine the initial access vector. This systematic approach provides a thorough investigation and helps prevent future security incidents.
In this section, we show how to perform a thorough investigation using Amazon Detective to investigate the Amazon GuardDuty findings Execution:EC2/MaliciousFile and Execution:EC2/SuspiciousFile.
Investigating Execution:EC2/MaliciousFile
When Amazon Detective receives this high-severity finding, indicating confirmed malicious files on an EC2 instance, your investigation might proceed as follows:
- Initial assessment
  - Open the Detective console and navigate to the finding details.
  - Review the EC2 instance metadata, including launch time, Amazon Machine Image (AMI) ID, and attached AWS Identity and Access Management (IAM)
- Timeline analysis
  - Examine the instance's activity timeline leading up to the malware detection.
  - Look for unusual API calls, particularly those related to file downloads or configuration changes.
- Network connections
  - Analyze the instance's network connections in the days preceding the finding.
  - Identify any communications with known malicious IP addresses or unusual destinations.
- User activity
  - Review actions taken by users who accessed the instance.
  - Look for unusual login patterns or unexpected privilege escalations.
- Lateral movement
  - Check for attempts to access other resources from the infected instance.
  - Analyze any successful connections to other EC2 instances or AWS services.
- Data exfiltration
  - Examine network flow logs for large or unusual outbound data transfers.
  - Look for the creation of new IAM users or access keys that could be used for data theft.
Investigating Execution:EC2/SuspiciousFile
For this medium-severity finding indicating potentially unwanted programs, your Amazon Detective investigation might look like this:
- Context gathering
  - Review the Amazon Detective summary for details on the suspicious files detected.
  - Check if this instance or similar files have been flagged before.
- Software inventory
  - Use Amazon Detective to view a list of processes and installed software on the instance.
  - Compare it against your organization's approved software list.
- Behavioral analysis
  - Examine the instance's CPU and network usage patterns.
  - Look for any deviation from typical behavior for this instance type and role.
- Access patterns
  - Review recent logins and API calls made to the instance.
  - Check for any unusual access times or sources.
- Configuration changes
  - Analyze recent changes to the instance's configuration or security groups.
  - Look for any modifications that could have allowed installation of suspicious software.
- Broader impact assessment
  - Use the Amazon Detective entity finder to check if similar files exist on other instances.
  - Review connections from this instance to make sure potentially unwanted programs don't spread.
After completing your investigation with Amazon Detective, you’ll have the context you need to:
- Make informed decisions about remediation steps.
- Update security controls to prevent similar incidents.
- Document findings for compliance and audit purposes.
For detailed guidance on remediation steps, continue to the Amazon EC2 malware remediation and recovery section of this post.
Amazon Detective finding groups and visualizations
Amazon Detective enhances security investigations through finding groups and interactive visualizations. In Amazon EC2 malware scenarios, finding groups can reveal the complete attack chain, from initial credential compromise to malicious file deployment, lateral movement attempts, and data exfiltration. Detective employs advanced analytics to create finding groups by examining temporal proximity, common entities, behavioral patterns, and tactics, techniques, and procedures (TTPs). This consolidates related events into a single, navigable timeline, providing a holistic view of security incidents. Security teams can quickly understand connections between findings, identify affected AWS resources, and track an attacker’s progression through the environment. This comprehensive approach significantly reduces investigation time and enables faster incident response and remediation. The following screenshot shows the report summary.
Understanding and using finding groups visualizations
Finding groups' visualization features turn complex security data into actionable insights: security teams can map the relationships between findings, track behavior patterns, and identify attackers and compromised resources. The holistic view across AWS services helps you understand the scope of a potential incident and prioritize your response. Amazon Detective correlates security findings into finding groups to provide broader context for security incidents. For example, when investigating Amazon EC2 malware, finding groups can reveal compromised credentials, malicious file installations, lateral movement attempts, and data exfiltration activities. The visualizations in Detective help trace potential security incidents, answering critical questions: How did it happen? What resources were affected? What actions did the attacker take? This way, you can understand timelines, connections between compromised resources, and attack patterns.
Amazon EC2 malware remediation and recovery
When Amazon GuardDuty alerts you to potential malware on your EC2 instances, a swift and methodical response is crucial. In this section, we walk through the remediation process for Execution:EC2/MaliciousFile and Execution:EC2/SuspiciousFile. Follow these steps:
1. Isolate the instance. Regardless of the finding type, your first step should always be to isolate the affected instance. Think of this as establishing a quarantine zone. Here’s how to do it:
- Create an isolation security group in the same VPC as the affected instance (the command returns the GroupId you need in the next step):
aws ec2 create-security-group \
  --group-name malware-isolation \
  --description "Isolate compromised instances" \
  --vpc-id "insert VPC ID"
- Apply this group to your affected instance, using the GroupId returned by the previous command (this replaces all security groups currently attached to the instance):
aws ec2 modify-instance-attribute \
  --instance-id "insert Instance ID" \
  --groups "insert isolation security group ID"
2. Respond to Execution:EC2/MaliciousFile. With confirmed malicious files, time is of the essence. Follow these steps:
- Stop the instance to prevent further damage:
aws ec2 stop-instances --instance-ids "insert Instance ID"
- Create a forensic snapshot for investigation:
aws ec2 create-snapshot \
  --volume-id "insert volume ID" \
  --description "Forensic snapshot of compromised instance"
- In most cases, terminate the affected instance and launch a new one from a known-good AMI. This makes sure that you’re starting from a clean state.
3. Handle Execution:EC2/SuspiciousFile. For suspicious files, a more measured approach is needed:
- Use Session Manager, a capability of AWS Systems Manager, for secure investigation:
aws ssm start-session --target "insert Instance ID"
- Analyze the suspicious files to determine if they're:
  - Legitimate business tools with behavior similar to malware
  - Outdated versions of legitimate software
  - Actually malicious files requiring full remediation
- Based on your findings, take appropriate action:
  - Update and patch legitimate software
  - Remove confirmed malicious files
  - Document false positives to improve future scans
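The following Python script is an added example, not code from the original post or from AWS. It turns the manual steps above into a single response function that an Amazon EventBridge rule for GuardDuty findings could invoke through a Lambda function: confirmed Execution:EC2/MaliciousFile findings are isolated, stopped and snapshotted; Execution:EC2/SuspiciousFile findings are isolated and tagged for the Session Manager review described above, but left running. The EC2 client is injected, so the logic runs offline against the FakeEC2 recorder defined below; when deployed, boto3.client("ec2") is passed instead, and the method names and keyword arguments used (create_security_group, revoke_security_group_egress, modify_instance_attribute, stop_instances, create_snapshot, create_tags, describe_instances) are the real boto3 EC2 client calls. The event is a constructed sample with made-up IDs and carries only the fields the code reads; real findings contain many more. The lambda_handler name is hypothetical.

```python
"""First response for Malware Protection for EC2 findings, driven by the finding type."""
from __future__ import annotations

from typing import Any

MALICIOUS = "Execution:EC2/MaliciousFile"
SUSPICIOUS = "Execution:EC2/SuspiciousFile"

# Constructed EventBridge event carrying a GuardDuty finding (IDs are made up).
SAMPLE_EVENT: dict[str, Any] = {
    "detail": {
        "type": MALICIOUS,
        "id": "finding-placeholder",
        "resource": {"instanceDetails": {"instanceId": "i-0aaaa1111bbbb2222c"}},
    }
}


class FakeEC2:
    """Records EC2 API calls instead of making them, so the playbook can be exercised offline."""

    def __init__(self, vpc_id: str = "vpc-0abc", volumes: tuple[str, ...] = ("vol-0111", "vol-0222")):
        self.calls: list[tuple[str, dict[str, Any]]] = []
        self._vpc_id, self._volumes = vpc_id, list(volumes)

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "VpcId": self._vpc_id,
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self._volumes]}]}]}

    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-0isolate"}

    def revoke_security_group_egress(self, **kw):
        self.calls.append(("revoke_security_group_egress", kw))

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def stop_instances(self, **kw):
        self.calls.append(("stop_instances", kw))

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": f"snap-{kw['VolumeId']}"}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


def isolate_instance(ec2, instance_id: str, vpc_id: str) -> str:
    """Create an empty isolation group and make it the instance's only group.
    A new group has no inbound rules but allows all outbound traffic by default,
    so the default egress rule is revoked as well; otherwise the instance could still beacon out."""
    sg = ec2.create_security_group(GroupName=f"malware-isolation-{instance_id}",
                                   Description="Isolate compromised instances", VpcId=vpc_id)["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg])  # replaces every existing group
    return sg


def respond(event: dict[str, Any], ec2) -> dict[str, Any]:
    """Apply the response that matches the finding type; other finding types are left to other playbooks."""
    detail = event["detail"]
    finding_type = detail["type"]
    if finding_type not in (MALICIOUS, SUSPICIOUS):
        return {"instance": None, "action": "ignored", "finding": finding_type}
    instance_id = detail["resource"]["instanceDetails"]["instanceId"]
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    sg = isolate_instance(ec2, instance_id, inst["VpcId"])
    result: dict[str, Any] = {"instance": instance_id, "isolation_sg": sg, "finding": finding_type, "snapshots": []}
    if finding_type == MALICIOUS:
        # Confirmed malware: stop first, then snapshot every attached volume for forensics.
        ec2.stop_instances(InstanceIds=[instance_id])
        for mapping in inst["BlockDeviceMappings"]:
            vol = mapping["Ebs"]["VolumeId"]
            snap = ec2.create_snapshot(
                VolumeId=vol, Description=f"Forensic snapshot of {instance_id} ({detail['id']})")["SnapshotId"]
            result["snapshots"].append(snap)
        result["action"] = "isolated-stopped-snapshotted"
    else:
        # Suspicious file: keep it running for Session Manager review, but tag it so the review is tracked.
        ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "SecurityStatus", "Value": "investigate"}])
        result["action"] = "isolated-tagged"
    return result


def lambda_handler(event, context):
    """Hypothetical Lambda entry point for an EventBridge rule on GuardDuty findings (needs boto3 when deployed)."""
    import boto3

    return respond(event, boto3.client("ec2"))


if __name__ == "__main__":
    fake = FakeEC2()
    print(respond(SAMPLE_EVENT, fake))
    print([name for name, _ in fake.calls])
```

The order of calls matters: the instance is isolated before it is stopped, so that nothing can reach it if the stop is delayed, and snapshots are taken after the stop so that they capture a consistent disk image. The function deliberately does not terminate anything; launching a replacement from a known-good AMI remains a human decision, as the steps above describe.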
Post-remediation steps
Regardless of the finding type, always verify the effectiveness of your remediation with a full malware scan, review and update security controls to prevent future infections, and document the incident and your response for future reference. Make sure you’re using the incident as an opportunity to strengthen your overall security.
Implement regular automated patching using Patch Manager, a capability of AWS Systems Manager. Enable continual security monitoring with Amazon GuardDuty across all accounts and Regions, and use the lessons learned to set up automated incident response using Amazon EventBridge rules. Lastly, conduct regular security assessments using Amazon Inspector. Remember, effective malware remediation is an ongoing process. By following these guidelines and taking advantage of AWS security services, you can confidently handle malware incidents while maintaining the security of your AWS environment.
Conclusion
This post demonstrated how Amazon GuardDuty and Amazon Detective can effectively detect, investigate, and isolate potential malware compromising EC2 instances. Security remains a top priority for AWS and implementing robust operational components is crucial in today’s landscape to mitigate malware and other security threats. For guidance on implementing AWS security best practices regarding detection, incident investigation, and response, refer to Best Practices for Security, Identity, & Compliance.