#1
Cryptomining
Amazon GuardDuty can detect EC2 instances that an adversary has compromised and hijacked to mine cryptocurrency (its CryptoCurrency:EC2/BitcoinTool finding types, raised on mining-pool DNS lookups or network connections). D3 retrieves the finding, runs it through MITRE ATT&CK correlation to identify the tactic and technique (for cryptomining, Resource Hijacking, T1496, under Impact; GuardDuty itself does not emit ATT&CK IDs, so this mapping is done in the SOAR), and extracts IOCs such as the queried domain, the remote IP and the instance ID to compare against third-party threat intelligence to determine risk. Based on that risk, the analyst can escalate the event to an incident if further investigation is required. D3 has a prebuilt, automation-powered playbook for cryptomining, which includes domain analysis and EC2 instance analysis.
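The triage steps above (retrieve the finding, map it to ATT&CK, extract IOCs, check them against threat intel, decide whether to escalate) as an added example in Python. This is not D3's code or playbook: the GuardDuty finding is a constructed sample trimmed to the fields the logic reads (field names follow the GuardDuty finding JSON, values are invented), the threat-intel feed is a constructed in-memory dict standing in for a third-party lookup, and the risk thresholds are an assumption chosen for illustration.

```python
"""Triage a GuardDuty cryptomining finding: IOC extraction, ATT&CK mapping,
threat-intel match and escalation decision. Added example, not D3 code."""
import json

# Constructed sample finding. Field names mirror the GuardDuty finding JSON
# (type, severity, resource.instanceDetails, service.action); values are invented.
SAMPLE_FINDING = {
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "severity": 8,
    "resource": {
        "resourceType": "Instance",
        "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
    },
    "service": {
        "action": {
            "actionType": "DNS_REQUEST",
            "dnsRequestAction": {"domain": "pool.example-miner.test"},
        }
    },
}

# GuardDuty does not emit ATT&CK IDs; the SOAR maps finding type to technique.
# Both cryptomining finding types map to Resource Hijacking under Impact.
ATTACK_MAP = {
    "CryptoCurrency:EC2/BitcoinTool.B": ("TA0040", "Impact", "T1496", "Resource Hijacking"),
    "CryptoCurrency:EC2/BitcoinTool.B!DNS": ("TA0040", "Impact", "T1496", "Resource Hijacking"),
}

# Constructed stand-in for a third-party threat-intel feed (assumption: a real
# integration would query the vendor API instead of a dict).
THREAT_INTEL = {
    "domains": {"pool.example-miner.test": "mining-pool"},
    "ips": {"203.0.113.7": "mining-pool"},
}

# Assumed thresholds on GuardDuty's 0.1-8.9 severity scale (High starts at 7.0).
HIGH_SEVERITY = 7.0
MEDIUM_SEVERITY = 4.0


def extract_iocs(finding):
    """Pull the instance ID and the network IOC (domain or remote IP) out of the finding."""
    iocs = {"instance_id": None, "domains": [], "ips": []}
    details = finding.get("resource", {}).get("instanceDetails", {})
    iocs["instance_id"] = details.get("instanceId")
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "DNS_REQUEST":
        domain = action.get("dnsRequestAction", {}).get("domain")
        if domain:
            iocs["domains"].append(domain)
    elif kind == "NETWORK_CONNECTION":
        remote = action.get("networkConnectionAction", {}).get("remoteIpDetails", {})
        ip = remote.get("ipAddressV4")
        if ip:
            iocs["ips"].append(ip)
    return iocs


def map_to_attack(finding_type):
    """Return (tactic id, tactic, technique id, technique) or None if unmapped."""
    return ATTACK_MAP.get(finding_type)


def match_intel(iocs, intel):
    """Return every IOC that appears in the threat-intel feed, with its label."""
    hits = []
    for domain in iocs["domains"]:
        if domain in intel["domains"]:
            hits.append(("domain", domain, intel["domains"][domain]))
    for ip in iocs["ips"]:
        if ip in intel["ips"]:
            hits.append(("ip", ip, intel["ips"][ip]))
    return hits


def triage(finding, intel=THREAT_INTEL):
    """Enrich the finding and decide whether it should become an incident."""
    iocs = extract_iocs(finding)
    attack = map_to_attack(finding.get("type", ""))
    hits = match_intel(iocs, intel)
    severity = float(finding.get("severity", 0))
    # An intel match corroborates the detection; otherwise fall back on severity.
    if hits or severity >= HIGH_SEVERITY:
        risk = "high"
    elif severity >= MEDIUM_SEVERITY:
        risk = "medium"
    else:
        risk = "low"
    return {
        "finding_type": finding.get("type"),
        "iocs": iocs,
        "attack": attack,
        "intel_hits": hits,
        "risk": risk,
        "escalate": risk == "high",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING), indent=2))
```

Running the block prints the enriched record for the sample finding, which escalates because the queried domain matches the constructed feed; a low-severity finding of an unmapped type with no intel hit returns `"escalate": False`, which is the case an analyst would leave as an event.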