

# Understanding active threat defense managed rule group indicators
<a name="atd-indicators"></a>

A threat indicator is a unique identifier of potentially malicious infrastructure or threat activity. active threat defense managed rule groups match traffic for IP address, domain name, and URL indicators that are associated with known threats.

**Tip**  
If you use Amazon GuardDuty, you can strengthen your security by using the active threat defense managed rule group to automatically block the threats that Amazon GuardDuty detects. For information, see [Working with active threat defense indicators in Amazon GuardDuty](nwfw-atd-guardduty-use-case.md).

AWS groups threat indicators into categories based on observed attack patterns. The following table describes each indicator group available in the active threat defense managed rule group:


| Indicator group and description | Traffic direction | Indicator types | 
| --- | --- | --- | 
|  **Command and control** Infrastructure that malicious actors use to remotely control compromised systems.  |  Egress  |  IPs, domains  | 
|  **Malware staging** Infrastructure that facilitates the distribution of malware and attack tooling.  |  Ingress/Egress  |  URLs  | 
|  **Sinkholes** Previously abused infrastructure used for malicious purposes.  |  Egress  |  Domains  | 
|  **Out-of-band application security testing** A technique where injected payloads make an outbound connection to external infrastructure that validates the existence of a vulnerability.  |  Egress  |  IPs, domains  | 
|  **Crypto-mining pool** Infrastructure used by crypto-miners.  |  Egress  |  IPs, domains  | 

# Working with active threat defense indicators in Amazon GuardDuty
<a name="nwfw-atd-guardduty-use-case"></a>

If you use Amazon GuardDuty, you can strengthen your security by using the active threat defense managed rule group to automatically block the threats that Amazon GuardDuty detects. Amazon GuardDuty can generate findings with the threat list name `Amazon Active Threat Defense`. You can block these threats by implementing the `AttackInfrastructure` active threat defense rule group in your Network Firewall firewall policy.

**Note**  
The active threat defense managed rule group can block threats regardless of whether you use Amazon GuardDuty. This information is relevant only if you already use Amazon GuardDuty for threat detection.

The following Amazon GuardDuty finding types may indicate threats that the active threat defense managed rule group can block:

Command and control related findings  
+ Backdoor:EC2/C&CActivity.B
+ Backdoor:EC2/C&CActivity.B!DNS
+ Backdoor:Lambda/C&CActivity.B
+ Backdoor:Runtime/C&CActivity.B
+ Backdoor:Runtime/C&CActivity.B!DNS

Cryptocurrency related findings  
+ CryptoCurrency:EC2/BitcoinTool.B
+ CryptoCurrency:EC2/BitcoinTool.B!DNS
+ CryptoCurrency:Lambda/BitcoinTool.B
+ CryptoCurrency:Runtime/BitcoinTool.B
+ CryptoCurrency:Runtime/BitcoinTool.B!DNS
+ Impact:EC2/BitcoinDomainRequest.Reputation

Other threat findings  
+ Trojan:EC2/BlackholeTraffic!DNS
+ Trojan:Runtime/BlackholeTraffic!DNS
+ UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
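
To check which GuardDuty findings in an account the `AttackInfrastructure` rule group would cover, the following added Python example (not from this guide or from AWS) keeps only findings that carry the `Amazon Active Threat Defense` threat list name and one of the finding types listed above, and pulls out the domain or IP indicator each one hit. The GetFindings field names it reads (`Service.Evidence.ThreatIntelligenceDetails`, `Service.Action.DnsRequestAction.Domain`, `Service.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4`) and the sample findings are assumptions constructed here.

```python
from typing import Any, Dict, List, Optional

ATD_THREAT_LIST = "Amazon Active Threat Defense"
# Finding types listed on this page, keyed by the page's own headings.
ATD_FINDING_GROUPS = {
    "Command and control related": {
        "Backdoor:EC2/C&CActivity.B", "Backdoor:EC2/C&CActivity.B!DNS", "Backdoor:Lambda/C&CActivity.B",
        "Backdoor:Runtime/C&CActivity.B", "Backdoor:Runtime/C&CActivity.B!DNS"},
    "Cryptocurrency related": {
        "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "CryptoCurrency:Lambda/BitcoinTool.B", "CryptoCurrency:Runtime/BitcoinTool.B",
        "CryptoCurrency:Runtime/BitcoinTool.B!DNS", "Impact:EC2/BitcoinDomainRequest.Reputation"},
    "Other threat": {
        "Trojan:EC2/BlackholeTraffic!DNS", "Trojan:Runtime/BlackholeTraffic!DNS",
        "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"},
}
_GROUP_BY_TYPE = {t: g for g, types in ATD_FINDING_GROUPS.items() for t in types}


def atd_indicator(finding: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Indicator hit by an ATD finding of a listed type, else None (GetFindings field names assumed)."""
    group = _GROUP_BY_TYPE.get(finding.get("Type", ""))
    if group is None:
        return None
    service = finding.get("Service", {})
    lists = service.get("Evidence", {}).get("ThreatIntelligenceDetails", [])
    if not any(d.get("ThreatListName") == ATD_THREAT_LIST for d in lists):
        return None  # matched some other threat list; the ATD rule group may not cover it
    action = service.get("Action", {})
    if action.get("ActionType") == "DNS_REQUEST":
        kind, value = "domain", action.get("DnsRequestAction", {}).get("Domain")
    else:
        kind, value = "ip", action.get("NetworkConnectionAction", {}).get("RemoteIpDetails", {}).get("IpAddressV4")
    return {"id": finding.get("Id"), "group": group, "kind": kind, "indicator": value}


def triage(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only the findings the ATD rule group can block, with the indicator each one hit."""
    return [h for h in map(atd_indicator, findings) if h is not None]


def _svc(list_name: str, **action: Any) -> Dict[str, Any]:  # Service subtree for the samples below
    return {"Evidence": {"ThreatIntelligenceDetails": [{"ThreatListName": list_name}]}, "Action": action}


# Constructed sample findings (documentation-reserved names and addresses, not real indicators).
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Service": _svc(ATD_THREAT_LIST,
        ActionType="DNS_REQUEST", DnsRequestAction={"Domain": "c2.example.com"})},
    {"Id": "f-2", "Type": "CryptoCurrency:EC2/BitcoinTool.B", "Service": _svc(ATD_THREAT_LIST,
        ActionType="NETWORK_CONNECTION", NetworkConnectionAction={"RemoteIpDetails": {"IpAddressV4": "192.0.2.10"}})},
    {"Id": "f-3", "Type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "Service": _svc("MyCustomList",
        ActionType="NETWORK_CONNECTION", NetworkConnectionAction={"RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}})},
]
```

Findings that match a custom or third-party threat list (such as `f-3`) are reported with the same finding type but are left out, since only the `Amazon Active Threat Defense` list is known to line up with the rule group.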

For more information about Amazon GuardDuty finding types, see [Active findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) in the *Amazon GuardDuty User Guide*.