Trojan
Most of the findings in the Trojan category of GuardDuty can be avoided simply by never communicating with known-bad IP addresses and domains, which is easy to do. One finding, Trojan:EC2/DNSDataExfiltration, is a bit different: it triggers when an EC2 instance is detected exfiltrating data through DNS queries. To avoid it, we can simply decide against DNS data exfiltration as our method while inside a compromised EC2 instance.
Also, as discussed previously, GuardDuty can only read DNS logs for requests that go through the AWS-provided DNS resolvers. It might be possible to customize your malware to use an alternate DNS resolver (other than the EC2 default of the AWS DNS server) for your DNS exfiltration, which would completely bypass ...
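The flip side of that bypass, from the defender's seat: DNS sent to a non-AWS resolver never reaches GuardDuty's DNS log source, but the UDP/TCP port-53 flows themselves still show up in VPC Flow Logs. The script below is an added example, not code from the book; it filters constructed flow-log records for port-53 traffic to any destination other than the Amazon-provided resolvers (the VPC base address +2 and 169.254.169.253) and ranks the hits by bytes, since exfiltration over DNS tends to be far chattier than ordinary name resolution. The VPC CIDR, interface IDs and addresses are assumptions made up for the sample.

```python
import ipaddress
from typing import Iterable

# Constructed sample VPC Flow Log records in the default v2 format:
# version account-id interface-id srcaddr dstaddr srcport dstport
# protocol packets bytes start end action log-status
# Note: AWS documents that flow logs omit traffic to the Amazon DNS
# server, so on a real log nearly every port-53 flow is already a hit;
# the resolver records are included here only to show the filter skips them.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.0.2 51234 53 17 4 312 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 169.254.169.253 51235 53 17 2 150 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 8.8.8.8 51236 53 17 120 18904 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 51237 53 6 340 51233 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 51238 443 6 10 2048 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.0.2 51239 53 17 3 200 1600000000 1600000060 REJECT OK
"""

VPC_CIDR = "10.0.0.0/16"  # assumption: the VPC the instance lives in
AWS_DNS_LINK_LOCAL = ipaddress.ip_address("169.254.169.253")


def amazon_provided_dns(vpc_cidr: str) -> set:
    """Resolver addresses whose queries GuardDuty can see: the VPC
    base address +2 and the link-local alias 169.254.169.253."""
    net = ipaddress.ip_network(vpc_cidr)
    return {net.network_address + 2, AWS_DNS_LINK_LOCAL}


def parse_record(line: str) -> dict:
    """Split one default-format flow-log record into the fields we need."""
    f = line.split()
    return {
        "src": ipaddress.ip_address(f[3]),
        "dst": ipaddress.ip_address(f[4]),
        "dstport": int(f[6]),
        "proto": int(f[7]),      # 17 = UDP, 6 = TCP (DNS over TCP counts too)
        "bytes": int(f[9]),
        "action": f[12],
    }


def find_external_dns(lines: Iterable[str], vpc_cidr: str) -> list:
    """Return port-53 flows whose destination is not an Amazon resolver."""
    allowed = amazon_provided_dns(vpc_cidr)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_record(line)
        if r["dstport"] != 53 or r["proto"] not in (6, 17):
            continue
        if r["dst"] in allowed:
            continue
        hits.append(r)
    return hits


def rank_by_bytes(hits: list) -> list:
    """Aggregate bytes per external resolver, largest talkers first."""
    totals = {}
    for r in hits:
        totals[str(r["dst"])] = totals.get(str(r["dst"]), 0) + r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    found = find_external_dns(SAMPLE_FLOW_LOG.splitlines(), VPC_CIDR)
    for dst, total in rank_by_bytes(found):
        print(f"{dst:16} {total:>8} bytes on port 53 outside AWS DNS")
```

The 443 record is left alone on purpose: the same trick over DNS-over-HTTPS looks like any other TLS session in flow logs, so this check only closes the plain port-53 gap. A security-group or network ACL rule that blocks outbound 53 to anything but the VPC resolver removes the bypass outright.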