Posted On: Apr 10, 2023

Amazon GuardDuty adds three new threat detections that flag suspicious DNS traffic indicative of attempts by malicious actors to evade detection while performing activities such as exfiltrating data or letting malware communicate with its command and control (C2) servers.

The newly added finding types are:

  1. DefenseEvasion:EC2/UnusualDNSResolver
  2. DefenseEvasion:EC2/UnusualDoHActivity
  3. DefenseEvasion:EC2/UnusualDoTActivity

Amazon GuardDuty monitors DNS traffic from EC2 instances that use the Amazon-provided DNS resolvers to detect potentially malicious activity. Malicious actors may try to escape that visibility by pointing instances at external DNS providers, or by carrying DNS over HTTPS (DoH) or over TLS (DoT) so that the queries never reach the Amazon resolvers. The three new finding types cover these cases: GuardDuty learns the expected DNS traffic patterns for the AWS environment and alerts only when activity deviates from them in a way that is indicative of potential malicious activity.
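
To make concrete what "bypassing the Amazon resolver" looks like on the wire, here is an added example that is not GuardDuty's own detection logic (AWS does not publish it) and is not code from the original announcement. It scans constructed VPC Flow Log records in the default format, classifies DNS-related traffic into the three new finding types, and applies a simple learned baseline so that only resolver usage not seen during a learning window is reported. The VPC CIDR, the DoH endpoint list, the sample records and the baseline cutoff are assumptions made for illustration; in particular, DoH rides on TCP 443 and can only be recognised here by destination address.

```python
"""Toy detector for the DNS evasion patterns described above.

Added illustration only: GuardDuty's real detection logic is not public.
Scans VPC Flow Log records (default format) and reports DNS traffic that
bypasses the Amazon-provided resolver, once it falls outside a learned baseline.
"""
from collections import namedtuple
from ipaddress import ip_network

# Assumption: the VPC's CIDR. The Amazon-provided resolver answers at the VPC
# base address plus two (10.0.0.2 here) and at the link-local 169.254.169.253.
VPC_CIDR = ip_network("10.0.0.0/16")
AMAZON_RESOLVERS = {str(VPC_CIDR.network_address + 2), "169.254.169.253"}

# Assumption: a hand-picked set of public DoH endpoint addresses. DoH is plain
# TCP/443 on the wire, so flow logs can only recognise it by destination; a
# real deployment would use a maintained feed instead of this short list.
KNOWN_DOH_ENDPOINTS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

UDP, TCP = 17, 6
DNS_PORT, DOT_PORT, HTTPS_PORT = 53, 853, 443

Flow = namedtuple("Flow", "src dst dport proto start")


def parse_flow_log(line):
    """Parse one default-format (version 2, 14-field) VPC Flow Log record."""
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[3] == "-":
        return None  # NODATA/SKIPDATA records carry no addresses; skip them
    return Flow(src=f[3], dst=f[4], dport=int(f[6]), proto=int(f[7]), start=int(f[10]))


def classify(flow):
    """Map a flow to one of the three finding types, or None if it is ordinary."""
    if flow.dport == DNS_PORT and flow.proto in (UDP, TCP) and flow.dst not in AMAZON_RESOLVERS:
        return "DefenseEvasion:EC2/UnusualDNSResolver"
    if flow.dport == DOT_PORT and flow.proto == TCP:
        return "DefenseEvasion:EC2/UnusualDoTActivity"
    if flow.dport == HTTPS_PORT and flow.proto == TCP and flow.dst in KNOWN_DOH_ENDPOINTS:
        return "DefenseEvasion:EC2/UnusualDoHActivity"
    return None


def learn_baseline(lines, baseline_until):
    """Treat every (finding type, resolver) pair seen before the cutoff as expected."""
    expected = set()
    for line in lines:
        flow = parse_flow_log(line)
        if flow and flow.start < baseline_until:
            finding = classify(flow)
            if finding:
                expected.add((finding, flow.dst))
    return expected


def detect(lines, expected, baseline_until):
    """Return (finding type, src, dst) for post-cutoff flows outside the baseline."""
    findings = []
    for line in lines:
        flow = parse_flow_log(line)
        if not flow or flow.start < baseline_until:
            continue
        finding = classify(flow)
        if finding and (finding, flow.dst) not in expected:
            findings.append((finding, flow.src, flow.dst))
    return findings


# Constructed sample records: one hour of "learning" traffic (the instance is
# legitimately configured to also use 8.8.8.8), followed by an hour in which it
# talks to a new resolver, a DoT server, a DoH endpoint and an ordinary web host.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.2 52001 53 17 1 72 1680000000 1680000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 8.8.8.8 52002 53 17 1 72 1680000005 1680000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.2 52003 53 17 1 72 1680003600 1680003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 8.8.8.8 52004 53 17 1 72 1680003601 1680003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 52005 53 17 4 300 1680003602 1680003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 9.9.9.9 52006 853 6 12 2400 1680003603 1680003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 1.1.1.1 52007 443 6 20 4200 1680003604 1680003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.80 52008 443 6 20 4200 1680003605 1680003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1680003606 1680003660 - NODATA
""".splitlines()
BASELINE_UNTIL = 1680003600  # end of the learning window (epoch seconds), assumed


def run_example():
    """Learn from the first hour, then report what is new in the second."""
    expected = learn_baseline(SAMPLE_FLOW_LOGS, BASELINE_UNTIL)
    return detect(SAMPLE_FLOW_LOGS, expected, BASELINE_UNTIL)


if __name__ == "__main__":
    for finding, src, dst in run_example():
        print(f"{finding}: {src} -> {dst}")
```

Run it with `python3` and it reports three findings: the new resolver 198.51.100.7 on port 53, the DoT session to 9.9.9.9 on TCP 853, and the DoH session to 1.1.1.1 on TCP 443. The queries to 10.0.0.2 are never candidates, the baselined 8.8.8.8 resolver is suppressed, and the HTTPS flow to 203.0.113.80 is not reported because nothing distinguishes it from ordinary web traffic at this layer. Note that a flat set of (finding type, destination) pairs stands in for "learning expected patterns"; the page does not say how GuardDuty models the baseline, and GuardDuty itself does not rely on you enabling VPC Flow Logs for these findings.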

The new threat detections are available to all existing and new Amazon GuardDuty customers at no additional cost and require no action to activate. The finding type DefenseEvasion:EC2/UnusualDNSResolver is available in all Amazon GuardDuty supported regions. The DefenseEvasion:EC2/UnusualDoHActivity and DefenseEvasion:EC2/UnusualDoTActivity threat detections are available in all Amazon GuardDuty supported regions except AWS Asia Pacific (Osaka), AWS Asia Pacific (Jakarta), AWS Asia Pacific (Seoul), China (Beijing, operated by Sinnet), and China (Ningxia, operated by NWCD), which will be added at a later date.

Customers across industries and geographies use Amazon GuardDuty to protect their AWS environments, including over 90% of AWS's 2,000 largest customers. GuardDuty continuously monitors for malicious or unauthorized behavior to help protect your AWS resources. You can begin your 30-day free trial of Amazon GuardDuty with a single click in the AWS Management Console. To receive programmatic updates on new GuardDuty features and threat detections, subscribe to the Amazon GuardDuty SNS topic.