GuardDuty is the default-on threat-detection service in AWS — and sophisticated adversaries actively engineer their operations to avoid triggering its findings. This article catalogues nine specific evasion techniques observed in cloud incident response, and ships the hunt patterns that surface the silence itself.
Adversaries are increasingly weaponising AWS KMS for ransomware — encrypting victim data with attacker-controlled keys, modifying key policies to lock out the legitimate owner, and using grant tokens for stealth access. This hunt playbook covers the techniques, the detection logic, and the response actions for KMS-mediated ransomware.
CloudTrail is the cornerstone of AWS threat detection — but it has structural blind spots adversaries deliberately exploit. This guide maps 12 places CloudTrail does not log by default, the techniques that abuse each gap, and the compensating hunt patterns that fill the visibility hole.
A 2026 threat hunting playbook with seven battle-tested Sigma rules, a MITRE ATT&CK coverage matrix, and success metrics for SOC analysts, threat hunters, and detection engineers. Hunt the techniques, not the indicators.
A practitioner’s guide to the minimum viable cloud log set: CloudTrail, identity, and DNS at tier one. Includes a coverage matrix across AWS, Azure, and GCP plus cost trade-offs.