Behavior

Bypassing the GuardDuty Behavior checks can also be rather simple.

To bypass the Behavior:EC2/NetworkPortUnusual finding, which triggers when an EC2 instance communicates with a remote host on an unusual port, we just need to ensure that any malware command and control we are doing uses a common port, such as 80 (HTTP) or 443 (HTTPS), rather than some random high-numbered port.

The Behavior:EC2/TrafficVolumeUnusual GuardDuty finding triggers when an unusually large amount of network traffic is sent to a remote host. As a defender, this could be an indication of data exfiltration from within your internal network. As an attacker, we could bypass this finding when exfiltrating data by limiting our outbound bandwidth, so that there is never a high volume of traffic at once. Instead, there will be a small amount of traffic spread over an extended period of time.
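The two findings above are each keyed to a single signal (an unusual destination port, or a burst of volume), which is exactly why the evasions described work. As an added example that is not from the book, the detector below runs over constructed VPC-flow-log-style records and shows what a defender needs on top of those signals: a cumulative per-destination byte count over a long horizon, which catches traffic spread thinly over time on port 443 that a sliding-window burst check misses. The record format, the byte thresholds, the window sizes and the "common port" baseline set are all assumptions made for this illustration; GuardDuty's real baselines and thresholds are not public.

```python
"""Illustrative burst vs. low-and-slow outbound volume detection.

Added example, not from the book. Runs over constructed flow records shaped
loosely like VPC flow log fields; all thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed baseline of "expected" destination ports for this workload.
COMMON_PORTS = {80, 443}

# Assumed detection parameters (constructed for the example).
BURST_WINDOW_SECONDS = 300            # 5-minute sliding window
BURST_THRESHOLD_BYTES = 20_000_000    # 20 MB in any one window
CUMULATIVE_THRESHOLD_BYTES = 100_000_000  # 100 MB total per destination


@dataclass(frozen=True)
class FlowRecord:
    start: int        # epoch seconds when the flow started
    src: str          # internal source address
    dst: str          # remote destination address
    dstport: int      # destination port
    bytes_out: int    # bytes sent src -> dst


def peak_window_bytes(records, dst, window=BURST_WINDOW_SECONDS):
    """Largest byte total sent to `dst` inside any `window`-second sliding window."""
    times = sorted((r.start, r.bytes_out) for r in records if r.dst == dst)
    best = total = lo = 0
    for hi, (t_hi, b_hi) in enumerate(times):
        total += b_hi
        # Drop records that have fallen out of the window ending at t_hi.
        while t_hi - times[lo][0] >= window:
            total -= times[lo][1]
            lo += 1
        best = max(best, total)
    return best


def total_bytes_by_dst(records):
    """Cumulative bytes per destination over the whole record set (the 'horizon')."""
    totals = defaultdict(int)
    for r in records:
        totals[r.dst] += r.bytes_out
    return dict(totals)


def classify(records):
    """Map each destination to the list of rules it trips, in a fixed rule order.

    rare_port     - any flow to a port outside the assumed COMMON_PORTS baseline
    burst         - peak sliding-window volume above BURST_THRESHOLD_BYTES
    low_and_slow  - cumulative volume above CUMULATIVE_THRESHOLD_BYTES,
                    regardless of how evenly it was spread out
    """
    totals = total_bytes_by_dst(records)
    ports = defaultdict(set)
    for r in records:
        ports[r.dst].add(r.dstport)

    report = {}
    for dst in sorted(totals):
        hits = []
        if ports[dst] - COMMON_PORTS:
            hits.append("rare_port")
        if peak_window_bytes(records, dst) > BURST_THRESHOLD_BYTES:
            hits.append("burst")
        if totals[dst] > CUMULATIVE_THRESHOLD_BYTES:
            hits.append("low_and_slow")
        if hits:
            report[dst] = hits
    return report


def constructed_records():
    """Constructed sample data: one burst, one low-and-slow stream, one benign stream."""
    base = 1_700_000_000
    recs = []
    # Burst: 5 x 10 MB within 10 seconds to a rare port (8443).
    for i in range(5):
        recs.append(FlowRecord(base + 2 * i, "10.0.1.5", "198.51.100.7", 8443, 10_000_000))
    # Low and slow: 1 MB every 60 s for two hours, over port 443 (120 MB total).
    for i in range(120):
        recs.append(FlowRecord(base + 60 * i, "10.0.1.5", "203.0.113.9", 443, 1_000_000))
    # Benign: 10 KB every 10 minutes over port 443.
    for i in range(12):
        recs.append(FlowRecord(base + 600 * i, "10.0.1.5", "203.0.113.50", 443, 10_000))
    return recs


if __name__ == "__main__":
    for dst, rules in classify(constructed_records()).items():
        print(f"{dst}: {', '.join(rules)}")
```

Running the block shows the gap the passage describes: the 8443 burst trips both the port and the burst rule, while the 443 stream that never exceeds 5 MB in any five-minute window is only surfaced by the cumulative count. The horizon length is what a defender tunes; a stream throttled below the per-window threshold still has to add up to the full data set eventually.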
