Update guardduty-pentest.md #430

Merged
4 changes: 2 additions & 2 deletions content/aws/avoiding-detection/guardduty-pentest.md
Expand Up @@ -11,7 +11,7 @@ description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardD

As a cloud Penetration Tester or Red Teamer, we need to be aware of what artifacts we leave behind in the logs that we touch. One easy to overlook clue is the User-Agent value passed in AWS API requests. When using the AWS [CLI](https://aws.amazon.com/cli/) or [SDK](https://aws.amazon.com/tools/) to interact with AWS services, the User-Agent string is passed in the headers of the HTTP request. This string can be used to identify the tool or library making the request.

This can give away the operating system you are using and may raises suspicion from defenders. For example, say you steal credentials from an EC2 instance running Linux and suddenly start making requests from a Mac. This suspicious activity could be noticed by automation and an alarm could be raised.
This can give away the operating system you are using and may raises suspicion from defenders. For example, say you steal credentials from a developer workstation running MacOS and suddenly start making requests from a Windows machine. This suspicious activity could be noticed by automation and an alarm could be raised.

This is where AWS [GuardDuty](https://aws.amazon.com/guardduty/) comes in. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. GuardDuty takes this idea a step further and has built-in detections for common penetration testing Linux distributions like Kali Linux, ParrotOS, and Pentoo Linux. If you make AWS API requests from one of these distributions, GuardDuty will trigger a [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux).
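Review bot: the rewritten sentence on the added line carries over the grammatical error from the line it replaces, "may raises suspicion"; since the line is being touched anyway, change it to "may raise suspicion", and write Apple's OS name as "macOS" rather than "MacOS". The new example itself is a good fit for the paragraph: moving from a macOS developer workstation to a Windows machine is exactly the operating-system change the preceding sentence says the User-Agent string gives away, whereas the old EC2-to-Mac example was less clearly about the User-Agent.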

Expand Down Expand Up @@ -66,4 +66,4 @@ Regardless of the method you choose, after making a request to the AWS API you s
![User-Agent string in CloudTrail logs](../../images/aws/avoiding-detection/guardduty-pentest/example-cloudtrail-log.png){ loading=lazy }
</figure>

With all of this in place, you can now make requests to the AWS API using the CLI without triggering GuardDuty alerts.
With all of this in place, you can now make requests to the AWS API using the CLI without triggering GuardDuty alerts.
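Review bot: the removed and added lines in this hunk are identical, so the only change is the presence or absence of a newline at end of file (the rendered view does not show which side lacks it). Either drop this hunk from the PR to avoid diff noise, or keep it only if it restores a single trailing newline, which is what most linters and editors expect for a text file.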