Merge pull request #430 from Hacking-the-Cloud/update/aws/avoiding-detection/guardduty-pentest-better-example

Update guardduty-pentest.md
Frichetten authored Nov 12, 2024
2 parents 2505d31 + aeae6cc commit 96d7524
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions content/aws/avoiding-detection/guardduty-pentest.md
@@ -11,7 +11,7 @@ description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardD

As a cloud Penetration Tester or Red Teamer, we need to be aware of what artifacts we leave behind in the logs that we touch. One easy to overlook clue is the User-Agent value passed in AWS API requests. When using the AWS [CLI](https://aws.amazon.com/cli/) or [SDK](https://aws.amazon.com/tools/) to interact with AWS services, the User-Agent string is passed in the headers of the HTTP request. This string can be used to identify the tool or library making the request.

This can give away the operating system you are using and may raises suspicion from defenders. For example, say you steal credentials from an EC2 instance running Linux and suddenly start making requests from a Mac. This suspicious activity could be noticed by automation and an alarm could be raised.
This can give away the operating system you are using and may raises suspicion from defenders. For example, say you steal credentials from a developer workstation running MacOS and suddenly start making requests from a Windows machine. This suspicious activity could be noticed by automation and an alarm could be raised.

This is where AWS [GuardDuty](https://aws.amazon.com/guardduty/) comes in. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. GuardDuty takes this idea a step further and has built-in detections for common penetration testing Linux distributions like Kali Linux, ParrotOS, and Pentoo Linux. If you make AWS API requests from one of these distributions, GuardDuty will trigger a [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux).

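Review bot: the grammatical slip "may raises suspicion" is carried over unchanged into the rewritten sentence on the added line; since this hunk already rewords that sentence, fix it to "may raise suspicion" in the same change, and use Apple's own styling "macOS" rather than "MacOS". The new example itself (credentials lifted from a macOS developer workstation, then used from a Windows machine) reads more naturally than the old EC2-to-Mac one and matches the User-Agent point the surrounding paragraph is making.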
@@ -66,4 +66,4 @@ Regardless of the method you choose, after making a request to the AWS API you s
![User-Agent string in CloudTrail logs](../../images/aws/avoiding-detection/guardduty-pentest/example-cloudtrail-log.png){ loading=lazy }
</figure>

With all of this in place, you can now make requests to the AWS API using the CLI without triggering GuardDuty alerts.
With all of this in place, you can now make requests to the AWS API using the CLI without triggering GuardDuty alerts.
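Review bot: the removed and added lines in this hunk are textually identical, so the only difference is invisible here (trailing whitespace or a newline at end of file). That is fine to include, but the commit message "Update guardduty-pentest.md" does not say so; a one-line note, or squashing the whitespace fix into the wording change, would keep this hunk from looking like a no-op to the next person reading the history.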
