From aeae6ccac3c1a3b9deb36c5cef5a959690863d4c Mon Sep 17 00:00:00 2001 From: Nick Frichette <10386884+Frichetten@users.noreply.github.com> Date: Mon, 11 Nov 2024 21:00:45 -0600 Subject: [PATCH] Update guardduty-pentest.md Added a better example --- content/aws/avoiding-detection/guardduty-pentest.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/aws/avoiding-detection/guardduty-pentest.md b/content/aws/avoiding-detection/guardduty-pentest.md index 6624ea50..142f5e09 100644 --- a/content/aws/avoiding-detection/guardduty-pentest.md +++ b/content/aws/avoiding-detection/guardduty-pentest.md 
@@ -11,7 +11,7 @@ description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardD As a cloud Penetration Tester or Red Teamer, we need to be aware of what artifacts we leave behind in the logs that we touch. One easy to overlook clue is the User-Agent value passed in AWS API requests. When using the AWS [CLI](https://aws.amazon.com/cli/) or [SDK](https://aws.amazon.com/tools/) to interact with AWS services, the User-Agent string is passed in the headers of the HTTP request. This string can be used to identify the tool or library making the request. -This can give away the operating system you are using and may raises suspicion from defenders. For example, say you steal credentials from an EC2 instance running Linux and suddenly start making requests from a Mac. This suspicious activity could be noticed by automation and an alarm could be raised. +This can give away the operating system you are using and may raises suspicion from defenders. For example, say you steal credentials from a developer workstation running MacOS and suddenly start making requests from a Windows machine. This suspicious activity could be noticed by automation and an alarm could be raised. This is where AWS [GuardDuty](https://aws.amazon.com/guardduty/) comes in. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. GuardDuty takes this idea a step further and has built-in detections for common penetration testing Linux distributions like Kali Linux, ParrotOS, and Pentoo Linux. If you make AWS API requests from one of these distributions, GuardDuty will trigger a [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux). 
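Review bot: the rewritten sentence in this hunk still carries the pre-existing grammatical error "may raises suspicion"; since the line is being changed anyway, make it "may raise suspicion". While here, Apple styles the OS name "macOS", so "a developer workstation running macOS" reads better than "MacOS".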
@@ -66,4 +66,4 @@ Regardless of the method you choose, after making a request to the AWS API you s ![User-Agent string in CloudTrail logs](../../images/aws/avoiding-detection/guardduty-pentest/example-cloudtrail-log.png){ loading=lazy } -With all of this in place, you can now make requests to the AWS API using the CLI without triggering GuardDuty alerts. \ No newline at end of file +With all of this in place, you can now make requests to the AWS API using the CLI without triggering GuardDuty alerts.
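Review bot: this hunk only restores the missing trailing newline at the end of the file, which is unrelated to the "better example" the commit message describes; worth a short mention in the commit message (for example "also add missing newline at EOF") so the intent of the second hunk is clear to anyone reading the history.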