Bypass GuardDuty Pentest Findings

When making AWS API requests on common penetration testing OS’s GuardDuty will detect this and trigger a PenTest Finding.

This is caused by the user agent name that is passed in the API request. By modifying that we can prevent GuardDuty from detecting that we are operating from a “pentest” Linux distribution.

If your assessment requires you to remain undetected it’s probably easier to leverage a “safe” OS like Ubuntu, Mac OS, or Windows.

To do this, identify the location of your session.py in the botocore package. For example, on a default Kali Linux install it can be found at /usr/local/lib/python3.7/dist-packages/botocore/session.py.

On line 456 (at the time of writing), you should see the following.

lines

platform.system() and platform.release() are similar to uname -o and uname -r. On a stock Kali install it will generate the following values.

example

To get around this, modify the code and replace it with legitimate user agent strings like those found in Pacu. With this capability you can mask your user agent to look like anything you want. Even arbitrary values like below.

modified