
Add article: bypass GuardDuty pentest findings via botocore user-agent #503

Merged
Frichetten merged 1 commit into Hacking-the-Cloud:main from raajheshkannaa:feat/guardduty-useragent-bypass
Apr 6, 2026

Conversation

@raajheshkannaa (Contributor)

Closes #453

Summary

  • New article covering how GuardDuty detects pentest distros via user-agent strings in CloudTrail
  • Technique: patching boto3 session user_agent fields to strip OS identifiers
  • Working Python code example
  • Limitations section: SDK only, relies on botocore internals, user-agent is one of many signals
  • Detection guidance for defenders: baseline user-agent patterns, treat field as attacker-controlled
  • mkdocs build passes cleanly

Test plan

  • Article renders correctly with mkdocs
  • Code examples are syntactically valid Python
  • Limitations and detection sections provide balanced coverage
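The PR summary above lists the defender-side guidance the article carries: baseline user-agent patterns per principal and treat the field as attacker-controlled. The following is an added example written for this page, not code from the PR or from the Hacking the Cloud article. It runs a small triage pass over CloudTrail-style records and flags the userAgent field for three reasons: a pentest-distro OS identifier (Kali, Parrot, Pentoo) in the string, an SDK user agent that carries no OS segment at all (which is what stripping the OS identifiers from a boto3 session leaves behind), and a user agent not in the baseline for that principal. The record layout, the user-agent strings and the baseline are constructed for the example and approximate the botocore and AWS CLI formats; they are not copied from real logs.

```python
"""
Added example (not part of the PR or the article): CloudTrail userAgent triage.

The user-agent header is set by the caller, so this is an enrichment signal for
analysts, never a sole trigger: a clean-looking string is not evidence of a
legitimate client, and an anomalous one still needs the surrounding events
(source IP, API calls, principal history) to become a finding.
"""
import re

# GuardDuty's PenTest findings key on these distro names in the user agent.
PENTEST_OS = re.compile(r"kali|parrot|pentoo", re.IGNORECASE)

# User agents produced by the AWS SDKs and CLI (prefixes as observed in practice;
# treat the list as an assumption to extend for your environment).
SDK_PREFIX = re.compile(r"^(Boto3/|Botocore/|aws-cli/|aws-sdk-)")

# An OS segment: "os/<name>" in the ua/2.0 layout or "<OS>/<version>" in the
# legacy layout. SDK user agents normally carry one of these.
OS_SEGMENT = re.compile(r"(?:\bos/[a-z]+|(?:Linux|Darwin|Windows|macOS)/)", re.IGNORECASE)

# Constructed baseline: user agents previously observed for each principal.
BASELINE_CLI_UA = (
    "aws-cli/2.15.0 md/awscrt#0.19.19 ua/2.0 os/linux#6.1.0-amd64 "
    "md/arch#x86_64 lang/python#3.11.6"
)
BASELINE = {
    "arn:aws:iam::123456789012:user/alice": {BASELINE_CLI_UA},
}

# Constructed CloudTrail-style records, reduced to the fields the check reads.
SAMPLE_RECORDS = [
    {"eventID": "ev-1", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "userAgent": BASELINE_CLI_UA},
    {"eventID": "ev-2", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0-kali5-amd64 "
                  "exe/x86_64.kali.2023 prompt/off command/s3api.list-buckets"},
    {"eventID": "ev-3", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     # Constructed: a boto3 ua/2.0 string with the os/ segment absent.
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 md/arch#x86_64 "
                  "lang/python#3.11.6 md/pyimpl#CPython Botocore/1.34.0"},
    {"eventID": "ev-4", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux#6.1.0-amd64 "
                  "md/arch#x86_64 lang/python#3.11.6 Botocore/1.34.0"},
]


def triage_user_agent(record, baseline):
    """Return the list of reasons this record's userAgent deserves a look."""
    ua = record.get("userAgent", "")
    principal = record.get("userIdentity", {}).get("arn", "unknown")
    reasons = []
    if PENTEST_OS.search(ua):
        reasons.append("pentest-distro-os")
    # An SDK user agent with no OS segment is the shape left behind when the
    # OS identifiers are removed from the session's user_agent fields.
    if SDK_PREFIX.match(ua) and not OS_SEGMENT.search(ua):
        reasons.append("sdk-ua-missing-os-segment")
    if ua not in baseline.get(principal, set()):
        reasons.append("ua-not-in-baseline")
    return reasons


def triage(records, baseline):
    """Run the check over a batch of records and keep only those with reasons."""
    findings = []
    for record in records:
        reasons = triage_user_agent(record, baseline)
        if reasons:
            findings.append({
                "eventID": record.get("eventID"),
                "principal": record.get("userIdentity", {}).get("arn", "unknown"),
                "eventName": record.get("eventName"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, BASELINE):
        print(finding["eventID"], finding["principal"], finding["eventName"],
              ", ".join(finding["reasons"]))
```

The baseline comparison is deliberately exact-match on the full string; in production the baseline would be built from a trailing window of CloudTrail events per principal, and the "missing OS segment" rule should be tuned against the SDK versions actually in use, since its value is in surfacing strings that differ from what those SDKs emit by default.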

@raajheshkannaa force-pushed the feat/guardduty-useragent-bypass branch from 7d66fbc to 3c9c865 on March 24, 2026 20:41
Covers overriding the botocore user-agent string in boto3 to avoid
triggering GuardDuty PenTest findings (Kali, Parrot, Pentoo) without
needing an intercepting proxy. Includes code example, limitations,
and detection guidance for defenders.

Closes Hacking-the-Cloud#453
@raajheshkannaa force-pushed the feat/guardduty-useragent-bypass branch from 3c9c865 to fcc6f85 on April 1, 2026 02:01

@Frichetten (Contributor)

Hey Raajesh, my apologies! I completely missed this PR. Looks good to me, as long as the CI passes I will merge. Thank you again for your time submitting!

@Frichetten Frichetten merged commit 51a15d6 into Hacking-the-Cloud:main Apr 6, 2026
1 check passed

Development

Successfully merging this pull request may close these issues.

Bypass GuardDuty Pentest Findings for the AWS CLI - Botocore method.

2 participants