Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Why doesn't access from Kali Linux appear in GuardDuty

0

I have a Kali OS running as a docker container. From this I ssh into an Ubuntu machine which is a managed instance and is appearing in GuardDuty for the other tests i have done (Custom threat list)

I ssh into this ubuntu from kali linux. I queried the EC2 instances and S3 buckets from CLI.

But none of these activities appeared as suspicious in the AWS GuardDuty.

I was expecting it to come as a finding, as this could be a case of pilfered credentials used to access this AWS account from an attacker OS.

It should have at least picked up the S3 access in this category i think: PenTest:S3/KaliLinux

Themen
Sicherheit, Identität & Konformität
Tags
Amazon GuardDuty
Sprache
English
Manu Muraleedharan
gefragt vor 2 Monaten86 Aufrufe
1 Antwort
1

Are you running the AWS CLI commands from within the Ubuntu machine after SSH'ing into it? If so, based on the Amazon GuardDuty docs for PenTest:S3/KaliLinux, this sounds like expected behavior. In this case, the API requests are executing in the context of the Ubuntu instance and will appear to originate from that OS (not Kali).

If you're able to, you may want to try installing the AWS CLI in your Kali Linux container and query the S3 APIs from it directly. I would expect this approach to trigger the GuardDuty rules you're looking for in your testing.

AWS
mwdehn
beantwortet vor 2 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt