Why doesn't access from Kali Linux appear in GuardDuty


I have a Kali OS running as a docker container. From this I ssh into an Ubuntu machine which is a managed instance and is appearing in GuardDuty for the other tests i have done (Custom threat list)

I ssh into this ubuntu from kali linux. I queried the EC2 instances and S3 buckets from CLI.

But none of these activities appeared as suspicious in the AWS GuardDuty.

I was expecting it to come as a finding, as this could be a case of pilfered credentials used to access this AWS account from an attacker OS.

It should have at least picked up the S3 access in this category i think: PenTest:S3/KaliLinux

asked 2 months ago109 views
1 Answer

Are you running the AWS CLI commands from within the Ubuntu machine after SSH'ing into it? If so, based on the Amazon GuardDuty docs for PenTest:S3/KaliLinux, this sounds like expected behavior. In this case, the API requests are executing in the context of the Ubuntu instance and will appear to originate from that OS (not Kali).

If you're able to, you may want to try installing the AWS CLI in your Kali Linux container and query the S3 APIs from it directly. I would expect this approach to trigger the GuardDuty rules you're looking for in your testing.

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions