diff --git a/content/aws/avoiding-detection/guardduty-pentest.md b/content/aws/avoiding-detection/guardduty-pentest.md index 1ac82fb58..6624ea50f 100644 --- a/content/aws/avoiding-detection/guardduty-pentest.md +++ b/content/aws/avoiding-detection/guardduty-pentest.md 
@@ -1,86 +1,69 @@ --- author_name: Nick Frichette -title: Bypass GuardDuty Pentest Findings -description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string. -hide: - - toc +title: Bypass GuardDuty Pentest Findings for the AWS CLI +description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string when using the AWS CLI. --- -# Bypass GuardDuty Pentest Findings +# Bypass GuardDuty Pentest Findings for the AWS CLI -When making AWS API requests on common penetration testing OS's GuardDuty will detect this and trigger a [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux). +!!! success "Thank You" + Thank you to [@yobroda](https://x.com/itsyobroda) for notifying me that the previous method in this article was outdated and suggesting a more reliable, long-term solution. -This is caused by the user agent name that is passed in the API request. By modifying that we can prevent GuardDuty from detecting that we are operating from a "pentest" Linux distribution. +As a cloud Penetration Tester or Red Teamer, we need to be aware of what artifacts we leave behind in the logs that we touch. One easy to overlook clue is the User-Agent value passed in AWS API requests. When using the AWS [CLI](https://aws.amazon.com/cli/) or [SDK](https://aws.amazon.com/tools/) to interact with AWS services, the User-Agent string is passed in the headers of the HTTP request. This string can be used to identify the tool or library making the request. -!!! Warning - If your assessment requires you to remain undetected it's probably easier to leverage a "safe" OS like Ubuntu, Mac OS, or Windows. +This can give away the operating system you are using and may raises suspicion from defenders. For example, say you steal credentials from an EC2 instance running Linux and suddenly start making requests from a Mac. 
This suspicious activity could be noticed by automation and an alarm could be raised. -To do this, identify the location of your ```session.py``` in the ```botocore``` package. For example, on a default Kali Linux install it can be found at ```/usr/lib/python3/dist-packages/awscli/botocore/session.py```. +This is where AWS [GuardDuty](https://aws.amazon.com/guardduty/) comes in. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. GuardDuty takes this idea a step further and has built-in detections for common penetration testing Linux distributions like Kali Linux, ParrotOS, and Pentoo Linux. If you make AWS API requests from one of these distributions, GuardDuty will trigger a [PenTest Finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux). -On line [456](https://github.com/boto/botocore/blob/7de36c07ecec503f588ac27658b1795e83b67b75/botocore/session.py#L456) (at the time of writing), you should see the following. +As you can imagine, this is not ideal. The good news is that the User-Agent string is entirely within our control. While this value is unfortunately something we cannot [natively](https://github.com/aws/aws-cli/issues/3990) configure with the AWS CLI, we can use external tooling to intercept our requests and modify them. In this article, we will explain how we can modify our User-Agent string when using the AWS CLI to avoid triggering GuardDuty alerts. -``` py - if truncate: - return '%s/%s' % (self.user_agent_name, self.user_agent_version) - base = '%s/%s Python/%s %s/%s' % (self.user_agent_name, - self.user_agent_version, - platform.python_version(), - platform.system(), - platform.release()) - if os.environ.get('AWS_EXECUTION_ENV') is not None: - base += ' exec-env/%s' % os.environ.get('AWS_EXECUTION_ENV') - if self.user_agent_extra: - base += ' %s' % self.user_agent_extra +!!! 
Note + In the following example we will use Burp Suite because it is freely available and commonly used. If you have an alternative suggestion, please open a pull request to add it. - return base -``` +## Burp Suite Setup and Usage -To get around this, modify the code and replace it with legitimate user agent strings like those found in [Pacu](https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/user_agents.txt). With this capability you can mask your user agent to look like anything you want. Even arbitrary values like below. - -``` py hl_lines="12 13" - if truncate: - return '%s/%s' % (self.user_agent_name, self.user_agent_version) - base = '%s/%s Python/%s %s/%s' % (self.user_agent_name, - self.user_agent_version, - platform.python_version(), - platform.system(), - platform.release()) - if os.environ.get('AWS_EXECUTION_ENV') is not None: - base += ' exec-env/%s' % os.environ.get('AWS_EXECUTION_ENV') - if self.user_agent_extra: - base += ' %s' % self.user_agent_extra - # Use any user-agent you wish for detection avoidance. - base = "Boto3/1.9.106 Python/3.6.7 Linux/4.15.0-48-generic Botocore/1.12.156" - - return base -``` +To begin, [download](https://portswigger.net/burp/communitydownload) and install Burp Suite Community Edition. With it running, navigate to the Proxy tab and click `Proxy settings`. + +Next, scroll to `HTTP match and replace rules`:
- ![lines](../../images/aws/avoiding-detection/guardduty-pentest/lines.jpg){ loading=lazy } + ![HTTP match and replace rules](../../images/aws/avoiding-detection/guardduty-pentest/match-and-replace.png){ loading=lazy }
-```platform.system()``` and ```platform.release()``` are similar to ```uname -o``` and ```uname -r```. On a stock Kali install it will generate the following values. +From here, click `Add` and enter the following values: + +- Type: `Request header` +- Match: `^User-Agent.*$` +- Regex match: Should be checked +- Replace: This can be any string of your choosing. Ensure you preprend `User-Agent: ` to the beginning of the string. For a list of potential User-Agent values, you can refer to this list from [Pacu](https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/user_agents.txt). + +Click `Test` to see an example of what your change would look like.
- ![example](../../images/aws/avoiding-detection/guardduty-pentest/example.png){ loading=lazy } + ![New match and replace rule](../../images/aws/avoiding-detection/guardduty-pentest/add-new-rule.png){ loading=lazy }
-## Validation +To finish, click `OK`. To ensure your new rule is enabled, scroll to the bottom of your match and replace rules. -Base Kali user-agent output example: +Next, we need to configure our AWS CLI to use Burp Suite as a proxy. This can be done by setting the `HTTP_PROXY` and `HTTPS_PROXY` environment variables. For example: +```bash +export HTTPS_PROXY=http://127.0.0.1:8080 +export HTTP_PROXY=http://127.0.0.1:8080 ``` -$ aws --version -aws-cli/2.12.0 Python/3.11.5 Linux/4.4.0-22621/x86_64.kali.2023 prompt/off -``` -Modified user-agent output example: +With this setup, all of your AWS CLI requests will be routed to Burp Suite, however you will likely encounter the following error: ``` -$ aws --version -Boto3/1.9.106 Python/3.6.7 Linux/4.15.0-48-generic Botocore/1.12.156 +SSL validation failed for https://sts.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129) ``` +This is because Burp Suite uses a self-signed certificate. There are multiple options to resolve this issue and I will defer to your professional discretion on which to use. You could, for example, [add](https://frichetten.com/blog/intercept-linux-cli-tool-traffic/) the self-signed certificate to your trusted certificates. Alternatively you could disable SSL verification with the AWS CLI using the `--no-verify-ssl` flag. + +Regardless of the method you choose, after making a request to the AWS API you should see the User-Agent string you configured appear in the associated CloudTrail logs. +
- ![modified](../../images/aws/avoiding-detection/guardduty-pentest/modified.jpg){ loading=lazy } -
\ No newline at end of file + ![User-Agent string in CloudTrail logs](../../images/aws/avoiding-detection/guardduty-pentest/example-cloudtrail-log.png){ loading=lazy } + + +With all of this in place, you can now make requests to the AWS API using the CLI without triggering GuardDuty alerts. \ No newline at end of file diff --git a/content/images/aws/avoiding-detection/guardduty-pentest/add-new-rule.png b/content/images/aws/avoiding-detection/guardduty-pentest/add-new-rule.png new file mode 100644 index 000000000..e1e1341d4 Binary files /dev/null and b/content/images/aws/avoiding-detection/guardduty-pentest/add-new-rule.png differ diff --git a/content/images/aws/avoiding-detection/guardduty-pentest/example-cloudtrail-log.png b/content/images/aws/avoiding-detection/guardduty-pentest/example-cloudtrail-log.png new file mode 100644 index 000000000..517504faa Binary files /dev/null and b/content/images/aws/avoiding-detection/guardduty-pentest/example-cloudtrail-log.png differ diff --git a/content/images/aws/avoiding-detection/guardduty-pentest/example.png b/content/images/aws/avoiding-detection/guardduty-pentest/example.png deleted file mode 100644 index 00e8acc6c..000000000 Binary files a/content/images/aws/avoiding-detection/guardduty-pentest/example.png and /dev/null differ diff --git a/content/images/aws/avoiding-detection/guardduty-pentest/lines.jpg b/content/images/aws/avoiding-detection/guardduty-pentest/lines.jpg deleted file mode 100644 index 233531ca4..000000000 Binary files a/content/images/aws/avoiding-detection/guardduty-pentest/lines.jpg and /dev/null differ diff --git a/content/images/aws/avoiding-detection/guardduty-pentest/match-and-replace.png b/content/images/aws/avoiding-detection/guardduty-pentest/match-and-replace.png new file mode 100644 index 000000000..c1b2c0018 Binary files /dev/null and b/content/images/aws/avoiding-detection/guardduty-pentest/match-and-replace.png differ 
diff --git a/content/images/aws/avoiding-detection/guardduty-pentest/modified.jpg b/content/images/aws/avoiding-detection/guardduty-pentest/modified.jpg deleted file mode 100644 index 942af2e35..000000000 Binary files a/content/images/aws/avoiding-detection/guardduty-pentest/modified.jpg and /dev/null differ
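Review bot: in the paragraph that resolves the `CERTIFICATE_VERIFY_FAILED` error, the `--no-verify-ssl` option should be presented as a fallback rather than an equal alternative, since it turns off certificate validation for every request the CLI sends through the proxy; the linked approach of adding Burp's certificate to the trusted store keeps validation intact and should be the recommended path. In the same section, `export HTTPS_PROXY=http://127.0.0.1:8080` and `export HTTP_PROXY=...` apply to every process started from that shell, not only `aws`, so it is worth noting that prefixing the two variables to the single `aws` command scopes them to that one invocation. Two typos in the new prose: "may raises suspicion" should read "may raise suspicion", and "Ensure you preprend `User-Agent: `" should read "prepend". Finally, the hunk drops the previous `!!! Warning` admonition about preferring a "safe" OS when remaining undetected matters; if that caveat is still considered accurate, consider keeping a version of it near the new `!!! Note` admonition, and confirm that removing `hide: - toc` from the front matter is intentional now that the page has a `## Burp Suite Setup and Usage` heading.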