How to Avoid Detection by Modifying AWS CLI User-Agent
Introduction
When performing security assessments or penetration tests on AWS environments, CloudTrail and GuardDuty are common monitoring services that log suspicious activity. One detection method they use is analyzing the User-Agent string sent by the AWS CLI.
While certain elements of the User-Agent string cannot be changed at runtime, such as platform information, additional metadata can be appended via environment variables like AWS_EXECUTION_ENV. However, a more effective approach is to modify the AWS CLI source code and recompile it, ensuring the User-Agent string does not raise red flags.
This guide explains how to achieve this by recompiling AWS CLI, a method that is more efficient than using Burp Suite as detailed in Hacking The Cloud.
Understanding AWS CLI User-Agent Structure
The AWS CLI relies on botocore, which builds the User-Agent string dynamically. Since AWS CLI is distributed as a precompiled package, users cannot modify certain parts of this string at runtime. The Linux distribution, for example, is automatically detected and cannot be overridden by environment variables.
Recompiling AWS CLI to Modify User-Agent
To fully control the User-Agent, follow these steps to download, modify, and rebuild AWS CLI.
1. Download the latest AWS CLI source sode
curl -o awscli.tar.gz https://awscli.amazonaws.com/awscli.tar.gz2. Extract and enter the source directory
tar -xzf awscli.tar.gz
cd awscli-2.X.X3. Create a Virtual Environment and Activate It
virtualenv venv -p python3
source venv/bin/activate4. Run Configuration with this argument which will download dependencies at building time:
./configure --with-download-deps5. Modify the User-Agent Distribution Info
The Linux distribution information is set in awscli/clidriver.py. Modify this function as follows:
def _get_linux_distribution():
linux_distribution = 'ubuntu' # Hardcode to avoid detection
# Delete or comment all lines in between
return linux_distributionThis ensures that AWS CLI reports itself as an Ubuntu-based installation, even if used on Kali/Parrot Linux or other distributions.
6. Build and Install the Modified AWS CLI
make
sudo make installVerifying the Changes
To check if the AWS CLI is now reporting the modified User-Agent, run the following command:
aws s3 ls --debug 2>&1 | grep User-AgentExpected Output (Example)
2025-02-14 06:31:35,005 - MainThread - botocore.endpoint - DEBUG -
Making request for OperationModel(name=ListBuckets) with params:
{'url_path': '/', 'query_string': {}, 'method': 'GET', 'headers':
{'User-Agent': 'aws-cli/2.24.4 md/awscrt#0.23.8 ua/2.0 os/linux#6.11.2-amd64
md/arch#x86_64 lang/python#3.12.8 md/pyimpl#CPython cfg/retry-mode#standard
md/installer#source-sandbox md/distrib#ubuntu md/prompt#off
md/command#s3.ls'}, ...}Notice that the md/distrib#ubuntu value now appears, which can help blend activity into production environments.
Conclusion
By recompiling AWS CLI, we can modify its User-Agent string in a way that is resistant to simple rules based on User-Agent in GuardDuty or any other SIEM that ingests CloudTrail logs. This technique provides a more efficient approach than using Burp Suite for interception and rewriting requests. Security professionals and penetration testers can leverage this method to avoid raising immediate alerts during AWS assessments.
