448d1cdcd9
- install_opencode: deploys 29 personas as agents + 1011 skills to
~/.config/opencode/{agents,skills}/. Uses OpenCode's markdown+YAML
agent format (mode/color/permission) and SKILL.md format.
- Topic filter with sensible defaults (drops marketing/biz ~514 skills).
CLI: --opencode-topics security-offensive,coding-backend,...
- Clone of swisskyrepo/InternalAllTheThings (168 MD, 1.7MB) added to
_shared/ as a reference trove for AD attack paths, ADCS ESC1-15,
Kerberos delegation, NTLM relay/coerce, lateral movement, persistence.
- NEO redteam + VORTEX cloud-ad personas reference the new KB with
MITRE ATT&CK TTP mapping pointers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1.2 KiB
1.2 KiB
AWS - IOC & Detections
CloudTrail
Disable CloudTrail
aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator
Disable monitoring of events from global services
aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event
Disable Cloud Trail on specific regions
aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west
GuardDuty
OS User Agent
⚠️ When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
Pacu bypass this problem by defining a custom User-Agent: pacu.py#L1473
boto3_session = boto3.session.Session()
ua = boto3_session._session.user_agent()
if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower(): # If the local OS is Kali/Parrot/Pentoo Linux
# GuardDuty triggers a finding around API calls made from Kali Linux, so let's avoid that...
self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...')