AWS CLI with Kali Linux Fingerprint Identified

Identifies usage of the AWS CLI from a client reporting a user agent string indicating the request was made from a Kali Linux distribution. Kali Linux is commonly used for offensive security testing and adversary tradecraft. While not inherently malicious, AWS CLI activity originating from Kali is uncommon in most production environments and may indicate compromised credentials, unauthorized access, or post-exploitation activity using valid cloud accounts.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2025/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/15"

[rule]
author = ["Elastic"]
description = """
Identifies usage of the AWS CLI from a client reporting a user agent string indicating the request was made from a Kali
Linux distribution. Kali Linux is commonly used for offensive security testing and adversary tradecraft. While not
inherently malicious, AWS CLI activity originating from Kali is uncommon in most production environments and may
indicate compromised credentials, unauthorized access, or post-exploitation activity using valid cloud accounts.
"""
false_positives = [
    """
    Authorized security assessments, red team exercises, or defensive research activities may involve the use of Kali
    Linux. Validate whether the IAM principal, source network, and activity scope align with approved testing or
    security operations. Any Kali-originated activity outside documented security workflows should be investigated.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS CLI with Kali Linux Fingerprint Identified"
note = """## Triage and Analysis

### Investigating AWS CLI with Kali Linux Fingerprint Identified

AWS CloudTrail captures the user agent string for API requests, which can provide insight into the operating system and tooling used. The presence of `distrib#kali` strongly suggests the AWS CLI was executed from a Kali Linux environment. Kali is widely used for penetration testing, red teaming, and adversarial operations, making its appearance in AWS API telemetry noteworthy, especially when associated with sensitive actions or unexpected identities.

This detection focuses on successful AWS CLI activity and should be evaluated in the context of who performed the action, what was accessed or modified, and where the request originated.

### Possible investigation steps

**Identify the actor**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which IAM
  principal was used.
- Check whether this principal normally interacts with AWS via CLI tooling and whether Kali Linux usage is expected.

**Review access patterns and actions**
- Examine the API calls associated with this user agent for high-risk activity such as IAM changes, data access, snapshot
  sharing, logging modification, or persistence-related actions.
- Look for sequences indicating initial access or expansion, such as `GetSessionToken`, `AssumeRole`, or privilege
  escalation attempts.
- Determine whether the activity scope aligns with the role’s intended permissions and business function.

**Inspect source network and tooling context**
- Review `source.ip`, `source.geo` fields, and ASN to determine whether the request originated from an expected corporate
  network, VPN, or known security testing infrastructure.
- Analyze `user_agent.original` to confirm CLI usage and identify automation versus interactive usage.
- Sudden shifts from console-based access to CLI usage from Kali may indicate credential compromise.

**Correlate with surrounding activity**
- Search for additional CloudTrail events tied to the same access key or session before and after this detection.
- Look for evidence of follow-on actions such as resource creation, configuration changes, or attempts to disable logging and monitoring services.
- Assess whether the activity represents a single isolated request or part of a broader behavioral chain.

### False positive analysis

- Internal red team or security testing activity may legitimately generate Kali-based AWS CLI traffic. Confirm scope,
  timing, and authorization with security leadership.
- Compare against historical behavior for the same IAM principal to determine whether Kali usage is a deviation from
  baseline access patterns.

### Response and remediation

- If the activity is unauthorized, immediately revoke or rotate the affected access keys or invalidate the active
  session.
- Review IAM permissions associated with the identity and reduce scope where possible to enforce least privilege.
- Investigate for additional indicators of compromise, including unusual role assumptions, new credential creation, or
  data access from the same identity.
- Notify security operations and incident response teams if the activity aligns with known adversary behaviors or appears
  part of a larger intrusion.
- Consider adding guardrails or conditional access controls (such as source IP restrictions or MFA enforcement) for
  sensitive IAM principals.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html",
    "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/",
]
risk_score = 47
rule_id = "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Tactic: Initial Access",
    "Use Case: Cloud Threat Detection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
  and user_agent.name: ("aws-cli", "Boto3")
  and stringContains (user_agent.original, "distrib#kali")
  and event.outcome == "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements"
]
```

Triage and Analysis

Investigating AWS CLI with Kali Linux Fingerprint Identified

AWS CloudTrail captures the user agent string for API requests, which can provide insight into the operating system and tooling used. The presence of distrib#kali strongly suggests the AWS CLI was executed from a Kali Linux environment. Kali is widely used for penetration testing, red teaming, and adversarial operations, making its appearance in AWS API telemetry noteworthy, especially when associated with sensitive actions or unexpected identities.

This detection focuses on successful AWS CLI activity and should be evaluated in the context of who performed the action, what was accessed or modified, and where the request originated.

Possible investigation steps

Identify the actor

  • Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id to determine which IAM principal was used.
  • Check whether this principal normally interacts with AWS via CLI tooling and whether Kali Linux usage is expected.

Review access patterns and actions

  • Examine the API calls associated with this user agent for high-risk activity such as IAM changes, data access, snapshot sharing, logging modification, or persistence-related actions.
  • Look for sequences indicating initial access or expansion, such as GetSessionToken, AssumeRole, or privilege escalation attempts.
  • Determine whether the activity scope aligns with the role’s intended permissions and business function.

Inspect source network and tooling context

  • Review source.ip, source.geo fields, and ASN to determine whether the request originated from an expected corporate network, VPN, or known security testing infrastructure.
  • Analyze user_agent.original to confirm CLI usage and identify automation versus interactive usage.
  • Sudden shifts from console-based access to CLI usage from Kali may indicate credential compromise.

Correlate with surrounding activity

  • Search for additional CloudTrail events tied to the same access key or session before and after this detection.
  • Look for evidence of follow-on actions such as resource creation, configuration changes, or attempts to disable logging and monitoring services.
  • Assess whether the activity represents a single isolated request or part of a broader behavioral chain.
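The rule's query conditions and the four investigation steps above, carried out in Python over constructed CloudTrail records. This is an added example, not Elastic's code or part of the rule. It makes three assumptions: the product check approximates the ECS `user_agent.name` field from the first token of the raw user agent string (the real rule relies on the integration's user-agent parser); the sample user agents imitate the AWS CLI v2 / SDK `ua/2.0` layout in which the distribution is reported as `md/distrib#kali.2024` and the operation as `md/command#...`, with exact tokens varying by release; and the high-risk action list is this example's own choice drawn from the guide, not something the rule defines.

```python
"""Rule logic and first triage steps over sample CloudTrail records.

Added example, not Elastic's code: applies the EQL query's conditions in
Python, enriches each hit (actor, key, source, tool, command) and correlates
everything tied to the same access key, as the investigation guide asks.
"""
from collections import defaultdict

# Products accepted by `user_agent.name: ("aws-cli", "Boto3")`. The rule matches
# the ECS field from the integration's user-agent parser; here the product is
# approximated from the first token of the raw string.
CLI_PRODUCTS = {"aws-cli", "boto3"}
KALI_MARKER = "distrib#kali"

# API calls the guide singles out as high-risk follow-on activity (an assumption
# for this example; the rule itself defines no such list).
HIGH_RISK_ACTIONS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",  # IAM / persistence
    "StopLogging", "DeleteTrail", "UpdateTrail",                           # logging modification
    "ModifySnapshotAttribute", "ModifyDBSnapshotAttribute",                # snapshot sharing
    "AssumeRole", "GetSessionToken",                                       # session expansion
}

# Constructed user agents. The Kali ones imitate the AWS CLI v2 / SDK "ua/2.0"
# layout, where the distribution appears as md/distrib#<name>; the Ubuntu one is
# the older layout with no distrib tag. Exact tokens vary by release.
KALI_CLI = ("aws-cli/2.22.0 md/awscrt#0.22.0 ua/2.0 os/linux#6.11.2-amd64 md/arch#x86_64 "
            "lang/python#3.12.6 md/pyimpl#CPython md/installer#exe md/distrib#kali.2024 "
            "md/prompt#off md/command#")
KALI_BOTO = ("Boto3/1.35.36 md/Botocore#1.35.36 ua/2.0 os/linux#6.11.2-amd64 md/arch#x86_64 "
             "lang/python#3.12.6 md/pyimpl#CPython md/distrib#kali.2024")
UBUNTU_OLD = "aws-cli/2.17.0 Python/3.11.9 Linux/5.15.0-91-generic exe/x86_64.ubuntu.22 prompt/off command/"
CI_USER, ADMIN_USER = "arn:aws:iam::123456789012:user/ci-deploy", "arn:aws:iam::123456789012:user/admin-bob"
KEY_CI, KEY_ADMIN = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"  # AWS documentation example IDs

def make_event(time, name, ua, ip, arn, key, error=None):
    # Constructed CloudTrail record trimmed to the fields the rule and triage use.
    ev = {"eventTime": time, "eventName": name, "userAgent": ua, "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": key}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    # ci-deploy's key from its usual Ubuntu runner, then minutes later from Kali
    make_event("2025-04-11T09:58:02Z", "AssumeRole", UBUNTU_OLD + "sts.assume-role", "203.0.113.10", CI_USER, KEY_CI),
    make_event("2025-04-11T10:02:15Z", "GetCallerIdentity", KALI_CLI + "sts.get-caller-identity", "198.51.100.7", CI_USER, KEY_CI),
    make_event("2025-04-11T10:03:40Z", "ListBuckets", KALI_BOTO, "198.51.100.7", CI_USER, KEY_CI),
    make_event("2025-04-11T10:05:12Z", "StopLogging", KALI_CLI + "cloudtrail.stop-logging", "198.51.100.7", CI_USER, KEY_CI),
    # Kali fingerprint but the call failed: outside the rule's success filter
    make_event("2025-04-11T10:06:00Z", "ListBuckets", KALI_BOTO, "198.51.100.9", ADMIN_USER, KEY_ADMIN, error="AccessDenied"),
    # high-risk call, but from an Ubuntu client: not this rule's concern
    make_event("2025-04-11T10:07:30Z", "CreateAccessKey", KALI_CLI.replace("kali.2024", "ubuntu.24") + "iam.create-access-key",
               "203.0.113.10", ADMIN_USER, KEY_ADMIN),
]

def parse_user_agent(ua):
    """Split `product/version` and `md/key#value` tokens; md/distrib#kali.2024 -> meta["distrib"]."""
    tokens = ua.split() or [""]
    product, _, version = tokens[0].partition("/")
    meta = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("/")
        if key == "md" and "#" in value:
            key, _, value = value.partition("#")
        meta[key] = value
    return {"product": product, "version": version, "meta": meta}

def matches_rule(ev):
    """The query's three conditions; event.outcome is derived from errorCode as ECS does."""
    ua = ev.get("userAgent", "")
    return (parse_user_agent(ua)["product"].lower() in CLI_PRODUCTS
            and KALI_MARKER in ua
            and not ev.get("errorCode"))

def triage(events):
    """One enriched finding per hit, in time order, with same-key context."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"].get("accessKeyId")].append(ev)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not matches_rule(ev):
            continue
        ua, key = parse_user_agent(ev["userAgent"]), ev["userIdentity"].get("accessKeyId")
        related = sorted(by_key[key], key=lambda e: e["eventTime"])
        earlier = [e for e in related if e["eventTime"] < ev["eventTime"]]
        findings.append({
            "time": ev["eventTime"], "actor": ev["userIdentity"].get("arn"), "access_key": key,
            "source_ip": ev["sourceIPAddress"], "action": ev["eventName"],
            "tool": f'{ua["product"]}/{ua["version"]}', "distrib": ua["meta"].get("distrib"),
            "cli_command": ua["meta"].get("command"),
            "high_risk": ev["eventName"] in HIGH_RISK_ACTIONS,
            # baseline deviation: first time this key has been used from Kali?
            "first_kali_use": not any(KALI_MARKER in e["userAgent"] for e in earlier),
            # correlation across the key's whole history, before and after the hit
            "key_timeline": [e["eventName"] for e in related],
            "other_source_ips": sorted({e["sourceIPAddress"] for e in related} - {ev["sourceIPAddress"]}),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["time"]} {"HIGH RISK" if f["high_risk"] else "info":9} {f["actor"]} {f["action"]} via {f["tool"]} '
              f'({f["distrib"]}) from {f["source_ip"]}; key also seen from {f["other_source_ips"]}; '
              f'first Kali use: {f["first_kali_use"]}')
```

Run stand-alone it reports three findings for the ci-deploy key: the first Kali-originated call is marked as a baseline deviation (the key had only been used from an Ubuntu runner at a different IP before), the Boto3 call is attributed to the same key and source, and the StopLogging call is flagged as high risk. The AccessDenied event and the Ubuntu-originated CreateAccessKey never match, mirroring the rule's event.outcome and fingerprint filters; the latter is a reminder that this rule covers only the Kali fingerprint, not high-risk IAM actions in general.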

False positive analysis

  • Internal red team or security testing activity may legitimately generate Kali-based AWS CLI traffic. Confirm scope, timing, and authorization with security leadership.
  • Compare against historical behavior for the same IAM principal to determine whether Kali usage is a deviation from baseline access patterns.

Response and remediation

  • If the activity is unauthorized, immediately revoke or rotate the affected access keys or invalidate the active session.
  • Review IAM permissions associated with the identity and reduce scope where possible to enforce least privilege.
  • Investigate for additional indicators of compromise, including unusual role assumptions, new credential creation, or data access from the same identity.
  • Notify security operations and incident response teams if the activity aligns with known adversary behaviors or appears part of a larger intrusion.
  • Consider adding guardrails or conditional access controls (such as source IP restrictions or MFA enforcement) for sensitive IAM principals.

Additional information

  • AWS IR Playbooks: https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/
  • AWS Customer Playbook Framework: https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs
  • AWS Knowledge Center – Security Best Practices: https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/

References

  • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html
  • https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/