AWS CLI with Kali Linux Fingerprint Identified

Identifies the usage of the AWS CLI with a user agent string containing distrib#kali, which suggests the request was made from a Kali Linux distribution. This may indicate offensive security tooling or unauthorized use of the AWS CLI from a potentially adversarial environment.

Elastic rule

[metadata]
creation_date = "2025/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2025/04/16"

[rule]
author = ["Elastic"]
description = """
Identifies the usage of the AWS CLI with a user agent string containing `distrib#kali`, which suggests the request
was made from a Kali Linux distribution. This may indicate offensive security tooling or unauthorized use of the AWS CLI
from a potentially adversarial environment.
"""
false_positives = [
    """
    While rare, legitimate users or red teamers may use Kali Linux for security assessments. Confirm the identity of the
    user, their purpose, and whether the activity was authorized.
    """,
]
from = "now-9m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS CLI with Kali Linux Fingerprint Identified"
note = """## Triage and Analysis

### Investigating AWS CLI with Kali Linux Fingerprint Identified

The `user_agent.original` field in AWS CloudTrail logs reveals the operating system and toolchain used to make API calls. The substring `distrib#kali` strongly implies the use of Kali Linux, a common OS used by offensive security professionals and adversaries.

#### Possible Investigation Steps

- Identify the User: Check `user.name`, `user.arn`, and `aws.cloudtrail.user_identity.*` to determine which IAM identity was used.
- Review Access Pattern: Correlate API calls from this user agent with sensitive actions such as `PutObject`, `CreateUser`, `AttachUserPolicy`, etc.
- Investigate Source IP: Examine whether the request originated from an expected network or a suspicious VPN or cloud provider address.
- Check for Initial Access: Look for session tokens being issued (e.g., `GetSessionToken`) or reused (`AssumeRole`) prior to this event.

### False Positive Analysis

- Rare but possible in security assessments or internal red teaming. Validate the action context (user, IP, time of day, etc).

### Response and Remediation

- Revoke Credentials: If unauthorized, revoke keys or sessions immediately.
- Harden IAM Policies: Restrict sensitive IAM privileges, especially if used by CI/CD or automation roles.
- Alert on Repeat Usage: Add recurring monitoring for suspicious user agents including `kali`, `curl`, or known toolkits.
"""
references = [
    "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html",
    "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/",
]
risk_score = 47
rule_id = "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Tactic: Initial Access",
    "Use Case: Cloud Threat Detection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail" and user_agent.original: (aws-cli*distrib#kali* or Boto3*distrib#kali*)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
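The query's two wildcard patterns and the investigation guide's field checks, applied offline to raw CloudTrail records, as an added Python example that is not part of the Elastic rule or the detection-rules repo. The sample records, account id, IPs and version strings are constructed, and the helper assumes the Elastic AWS integration's mapping of CloudTrail `userAgent` to ECS `user_agent.original`.

```python
import re

# Wildcard patterns copied from the rule's KQL query ('*' matches any run of characters),
# plus the API names the investigation guide singles out as sensitive follow-on actions.
USER_AGENT_PATTERNS = ("aws-cli*distrib#kali*", "Boto3*distrib#kali*")
SENSITIVE_ACTIONS = {"PutObject", "CreateUser", "AttachUserPolicy"}


def kql_wildcard_to_regex(pattern):
    """Turn a KQL keyword wildcard pattern into an anchored, case-sensitive regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


_COMPILED = [kql_wildcard_to_regex(p) for p in USER_AGENT_PATTERNS]


def matches_rule(record):
    """True when a raw CloudTrail record carries a Kali-fingerprinted AWS CLI or Boto3 agent.
    Assumes the AWS integration maps CloudTrail 'userAgent' to ECS 'user_agent.original'."""
    return any(rx.match(record.get("userAgent", "")) for rx in _COMPILED)


def triage(record):
    """Pull out the fields the investigation guide asks an analyst to check for a hit."""
    action = record.get("eventName")
    return {
        "arn": record.get("userIdentity", {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "action": action,
        "sensitive": action in SENSITIVE_ACTIONS,
    }


def find_kali_activity(records):
    """Apply the rule to a batch of records and return a triage summary per hit."""
    return [triage(r) for r in records if matches_rule(r)]


# Constructed sample user agents and records (not real telemetry); version numbers,
# the account id and the IP addresses are placeholders.
KALI_CLI = "aws-cli/2.15.30 ua/2.0 os/linux#6.6.15-amd64 md/arch#x86_64 lang/python#3.11.8 md/installer#exe md/distrib#kali.2024.1 md/prompt#off"
KALI_BOTO = "Boto3/1.34.69 md/Botocore#1.34.69 ua/2.0 os/linux#6.6.15-amd64 md/distrib#kali.2024.1"
UBUNTU_CLI = "aws-cli/2.15.30 ua/2.0 os/linux#6.5.0-generic md/installer#exe md/distrib#ubuntu.22.04"
ANALYST = {"arn": "arn:aws:iam::123456789012:user/analyst-lab"}
SAMPLE_RECORDS = [
    {"userIdentity": ANALYST, "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10", "userAgent": KALI_CLI},
    {"userIdentity": ANALYST, "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10", "userAgent": KALI_CLI},
    {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"}, "eventName": "PutObject", "sourceIPAddress": "198.51.100.7", "userAgent": UBUNTU_CLI},
    {"userIdentity": ANALYST, "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10", "userAgent": KALI_BOTO},
]

if __name__ == "__main__":
    for hit in find_kali_activity(SAMPLE_RECORDS):
        print(hit)
```

The Ubuntu record is deliberately not matched: only the `distrib#kali` substring after an `aws-cli` or `Boto3` prefix fires, exactly as the KQL does.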
