AWS Suspicious User Agent Fingerprint

Identifies successful AWS API calls where the CloudTrail user agent indicates offensive tooling or automated credential verification. This includes the AWS CLI or Boto3 reporting a Kali Linux distribution fingerprint (distrib#kali), and clients that identify as TruffleHog, which is commonly used to validate leaked secrets against live AWS APIs. These patterns are uncommon for routine production workloads and may indicate compromised credentials, unauthorized access, or security tooling operating outside approved scope.

Elastic rule

[metadata]
creation_date = "2025/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Identifies successful AWS API calls where the CloudTrail user agent indicates offensive tooling or automated credential
verification. This includes the AWS CLI or Boto3 reporting a Kali Linux distribution fingerprint (`distrib#kali`), and
clients that identify as TruffleHog, which is commonly used to validate leaked secrets against live AWS APIs. These
patterns are uncommon for routine production workloads and may indicate compromised credentials, unauthorized access, or
security tooling operating outside approved scope.
"""
false_positives = [
    """
    Authorized penetration tests, red team exercises, or research activity may originate from Kali Linux. Internal
    secret scanning pipelines may run TruffleHog with permission to reach AWS for verification. Validate the IAM
    principal, source network, change records, and whether the activity matches documented security or DevSecOps
    workflows.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS Suspicious User Agent Fingerprint"
note = """## Triage and Analysis

### Investigating AWS Suspicious User Agent Fingerprint

AWS CloudTrail records the user agent string for API requests, which can reveal the OS distribution and client tooling.
Two high-signal patterns this rule covers are:

- **Kali Linux fingerprint** — When the AWS CLI or Boto3 reports `distrib#kali`, the request likely came from a Kali
  environment. Kali is widely used for penetration testing and adversarial tradecraft, so this is worth correlating with
  identity, network context, and sensitivity of API actions.
- **TruffleHog** — TruffleHog identifies itself in the user agent when verifying whether recovered credentials are still
  valid. Observing it against your account may indicate leaked keys are being tested, including through supply-chain or
  secret-scanning abuse by a third party.

This detection focuses on **successful** API activity. Evaluate who performed the action, what was accessed or modified,
and whether the source and tooling align with expectations.

### Possible investigation steps

**Identify the actor**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which IAM
  principal was used.
- Check whether this principal normally uses CLI/SDK clients and whether Kali or TruffleHog is ever expected for their role.

**Review access patterns and actions**
- Examine API calls associated with the matched user agent for high-risk activity such as IAM changes, data access,
  snapshot sharing, logging modification, or persistence-related actions.
- Look for sequences indicating initial access or expansion, such as `GetSessionToken`, `AssumeRole`, or privilege
  escalation attempts.
- Determine whether the activity scope aligns with the principal’s intended permissions and business function.

**Inspect source network and tooling context**
- Review `source.ip`, `source.geo` fields, and ASN to determine whether the request originated from an expected corporate
  network, VPN, CI/CD egress, or known security testing infrastructure.
- Analyze `user_agent.original` to confirm which pattern matched (`distrib#kali` vs `TruffleHog`) and whether usage looks
  interactive, scripted, or scanner-driven.
- Sudden shifts from console-based access to CLI from an offensive distribution, or first-time TruffleHog against the
  account, may indicate credential compromise or unauthorized scanning.

**Correlate with surrounding activity**
- Search for additional CloudTrail events tied to the same access key or session before and after this detection.
- Look for evidence of follow-on actions such as resource creation, configuration changes, or attempts to disable logging
  and monitoring services.
- Assess whether the activity represents a single isolated request or part of a broader behavioral chain.

### False positive analysis

- Internal red team or authorized assessments may produce Kali-based AWS CLI or SDK traffic. Confirm scope, timing, and
  authorization.
- Organizational use of TruffleHog in CI to validate rotated keys or scan artifacts may generate this signal; restrict
  exceptions to known roles, repositories, and egress IPs where possible.

### Response and remediation

- If the activity is unauthorized, immediately revoke or rotate the affected access keys or invalidate the active
  session.
- Review IAM permissions associated with the identity and reduce scope where possible to enforce least privilege.
- Investigate for additional indicators of compromise, including unusual role assumptions, new credential creation, or
  data access from the same identity.
- Notify security operations and incident response teams if the activity aligns with known adversary behaviors or appears
  part of a larger intrusion.
- Consider adding guardrails or conditional access controls (such as source IP restrictions or MFA enforcement) for
  sensitive IAM principals.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html",
    "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/",
    "https://trufflesecurity.com/blog/trufflehog-in-your-logs",
    "https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise",
]
risk_score = 47
rule_id = "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Tactic: Initial Access",
    "Use Case: Cloud Threat Detection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where data_stream.dataset == "aws.cloudtrail"
  and event.outcome == "success"
  and (
    (
      stringContains(user_agent.original, "distrib#kali")
      or stringContains(user_agent.original, "+kali")
      or stringContains(user_agent.original, "kali-amd64")
      or stringContains(user_agent.original, "kali-arm64")
    ) or (
      stringContains(user_agent.original, "TruffleHog")
      or stringContains(user_agent.original, "trufflehog")
    )
  )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements"
]

Triage and Analysis

Investigating AWS Suspicious User Agent Fingerprint

AWS CloudTrail records the user agent string for API requests, which can reveal the OS distribution and client tooling. Two high-signal patterns this rule covers are:

  • Kali Linux fingerprint — When the AWS CLI or Boto3 reports distrib#kali (the query also matches the markers +kali, kali-amd64 and kali-arm64), the request likely came from a Kali environment. Kali is widely used for penetration testing and adversarial tradecraft, so this is worth correlating with identity, network context, and sensitivity of API actions.
  • TruffleHog — TruffleHog identifies itself in the user agent when verifying whether recovered credentials are still valid. Observing it against your account may indicate leaked keys are being tested, including through supply-chain or secret-scanning abuse by a third party.

This detection focuses on successful API activity. Evaluate who performed the action, what was accessed or modified, and whether the source and tooling align with expectations.
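The match logic of the rule's query, as an added Python example that is not code from the Elastic rule or the page: it mirrors the four Kali markers and two TruffleHog spellings from the query together with the dataset and success-outcome conditions, and runs them over constructed CloudTrail records laid out with dotted ECS field names. The user-agent strings, key IDs and addresses are illustrative, not captured data.

```python
"""Added example, not code from the Elastic rule or its authors: the rule's EQL
match conditions re-implemented in Python so the logic can be exercised offline
against constructed CloudTrail records with dotted ECS field names."""
from typing import Dict, Iterable, List, Optional

# Substrings copied from the rule's query. EQL's stringContains() is
# case-sensitive (stringContains~ is the case-insensitive form), which is why the
# rule lists both spellings of TruffleHog; the same semantics are kept here.
KALI_MARKERS = ("distrib#kali", "+kali", "kali-amd64", "kali-arm64")
TRUFFLEHOG_MARKERS = ("TruffleHog", "trufflehog")


def classify_user_agent(ua: str) -> Optional[str]:
    """Return 'kali', 'trufflehog', or None for a user_agent.original value."""
    if any(marker in ua for marker in KALI_MARKERS):
        return "kali"
    if any(marker in ua for marker in TRUFFLEHOG_MARKERS):
        return "trufflehog"
    return None


def matches_rule(event: Dict[str, str]) -> bool:
    """Mirror the query: CloudTrail dataset, successful outcome, matching user agent."""
    return (
        event.get("data_stream.dataset") == "aws.cloudtrail"
        and event.get("event.outcome") == "success"
        and classify_user_agent(event.get("user_agent.original", "")) is not None
    )


def run_rule(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise this alert, tagged with the family matched."""
    hits = []
    for event in events:
        if matches_rule(event):
            hits.append({**event, "match": classify_user_agent(event["user_agent.original"])})
    return hits


# Constructed sample records for this example. The user-agent strings are
# illustrative; the first imitates the AWS CLI v2 "ua/2.0" layout, in which the
# installer's Linux distribution appears as an md/distrib#<name> token.
SAMPLE_EVENTS = [
    {   # Kali host, successful call: alerts
        "data_stream.dataset": "aws.cloudtrail",
        "event.action": "GetCallerIdentity",
        "event.outcome": "success",
        "user_agent.original": "aws-cli/2.15.30 md/awscrt#0.19.19 ua/2.0 os/linux#6.6.9-amd64 "
                               "md/arch#x86_64 lang/python#3.11.8 md/pyimpl#CPython "
                               "md/installer#exe md/distrib#kali.2024 md/command#sts.get-caller-identity",
        "aws.cloudtrail.user_identity.access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "source.ip": "203.0.113.10",
    },
    {   # TruffleHog verifying a recovered key, and the key worked: alerts
        "data_stream.dataset": "aws.cloudtrail",
        "event.action": "GetCallerIdentity",
        "event.outcome": "success",
        "user_agent.original": "TruffleHog",
        "aws.cloudtrail.user_identity.access_key_id": "AKIAI44QH8DHBEXAMPLE",
        "source.ip": "198.51.100.7",
    },
    {   # Same Kali marker but the call was denied: outcome is failure, no alert
        "data_stream.dataset": "aws.cloudtrail",
        "event.action": "ListBuckets",
        "event.outcome": "failure",
        "user_agent.original": "aws-cli/2.15.30 ua/2.0 os/linux#6.6.9-amd64 md/distrib#kali.2024",
        "aws.cloudtrail.user_identity.access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "source.ip": "203.0.113.10",
    },
    {   # Ordinary CI runner on Ubuntu: no alert
        "data_stream.dataset": "aws.cloudtrail",
        "event.action": "PutObject",
        "event.outcome": "success",
        "user_agent.original": "aws-cli/2.15.30 ua/2.0 os/linux#6.5.0-1015-aws md/distrib#ubuntu.22",
        "aws.cloudtrail.user_identity.access_key_id": "ASIAEXAMPLECIRUNNER",
        "source.ip": "10.0.4.21",
    },
    {   # Marker present, but the record is not from the CloudTrail dataset: no alert
        "data_stream.dataset": "aws.elb_logs",
        "event.outcome": "success",
        "user_agent.original": "curl/8.5.0 +kali",
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["match"], hit["aws.cloudtrail.user_identity.access_key_id"],
              hit["event.action"], hit["source.ip"])
```

Two properties of the rule fall out of running it: a denied call from the same Kali host is not alerted, because the query insists on event.outcome == "success" (failed attempts are still worth a separate hunt when you triage the key), and the substring match is case-sensitive, so a client that called itself "Trufflehog" would slip past both spellings.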

Possible investigation steps

Identify the actor

  • Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id to determine which IAM principal was used.
  • Check whether this principal normally uses CLI/SDK clients and whether Kali or TruffleHog is ever expected for their role.

Review access patterns and actions

  • Examine API calls associated with the matched user agent for high-risk activity such as IAM changes, data access, snapshot sharing, logging modification, or persistence-related actions.
  • Look for sequences indicating initial access or expansion, such as GetSessionToken, AssumeRole, or privilege escalation attempts.
  • Determine whether the activity scope aligns with the principal’s intended permissions and business function.

Inspect source network and tooling context

  • Review source.ip, source.geo fields, and ASN to determine whether the request originated from an expected corporate network, VPN, CI/CD egress, or known security testing infrastructure.
  • Analyze user_agent.original to confirm which pattern matched (one of the Kali markers distrib#kali, +kali, kali-amd64 or kali-arm64, or TruffleHog/trufflehog) and whether usage looks interactive, scripted, or scanner-driven.
  • Sudden shifts from console-based access to CLI from an offensive distribution, or first-time TruffleHog against the account, may indicate credential compromise or unauthorized scanning.

Correlate with surrounding activity

  • Search for additional CloudTrail events tied to the same access key or session before and after this detection.
  • Look for evidence of follow-on actions such as resource creation, configuration changes, or attempts to disable logging and monitoring services.
  • Assess whether the activity represents a single isolated request or part of a broader behavioral chain.
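The correlation steps above, as an added Python example that is not part of the page or the Elastic rule: starting from one alert, it collects the CloudTrail events that share the same access key inside a time window, sorts the follow-on actions into the risk categories the guide names (IAM changes, logging modification, STS expansion, data access, snapshot sharing), and decides whether the alert is an isolated request or part of a chain. The timeline, the category lists and the verdict thresholds are constructed for this example; extend the category sets for your own environment.

```python
"""Added example, not part of the page or the Elastic rule: pivot from one
alert to the surrounding CloudTrail activity of the same access key and sort
the follow-on actions into the risk categories the guide names. The events,
the category lists and the verdict thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

KEY_FIELD = "aws.cloudtrail.user_identity.access_key_id"

# Illustrative event.action names per category; extend for your environment.
RISK_CATEGORIES = {
    "iam_change": {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
                   "CreateLoginProfile", "UpdateAssumeRolePolicy"},
    "logging_tamper": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                       "DeleteFlowLogs", "DeleteDetector"},
    "sts_expansion": {"GetSessionToken", "AssumeRole", "GetFederationToken"},
    "data_access": {"ListBuckets", "GetObject", "GetSecretValue", "GetParameter"},
    "snapshot_sharing": {"ModifySnapshotAttribute", "ModifyDBSnapshotAttribute"},
}


def _ts(event: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(event["@timestamp"])


def correlate(alert: Dict[str, str], events: List[Dict[str, str]],
              window: timedelta = timedelta(hours=1)) -> Dict[str, object]:
    """Gather events sharing the alert's access key within +/- window and summarise them."""
    centre = _ts(alert)
    related = sorted(
        (e for e in events
         if e.get(KEY_FIELD) == alert[KEY_FIELD] and abs(_ts(e) - centre) <= window),
        key=_ts,
    )
    flagged: Dict[str, List[str]] = defaultdict(list)
    for e in related:
        for category, names in RISK_CATEGORIES.items():
            if e["event.action"] in names:
                flagged[category].append(e["event.action"])
    # One request with nothing around it reads very differently from a chain that
    # reaches into IAM or logging; make that distinction explicit for the analyst.
    if "logging_tamper" in flagged or len(flagged) >= 2:
        verdict = "chain"
    elif len(related) <= 1:
        verdict = "isolated"
    else:
        verdict = "activity"
    return {
        "access_key": alert[KEY_FIELD],
        "related": len(related),
        "flagged": dict(flagged),
        "source_ips": sorted({e.get("source.ip", "?") for e in related}),
        "timeline": [f'{e["@timestamp"]} {e["event.action"]} ({e["event.outcome"]}) '
                     f'from {e.get("source.ip", "?")}' for e in related],
        "verdict": verdict,
    }


def _ev(ts, action, key, ip, outcome="success"):
    return {"@timestamp": ts, "event.action": action, "event.outcome": outcome,
            KEY_FIELD: key, "source.ip": ip}


# Constructed timeline: a Kali-sourced GetCallerIdentity (the alert) followed by
# enumeration, a new session, a new key and logging being switched off, plus
# noise from an unrelated CI key and an old event outside the window.
KEY_A, KEY_B = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"
TIMELINE = [
    _ev("2025-04-11T09:30:00+00:00", "ListUsers", KEY_A, "203.0.113.10"),
    _ev("2025-04-11T12:00:05+00:00", "GetCallerIdentity", KEY_A, "203.0.113.10"),
    _ev("2025-04-11T12:00:40+00:00", "ListBuckets", KEY_A, "203.0.113.10"),
    _ev("2025-04-11T12:01:00+00:00", "PutObject", KEY_B, "10.0.4.21"),
    _ev("2025-04-11T12:03:12+00:00", "GetSessionToken", KEY_A, "203.0.113.10"),
    _ev("2025-04-11T12:07:50+00:00", "CreateAccessKey", KEY_A, "203.0.113.11"),
    _ev("2025-04-11T12:09:01+00:00", "StopLogging", KEY_A, "203.0.113.11"),
]
ALERT = TIMELINE[1]

if __name__ == "__main__":
    summary = correlate(ALERT, TIMELINE)
    print(summary["verdict"], summary["flagged"])
    print("\n".join(summary["timeline"]))
```

Pivoting on the access key rather than the user agent matters: once the attacker has a session token or a freshly created key, the later calls may carry a different user agent and would not match the rule at all, but they still share the originating key ID until the new credential is used. A second source IP in the same window, as in the constructed timeline, is another sign the key is in more than one operator's hands.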

False positive analysis

  • Internal red team or authorized assessments may produce Kali-based AWS CLI or SDK traffic. Confirm scope, timing, and authorization.
  • Organizational use of TruffleHog in CI to validate rotated keys or scan artifacts may generate this signal; restrict exceptions to known roles, repositories, and egress IPs where possible.

Response and remediation

  • If the activity is unauthorized, immediately revoke or rotate the affected access keys or invalidate the active session.
  • Review IAM permissions associated with the identity and reduce scope where possible to enforce least privilege.
  • Investigate for additional indicators of compromise, including unusual role assumptions, new credential creation, or data access from the same identity.
  • Notify security operations and incident response teams if the activity aligns with known adversary behaviors or appears part of a larger intrusion.
  • Consider adding guardrails or conditional access controls (such as source IP restrictions or MFA enforcement) for sensitive IAM principals.
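The containment and guardrail steps above, as an added Python example that is not part of the page or the Elastic rule. The policy shapes follow AWS's documented patterns (a Deny on aws:TokenIssueTime to invalidate role sessions issued before a cutoff, and aws:SourceIp, aws:ViaAWSService and aws:MultiFactorAuthPresent for source-IP and MFA guardrails); the function names, policy names and CIDRs are this example's own, and the two boto3 calls assume boto3 is installed with credentials that hold iam:UpdateAccessKey and iam:PutRolePolicy.

```python
"""Added example, not part of the page or the Elastic rule: containment and
guardrail policy documents for the response steps. Policy shapes follow AWS's
documented patterns; function names, policy names and CIDRs are illustrative."""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed cutoff for the stand-alone run; in practice use the alert time.
EXAMPLE_CUTOFF = datetime(2025, 4, 11, 12, 0, 0, tzinfo=timezone.utc)


def revoke_sessions_policy(cutoff: datetime) -> Dict:
    """Deny everything to role sessions issued before cutoff (the same document the
    IAM console's "Revoke active sessions" action attaches). Temporary credentials
    cannot be deleted, so denying by issue time is how a live session is killed."""
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
    }]}


def guardrail_policy(allowed_cidrs: List[str], require_mfa: bool = True) -> Dict:
    """Deny requests from outside allowed_cidrs (except calls an AWS service makes on
    the principal's behalf) and, optionally, any request made without MFA."""
    statements = [{
        "Sid": "DenyOutsideCorporateEgress",
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }]
    if require_mfa:
        statements.append({
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny", "Action": "*", "Resource": "*",
            # BoolIfExists: requests signed with long-term access keys carry no MFA
            # context key at all, so a plain Bool test would let them through.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def contain_access_key(user_name: str, access_key_id: str) -> None:
    """Deactivate (not delete) the key, so the evidence trail and the option to
    re-enable after a false-positive review both survive. Assumes boto3 is
    installed and the caller holds iam:UpdateAccessKey; imported lazily so the
    policy builders above run offline."""
    import boto3
    boto3.client("iam").update_access_key(
        UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")


def revoke_role_sessions(role_name: str, cutoff: datetime) -> None:
    """Attach the revocation policy inline to a role whose sessions were abused.
    Assumes boto3 and iam:PutRolePolicy, as above."""
    import boto3
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName="AWSRevokeOlderSessions",
        PolicyDocument=json.dumps(revoke_sessions_policy(cutoff)))


if __name__ == "__main__":
    print(json.dumps(revoke_sessions_policy(EXAMPLE_CUTOFF), indent=2))
    print(json.dumps(guardrail_policy(["198.51.100.0/24"]), indent=2))
```

Scope the guardrail to the human principals it is meant for: the MFA statement will break automation that authenticates with long-term keys, and the source-IP statement blocks requests arriving through VPC endpoints unless an aws:SourceVpce or aws:VpcSourceIp condition is added alongside. Rotating the key (a new CreateAccessKey for the legitimate owner) is a separate step after the compromised one is deactivated.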
