- Identifies usage of the AWS CLI from a client reporting a user agent string indicating the request was made from a Kali Linux distribution. Kali Linux is commonly used for offensive security testing and adversary tradecraft. While not inherently malicious, AWS CLI activity originating from Kali is uncommon in most production environments and may indicate compromised credentials, unauthorized access, or post-exploitation activity using valid cloud accounts.
- This rule detects when a JavaScript file is uploaded in an S3 static site directory (static/js/) by an IAM user or assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious scripts into a static website frontend.