AWS Suspicious User Agent Fingerprint

Last updated: 2026-04-10
Created: 2025-04-11

About

Identifies successful AWS API calls where the CloudTrail user agent indicates offensive tooling or automated credential verification. This covers the AWS CLI or Boto3 reporting a Kali Linux distribution fingerprint (`distrib#kali` and related kernel or architecture strings), and clients that identify as TruffleHog, which is commonly used to validate leaked secrets against live AWS APIs. These patterns are uncommon for routine production workloads and may indicate compromised credentials, unauthorized access, or security tooling operating outside approved scope. Because the rule requires `event.outcome == "success"`, it alerts only once a call has actually been authorized; failed verification attempts with revoked or invalid keys are not matched. The user agent is set by the client and can be changed freely, so this is an opportunistic, low-cost signal rather than a control an attacker cannot bypass.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Tactic: Initial Access
Use Case: Cloud Threat Detection
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

Defense Evasion (TA0005)

False Positive Examples
Authorized penetration tests, red team exercises, or research activity may originate from Kali Linux. Internal secret scanning pipelines may run TruffleHog with permission to reach AWS for verification. Validate the IAM principal, source network, change records, and whether the activity matches documented security or DevSecOps workflows.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
any where data_stream.dataset == "aws.cloudtrail" and event.outcome == "success" and
  (
    (
      stringContains(user_agent.original, "distrib#kali") or
      stringContains(user_agent.original, "+kali") or
      stringContains(user_agent.original, "kali-amd64") or
      stringContains(user_agent.original, "kali-arm64")
    ) or
    (
      stringContains(user_agent.original, "TruffleHog") or
      stringContains(user_agent.original, "trufflehog")
    )
  )
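To see exactly which records the query above would and would not fire on, the following added example re-implements its three conditions in Python and runs them over a handful of constructed CloudTrail-style records. It is an illustration written for this page, not Elastic's code, and it assumes the ECS-style field names the Elastic AWS integration uses (`data_stream.dataset`, `event.outcome`, `user_agent.original`, `aws.cloudtrail.user_identity.arn`, `source.ip`, `event.action`, `cloud.region`). The sample user agents approximate the AWS CLI/SDK and TruffleHog formats and are constructed, not captured; `matched_marker`, `rule_matches`, `triage` and `scan` are names chosen here. The records are built so that each exercises one branch of the rule: the dataset filter, the success filter, the case-sensitive `stringContains` tests, and the triage fields the False Positive Examples section says to check.

```python
"""Python mirror of the AWS Suspicious User Agent Fingerprint EQL rule.

Added illustration for this page; not Elastic's implementation. Field names
follow the ECS layout the Elastic AWS integration emits (assumed here).
"""

from typing import Optional

# The same substring lists as the EQL query, in the same order.
KALI_MARKERS = ("distrib#kali", "+kali", "kali-amd64", "kali-arm64")
TRUFFLEHOG_MARKERS = ("TruffleHog", "trufflehog")
ALL_MARKERS = KALI_MARKERS + TRUFFLEHOG_MARKERS


def matched_marker(user_agent: str) -> Optional[str]:
    """Return the first rule marker found in the user agent, or None.

    EQL stringContains() is case-sensitive (the case-insensitive form is
    stringContains~), which is why the rule lists both spellings of
    trufflehog. Python's plain `in` reproduces that exactly.
    """
    for marker in ALL_MARKERS:
        if marker in user_agent:
            return marker
    return None


def rule_matches(event: dict) -> bool:
    """Apply the query's three conditions in the order the EQL states them."""
    if event.get("data_stream.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.outcome") != "success":
        return False  # failed calls (e.g. revoked keys) never fire this rule
    return matched_marker(event.get("user_agent.original", "")) is not None


def triage(event: dict) -> dict:
    """Collect what the False Positive Examples section says to validate:
    the IAM principal, the source network, and what was actually called."""
    return {
        "marker": matched_marker(event.get("user_agent.original", "")),
        "principal": event.get("aws.cloudtrail.user_identity.arn"),
        "source_ip": event.get("source.ip"),
        "action": event.get("event.action"),
        "region": event.get("cloud.region"),
    }


def scan(events: list) -> list:
    """Run the rule over a batch and return one triage row per hit."""
    return [triage(e) for e in events if rule_matches(e)]


def _rec(dataset, outcome, action, ua, arn, ip, region="us-east-1") -> dict:
    """Build one constructed CloudTrail-style record (test data, not real logs)."""
    return {
        "data_stream.dataset": dataset,
        "event.outcome": outcome,
        "event.action": action,
        "user_agent.original": ua,
        "aws.cloudtrail.user_identity.arn": arn,
        "source.ip": ip,
        "cloud.region": region,
    }


# Constructed sample records. User agents approximate the ua/2.0 AWS CLI/SDK
# format and a TruffleHog client; none of these are captured from a real account.
SAMPLE_EVENTS = [
    # 1. Kali AWS CLI, successful identity check: fires on "distrib#kali".
    _rec("aws.cloudtrail", "success", "GetCallerIdentity",
         "aws-cli/2.15.30 md/awscrt#0.19.19 ua/2.0 os/linux#6.6.15-kali1-amd64 "
         "md/arch#x86_64 lang/python#3.11.8 md/distrib#kali.2024.1 "
         "md/command#sts.get-caller-identity",
         "arn:aws:iam::123456789012:user/ci-deploy", "203.0.113.10"),
    # 2. TruffleHog verifying a key that works: fires on "TruffleHog".
    _rec("aws.cloudtrail", "success", "GetCallerIdentity",
         "TruffleHog", "arn:aws:iam::123456789012:user/ci-deploy", "198.51.100.7"),
    # 3. Same tool, but the call was denied: outcome filter suppresses it.
    _rec("aws.cloudtrail", "failure", "ListBuckets",
         "trufflehog/3.63.0", "arn:aws:iam::123456789012:user/old-key", "198.51.100.7"),
    # 4. Ordinary Ubuntu CI runner: no marker, no alert.
    _rec("aws.cloudtrail", "success", "PutObject",
         "aws-cli/2.15.30 ua/2.0 os/linux#6.5.0-1018-aws md/distrib#ubuntu.22",
         "arn:aws:sts::123456789012:assumed-role/ci-runner/build-42", "10.0.4.12"),
    # 5. Kali fingerprint in a non-CloudTrail dataset: dataset filter suppresses it.
    _rec("aws.s3access", "success", "GetObject",
         "Boto3/1.34.0 os/linux#6.6.15-kali1-amd64 md/distrib#kali.2024.1",
         "arn:aws:iam::123456789012:user/ci-deploy", "203.0.113.10"),
    # 6. Lower-case client string on a successful call: fires on "trufflehog".
    _rec("aws.cloudtrail", "success", "GetUser",
         "trufflehog/3.63.0", "arn:aws:iam::123456789012:user/ci-deploy", "198.51.100.7"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Records 3 and 5 are the ones worth dwelling on during tuning: a credential-validation burst from TruffleHog against revoked keys produces only failures and is invisible to this rule, and the fingerprint is not evaluated outside the `aws.cloudtrail` dataset. Note also that both the AWS CLI and botocore let a client override its user agent (botocore's `Config(user_agent=...)` and `user_agent_extra`), so a hit is a useful lead for the triage columns above, and absence of a hit proves nothing.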

Install detection rules in Elastic Security

Detect AWS Suspicious User Agent Fingerprint in the Elastic Security detection engine by installing this rule into your Elastic Stack. Alerts fire only on calls the AWS API accepted, so pair it with your own review of the principal and source address before treating a hit as a compromise.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.