Elastic Security Detection Rules

AWS CLI with Kali Linux Fingerprint Identified

Last updated 10 days ago on 2025-12-15
Created 8 months ago on 2025-04-11

About

Identifies usage of the AWS CLI from a client reporting a user agent string indicating the request was made from a Kali Linux distribution. Kali Linux is commonly used for offensive security testing and adversary tradecraft. While not inherently malicious, AWS CLI activity originating from Kali is uncommon in most production environments and may indicate compromised credentials, unauthorized access, or post-exploitation activity using valid cloud accounts.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS CloudTrailTactic: Initial AccessUse Case: Cloud Threat DetectionLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CKβ„’

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

False Positive Examples
Authorized security assessments, red team exercises, or defensive research activities may involve the use of Kali Linux. Validate whether the IAM principal, source network, and activity scope align with approved testing or security operations. Any Kali-originated activity outside documented security workflows should be investigated.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
any where event.dataset == "aws.cloudtrail"
  and user_agent.name: ("aws-cli", "Boto3")
  and stringContains (user_agent.original, "distrib#kali")
  and event.outcome == "success"

Install detection rules in Elastic Security

Detect AWS CLI with Kali Linux Fingerprint Identified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).