LoFP / Authorized penetration tests, red team exercises, or research activity may originate from Kali Linux. Internal secret-scanning pipelines may run TruffleHog with permission to reach AWS for verification. Validate the IAM principal, source network, change records, and whether the activity matches documented security or DevSecOps workflows.

Techniques

Sample rules

AWS Suspicious User Agent Fingerprint

Description

Identifies successful AWS API calls where the CloudTrail user agent indicates offensive tooling or automated credential verification. This includes the AWS CLI or Boto3 reporting a Kali Linux distribution fingerprint (distrib#kali), and clients that identify as TruffleHog, which is commonly used to validate leaked secrets against live AWS APIs. These patterns are uncommon for routine production workloads and may indicate compromised credentials, unauthorized access, or security tooling operating outside approved scope.

Detection logic

any where event.dataset == "aws.cloudtrail"
  and event.outcome == "success"
  and (
    (
      stringContains(user_agent.original, "distrib#kali")
      or stringContains(user_agent.original, "+kali")
      or stringContains(user_agent.original, "kali-amd64")
      or stringContains(user_agent.original, "kali-arm64")
    ) or (
      stringContains(user_agent.original, "TruffleHog")
      or stringContains(user_agent.original, "trufflehog")
    )
  )
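The following is an added worked example, not part of the rule or the page: it re-implements the user-agent match above as plain Python over a handful of constructed CloudTrail-style records (field names follow the ECS-style paths the EQL uses, plus an assumed `aws.cloudtrail.user_identity.arn` and `source.ip`), and then applies the triage the false-positive note describes: checking whether the matching principal and source network are on an approved list. The allowlisted role ARN and CIDR are hypothetical values chosen for the example, not anything the page states.

```python
"""Added example: the AWS suspicious user-agent match plus analyst triage.

All events below are constructed samples, not real CloudTrail telemetry.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Substrings from the rule's detection logic; matching is plain substring,
# case-sensitive, which is why both TruffleHog casings are listed.
KALI_MARKERS = ("distrib#kali", "+kali", "kali-amd64", "kali-arm64")
TRUFFLEHOG_MARKERS = ("TruffleHog", "trufflehog")

# Hypothetical allowlist an analyst might keep alongside the rule (assumed values).
APPROVED_PRINCIPALS = {"arn:aws:iam::111122223333:role/devsecops-secret-scanner"}
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample records. The user-agent strings are made up to contain
# (or not contain) the markers the rule looks for.
SAMPLE_EVENTS: List[Dict] = [
    {  # Kali CLI fingerprint from an ordinary IAM user on an external address
        "event": {"dataset": "aws.cloudtrail", "outcome": "success"},
        "user_agent": {"original": "aws-cli/2.15.30 md/awscrt#0.19.19 ua/2.0 os/linux#6.6.9-amd64 "
                                   "lang/python#3.11.8 md/distrib#kali md/command#sts.get-caller-identity"},
        "aws": {"cloudtrail": {"user_identity": {"arn": "arn:aws:iam::111122223333:user/alice"}}},
        "source": {"ip": "203.0.113.10"},
    },
    {  # TruffleHog verification from the approved scanner role on the internal network
        "event": {"dataset": "aws.cloudtrail", "outcome": "success"},
        "user_agent": {"original": "aws-sdk-go-v2/1.24.0 os/linux lang/go#1.21 md/GOOS#linux TruffleHog"},
        "aws": {"cloudtrail": {"user_identity": {"arn": "arn:aws:iam::111122223333:role/devsecops-secret-scanner"}}},
        "source": {"ip": "10.20.4.7"},
    },
    {  # Kali fingerprint but the call failed: the rule requires event.outcome == "success"
        "event": {"dataset": "aws.cloudtrail", "outcome": "failure"},
        "user_agent": {"original": "aws-cli/2.15.30 os/linux md/distrib#kali md/command#s3.list-buckets"},
        "aws": {"cloudtrail": {"user_identity": {"arn": "arn:aws:iam::111122223333:user/bob"}}},
        "source": {"ip": "198.51.100.5"},
    },
    {  # Routine workload with no offensive-tooling fingerprint
        "event": {"dataset": "aws.cloudtrail", "outcome": "success"},
        "user_agent": {"original": "aws-cli/2.15.30 os/linux md/distrib#ubuntu md/command#s3.list-buckets"},
        "aws": {"cloudtrail": {"user_identity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"}}},
        "source": {"ip": "10.20.9.1"},
    },
]


def matches_rule(event: Dict) -> Optional[str]:
    """Mirror the EQL: dataset and outcome gates, then the user-agent substrings.

    Returns "kali", "trufflehog", or None when the event would not fire.
    """
    ev = event.get("event", {})
    if ev.get("dataset") != "aws.cloudtrail" or ev.get("outcome") != "success":
        return None
    ua = event.get("user_agent", {}).get("original", "")
    if any(marker in ua for marker in KALI_MARKERS):
        return "kali"
    if any(marker in ua for marker in TRUFFLEHOG_MARKERS):
        return "trufflehog"
    return None


def triage(event: Dict) -> Dict:
    """Apply the false-positive checks: is the principal and source network approved?

    A hit from an allowlisted principal on an allowlisted network is still flagged
    for a change-record check rather than dropped silently.
    """
    tag = matches_rule(event)
    if tag is None:
        return {"match": None, "verdict": "no_alert"}
    arn = event.get("aws", {}).get("cloudtrail", {}).get("user_identity", {}).get("arn", "")
    src = event.get("source", {}).get("ip")
    on_approved_net = False
    if src:
        try:
            on_approved_net = any(ipaddress.ip_address(src) in net for net in APPROVED_NETWORKS)
        except ValueError:  # malformed address: treat as not approved
            on_approved_net = False
    approved_principal = arn in APPROVED_PRINCIPALS
    verdict = "review_change_record" if (approved_principal and on_approved_net) else "escalate"
    return {"match": tag, "principal": arn, "source_ip": src,
            "approved_principal": approved_principal,
            "approved_network": on_approved_net, "verdict": verdict}


def run(events: Iterable[Dict]) -> List[Dict]:
    """Return triage results only for events that would fire the rule."""
    return [r for r in (triage(e) for e in events) if r["match"] is not None]


if __name__ == "__main__":
    for result in run(SAMPLE_EVENTS):
        print(result)
```

Running the block prints two results: the Kali-fingerprinted call from the ordinary user is escalated, while the TruffleHog call from the approved scanner role on the internal CIDR is routed to a change-record check; the failed call and the Ubuntu CLI call never fire, exactly as the EQL gates would decide.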