LoFP

Authorized security assessments, red team exercises, or defensive research activities may involve the use of Kali Linux. Validate whether the IAM principal, source network, and activity scope align with approved testing or security operations. Any Kali-originated activity outside documented security workflows should be investigated.

Techniques

Sample rules

AWS CLI with Kali Linux Fingerprint Identified

Description

Identifies usage of the AWS CLI from a client reporting a user agent string indicating the request was made from a Kali Linux distribution. Kali Linux is commonly used for offensive security testing and adversary tradecraft. While not inherently malicious, AWS CLI activity originating from Kali is uncommon in most production environments and may indicate compromised credentials, unauthorized access, or post-exploitation activity using valid cloud accounts.

Detection logic

any where event.dataset == "aws.cloudtrail"
  and user_agent.name: ("aws-cli", "Boto3")
  and stringContains (user_agent.original, "distrib#kali")
  and event.outcome == "success"
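The rule's four conditions and the triage guidance from the false-positive note, applied to constructed CloudTrail-style events in Python as an added example (not code from the LoFP page or from Elastic's rule repository). It assumes flattened ECS field names matching the query above; the principals, networks and user-agent strings are constructed.

```python
# Added example (not from the LoFP page or Elastic's rule repository): applies the
# rule's four conditions to flattened ECS-style CloudTrail records, then the
# false-positive note's triage (approved IAM principal AND approved network).
# All principals, networks, user agents and events below are constructed.
import ipaddress

ASSESSOR = "arn:aws:iam::123456789012:user/assessor"          # constructed
APPROVED_PRINCIPALS = {ASSESSOR}
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed

def matches_rule(ev: dict) -> bool:
    """Mirror of the EQL: CloudTrail dataset, aws-cli/Boto3 client,
    'distrib#kali' in the raw user agent, successful API call."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("user_agent.name") in ("aws-cli", "Boto3")
            and "distrib#kali" in ev.get("user_agent.original", "")
            and ev.get("event.outcome") == "success")

def triage(ev: dict) -> str:
    """'no-match', 'approved-testing' (principal and source both allow-listed)
    or 'investigate' (Kali-originated activity outside documented scope)."""
    if not matches_rule(ev):
        return "no-match"
    try:
        src = ipaddress.ip_address(ev.get("source.ip", ""))
    except ValueError:  # missing or malformed source address: never auto-approve
        return "investigate"
    if ev.get("user.id") in APPROVED_PRINCIPALS and any(src in n for n in APPROVED_NETWORKS):
        return "approved-testing"
    return "investigate"

def make_event(outcome, ua, principal, ip):
    """Flattened ECS-style CloudTrail record (constructed test data)."""
    return {"event.dataset": "aws.cloudtrail", "event.outcome": outcome,
            "user_agent.name": "aws-cli", "user_agent.original": ua,
            "user.id": principal, "source.ip": ip}

# User agents approximate aws-cli v2's "md/distrib#<os-release id>" tag;
# real strings vary by version, so match on the substring, not the whole value.
KALI_UA = "aws-cli/2.15.0 ua/2.0 os/linux#6.6.9-kali1-amd64 md/distrib#kali.2024"
UBUNTU_UA = "aws-cli/2.15.0 ua/2.0 os/linux#6.5.0-generic md/distrib#ubuntu.22.04"
SAMPLE_EVENTS = [
    make_event("success", KALI_UA, ASSESSOR, "203.0.113.7"),               # in scope
    make_event("success", KALI_UA, "arn:aws:iam::123456789012:user/app", "198.51.100.9"),
    make_event("failure", KALI_UA, ASSESSOR, "203.0.113.7"),               # rule needs success
    make_event("success", UBUNTU_UA, ASSESSOR, "203.0.113.7"),             # not Kali
]

def run(events=SAMPLE_EVENTS) -> list:
    return [triage(ev) for ev in events]
```

`run()` yields one verdict per sample event, in order: the assessor from the approved network is expected activity, the unknown principal from an unknown network is flagged, and the failed call and the Ubuntu client never match the rule.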