LoFP / While rare, legitimate users or red teamers may use Kali Linux for security assessments. Confirm the identity of the user, their purpose, and whether the activity was authorized.

Techniques

Sample rules

AWS CLI with Kali Linux Fingerprint Identified

Description

Identifies use of the AWS CLI (or the Boto3 SDK, which the detection logic also matches) with a user-agent string containing distrib#kali, which indicates the request was made from a Kali Linux distribution. This may indicate offensive security tooling or unauthorized use of the AWS CLI from a potentially adversarial environment.

Detection logic

event.dataset: "aws.cloudtrail" and user_agent.original: (aws-cli*distrib#kali* or Boto3*distrib#kali*)
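The query above applied to CloudTrail events outside the SIEM, as an added example that is not part of the original rule: the two KQL wildcard patterns are evaluated with `fnmatch`, and each hit is reduced to the fields an analyst needs for the false-positive check (who, from where, doing what). The ECS field names come from the rule; the sample events and user-agent strings are constructed, and the authorized-assessment allowlist is a hypothetical triage aid.

```python
import fnmatch
import json

# Wildcard patterns copied from the rule's detection logic (KQL-style globs).
USER_AGENT_PATTERNS = ("aws-cli*distrib#kali*", "Boto3*distrib#kali*")

# Hypothetical allowlist of principals known to run authorized assessments.
AUTHORIZED_ASSESSMENT_USERS = {"pentest-contractor"}


def matches_rule(event: dict) -> bool:
    """Return True if an ECS-shaped CloudTrail event satisfies the rule."""
    if event.get("event", {}).get("dataset") != "aws.cloudtrail":
        return False
    ua = event.get("user_agent", {}).get("original", "")
    # fnmatchcase: '*' matches any run of characters, comparison is case-sensitive
    return any(fnmatch.fnmatchcase(ua, p) for p in USER_AGENT_PATTERNS)


def triage(events: list) -> list:
    """Return the triage view of every matching event: identity, source,
    action and whether the principal is on the authorized-assessment list."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        user = ev.get("user", {}).get("name")
        hits.append({
            "user": user,
            "source_ip": ev.get("source", {}).get("ip"),
            "action": ev.get("event", {}).get("action"),
            "user_agent": ev["user_agent"]["original"],
            "known_assessment_user": user in AUTHORIZED_ASSESSMENT_USERS,
        })
    return hits


# Constructed sample events (values are made up; ECS field names follow the rule).
SAMPLE_EVENTS = [
    {"event": {"dataset": "aws.cloudtrail", "action": "GetCallerIdentity"},
     "user": {"name": "pentest-contractor"}, "source": {"ip": "203.0.113.10"},
     "user_agent": {"original": "aws-cli/2.15.0 ua/2.0 os/linux#6.6.9-amd64 md/distrib#kali.2024 md/command#sts.get-caller-identity"}},
    {"event": {"dataset": "aws.cloudtrail", "action": "ListBuckets"},
     "user": {"name": "ci-deploy"}, "source": {"ip": "198.51.100.5"},
     "user_agent": {"original": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux#6.6.9-amd64 md/distrib#kali.2024"}},
    {"event": {"dataset": "aws.cloudtrail", "action": "ListBuckets"},  # other distro: no hit
     "user": {"name": "ci-deploy"}, "source": {"ip": "198.51.100.5"},
     "user_agent": {"original": "aws-cli/2.15.0 ua/2.0 os/linux#6.5.0 md/distrib#ubuntu.22"}},
    {"event": {"dataset": "aws.s3access", "action": "GetObject"},  # wrong dataset: no hit
     "user": {"name": "web"}, "source": {"ip": "192.0.2.7"},
     "user_agent": {"original": "aws-cli/2.15.0 md/distrib#kali.2024"}},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(json.dumps(hit))
```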