AWS Suspicious User Agent Detected in CloudTrail
Successful AWS API calls with CloudTrail user agents indicating offensive tooling (Kali Linux) or credential verification (TruffleHog) can indicate compromised credentials or unauthorized access.
This threat brief focuses on detecting suspicious user agents within AWS CloudTrail logs, specifically those indicating the use of Kali Linux or TruffleHog. The presence of "distrib#kali" or "TruffleHog" in the user agent string of successful AWS API calls is flagged as anomalous behavior. Kali Linux is a penetration testing distribution, and its use within a standard AWS environment warrants investigation. TruffleHog is a tool used to find, and often validate, leaked credentials, suggesting potential compromise. This activity can indicate compromised credentials, unauthorized access, or security tooling operating outside approved scope. This detection is based on successful API calls, meaning credentials have already been validated.
Attack Chain
- An attacker obtains valid AWS credentials, possibly through credential stuffing, phishing, or exposed secrets.
- The attacker configures the AWS CLI or Boto3 on a Kali Linux instance.
- Alternatively, the attacker runs TruffleHog against a target AWS environment.
- The attacker uses the AWS CLI/Boto3 with Kali to make API calls or TruffleHog to validate keys.
- CloudTrail logs the API calls, capturing the user agent string including "distrib#kali" or "TruffleHog".
- The attacker performs actions such as enumerating resources (e.g.,
ListBuckets,DescribeInstances). - The attacker may attempt privilege escalation (e.g.,
CreateRole,AttachRolePolicy) or data access. - The attacker achieves their objective: data exfiltration, resource compromise, or denial of service.
Impact
A successful attack exploiting these techniques can lead to unauthorized access to sensitive data, compromise of critical AWS resources, and potential disruption of services. While no specific victim counts or sectors are mentioned in the source, the impact depends on the permissions associated with the compromised AWS credentials and the attacker's goals. The severity ranges from reconnaissance and data leakage to full-scale infrastructure compromise.
Recommendation
- Deploy the Sigma rule "AWS Suspicious User Agent - Kali Linux" to detect AWS API calls originating from Kali Linux environments (see rules section).
- Deploy the Sigma rule "AWS Suspicious User Agent - TruffleHog" to detect AWS API calls made with TruffleHog user agents (see rules section).
- Investigate any alerts generated by these rules, focusing on the IAM principal, source network, and API actions taken.
- Review the "False positive analysis" section of the original rule to reduce noise.
- Monitor CloudTrail logs for unusual activity following the detection of a suspicious user agent.
- Implement guardrails or conditional access controls (such as source IP restrictions or MFA enforcement) for sensitive IAM principals.
Detection coverage 2
AWS Suspicious User Agent - Kali Linux
mediumDetects AWS API calls originating from Kali Linux based on the user agent string in CloudTrail logs.
AWS Suspicious User Agent - TruffleHog
mediumDetects AWS API calls made with a TruffleHog user agent string in CloudTrail logs, indicating potential credential validation activity.
Detection queries are available on the platform. Get full rules →