From ae5ecd5346d32853af6eb39fddbc8983bf4c1473 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Fri, 3 Apr 2026 11:50:28 -0400
Subject: [PATCH] [Rule Tuning] AWS suspicious user agents (TruffleHog, Kali CLI/Boto3) (#5902)
* Expand AWS CloudTrail user-agent rule for TruffleHog and Kali
- Rename rule file to initial_access_suspicious_user_agent_detected_in_cloudtrail.toml
- Rule name: AWS Suspicious User Agent Fingerprint
- Match TruffleHog in user_agent.original (successful API calls)
- Retain Kali Linux distrib#kali fingerprint for aws-cli/Boto3
- Refresh narrative and references (incl. Kudelski Trivy supply-chain analysis)
Same rule_id f80ea920-f6f5-4c8a-9761-84ac97ec0cb2.
Made-with: Cursor
* Apply suggestion from @terrancedejesus
---
 ...us_user_agent_detected_in_cloudtrail.toml} | 86 ++++++++++++-------
 1 file changed, 55 insertions(+), 31 deletions(-)
 rename rules/integrations/aws/{initial_access_kali_user_agent_detected_with_aws_cli.toml => initial_access_suspicious_user_agent_detected_in_cloudtrail.toml} (52%)
diff --git a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml b/rules/integrations/aws/initial_access_suspicious_user_agent_detected_in_cloudtrail.toml
similarity index 52%
rename from rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml
rename to rules/integrations/aws/initial_access_suspicious_user_agent_detected_in_cloudtrail.toml
index 5b330a552..430d1bcaf 100644
--- a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml
+++ b/rules/integrations/aws/initial_access_suspicious_user_agent_detected_in_cloudtrail.toml
@@ -2,67 +2,81 @@ creation_date = "2025/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/03/31"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies usage of the AWS CLI from a client reporting a user agent string indicating the request was made from a Kali
-Linux distribution. Kali Linux is commonly used for offensive security testing and adversary tradecraft. While not
-inherently malicious, AWS CLI activity originating from Kali is uncommon in most production environments and may
-indicate compromised credentials, unauthorized access, or post-exploitation activity using valid cloud accounts.
+Identifies successful AWS API calls where the CloudTrail user agent indicates offensive tooling or automated credential
+verification. This includes the AWS CLI or Boto3 reporting a Kali Linux distribution fingerprint (`distrib#kali`), and
+clients that identify as TruffleHog, which is commonly used to validate leaked secrets against live AWS APIs. These
+patterns are uncommon for routine production workloads and may indicate compromised credentials, unauthorized access, or
+security tooling operating outside approved scope.
 """
 false_positives = [
 """
- Authorized security assessments, red team exercises, or defensive research activities may involve the use of Kali
- Linux. Validate whether the IAM principal, source network, and activity scope align with approved testing or
- security operations. Any Kali-originated activity outside documented security workflows should be investigated.
+ Authorized penetration tests, red team exercises, or research activity may originate from Kali Linux. Internal
+ secret scanning pipelines may run TruffleHog with permission to reach AWS for verification. Validate the IAM
+ principal, source network, change records, and whether the activity matches documented security or DevSecOps
+ workflows.
""", ] from = "now-6m" index = ["logs-aws.cloudtrail-*"] language = "eql" license = "Elastic License v2" -name = "AWS CLI with Kali Linux Fingerprint Identified" +name = "AWS Suspicious User Agent Fingerprint" note = """## Triage and Analysis -### Investigating AWS CLI with Kali Linux Fingerprint Identified +### Investigating AWS Suspicious User Agent Fingerprint -AWS CloudTrail captures the user agent string for API requests, which can provide insight into the operating system and tooling used. The presence of `distrib#kali` strongly suggests the AWS CLI was executed from a Kali Linux environment. Kali is widely used for penetration testing, red teaming, and adversarial operations, making its appearance in AWS API telemetry noteworthy, especially when associated with sensitive actions or unexpected identities. +AWS CloudTrail records the user agent string for API requests, which can reveal the OS distribution and client tooling. +Two high-signal patterns this rule covers are: -This detection focuses on successful AWS CLI activity and should be evaluated in the context of who performed the action, what was accessed or modified, and where the request originated. +- **Kali Linux fingerprint** — When the AWS CLI or Boto3 reports `distrib#kali`, the request likely came from a Kali + environment. Kali is widely used for penetration testing and adversarial tradecraft, so this is worth correlating with + identity, network context, and sensitivity of API actions. +- **TruffleHog** — TruffleHog identifies itself in the user agent when verifying whether recovered credentials are still + valid. Observing it against your account may indicate leaked keys are being tested, including through supply-chain or + secret-scanning abuse by a third party. + +This detection focuses on **successful** API activity. Evaluate who performed the action, what was accessed or modified, +and whether the source and tooling align with expectations. 
### Possible investigation steps **Identify the actor** - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which IAM principal was used. -- Check whether this principal normally interacts with AWS via CLI tooling and whether Kali Linux usage is expected. +- Check whether this principal normally uses CLI/SDK clients and whether Kali or TruffleHog is ever expected for their role. **Review access patterns and actions** -- Examine the API calls associated with this user agent for high-risk activity such as IAM changes, data access, snapshot - sharing, logging modification, or persistence-related actions. +- Examine API calls associated with the matched user agent for high-risk activity such as IAM changes, data access, + snapshot sharing, logging modification, or persistence-related actions. - Look for sequences indicating initial access or expansion, such as `GetSessionToken`, `AssumeRole`, or privilege escalation attempts. -- Determine whether the activity scope aligns with the role’s intended permissions and business function. +- Determine whether the activity scope aligns with the principal’s intended permissions and business function. **Inspect source network and tooling context** - Review `source.ip`, `source.geo` fields, and ASN to determine whether the request originated from an expected corporate - network, VPN, or known security testing infrastructure. -- Analyze `user_agent.original` to confirm CLI usage and identify automation versus interactive usage. -- Sudden shifts from console-based access to CLI usage from Kali may indicate credential compromise. + network, VPN, CI/CD egress, or known security testing infrastructure. +- Analyze `user_agent.original` to confirm which pattern matched (`distrib#kali` vs `TruffleHog`) and whether usage looks + interactive, scripted, or scanner-driven. 
+- Sudden shifts from console-based access to CLI from an offensive distribution, or first-time TruffleHog against the + account, may indicate credential compromise or unauthorized scanning. **Correlate with surrounding activity** - Search for additional CloudTrail events tied to the same access key or session before and after this detection. -- Look for evidence of follow-on actions such as resource creation, configuration changes, or attempts to disable logging and monitoring services. +- Look for evidence of follow-on actions such as resource creation, configuration changes, or attempts to disable logging + and monitoring services. - Assess whether the activity represents a single isolated request or part of a broader behavioral chain. ### False positive analysis -- Internal red team or security testing activity may legitimately generate Kali-based AWS CLI traffic. Confirm scope, - timing, and authorization with security leadership. -- Compare against historical behavior for the same IAM principal to determine whether Kali usage is a deviation from - baseline access patterns. +- Internal red team or authorized assessments may produce Kali-based AWS CLI or SDK traffic. Confirm scope, timing, and + authorization. +- Organizational use of TruffleHog in CI to validate rotated keys or scan artifacts may generate this signal; restrict + exceptions to known roles, repositories, and egress IPs where possible. ### Response and remediation 
@@ -77,13 +91,15 @@ This detection focuses on successful AWS CLI activity and should be evaluated in
 sensitive IAM principals.
 ### Additional information
-- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
-- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
 - **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
 """
 references = [
 "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html",
 "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/",
+ "https://trufflesecurity.com/blog/trufflehog-in-your-logs",
+ "https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise",
 ]
 risk_score = 47
 rule_id = "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2"
@@ -102,9 +118,18 @@ type = "eql"
 query = '''
 any where event.dataset == "aws.cloudtrail"
- and user_agent.name: ("aws-cli", "Boto3")
- and stringContains (user_agent.original, "distrib#kali")
 and event.outcome == "success"
+ and (
+ (
+ stringContains(user_agent.original, "distrib#kali")
+ or stringContains(user_agent.original, "+kali")
+ or stringContains(user_agent.original, "kali-amd64")
+ or stringContains(user_agent.original, "kali-arm64")
+ ) or (
+ stringContains(user_agent.original, "TruffleHog")
+ or stringContains(user_agent.original, "trufflehog")
+ )
+ )
 '''
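Review bot: The new condition drops the former `user_agent.name: ("aws-cli", "Boto3")` guard, so the four Kali substrings now match any client string, and the fact that both `TruffleHog` and `trufflehog` are listed shows the rule is relying on case-sensitive `stringContains`, which still misses other casings such as `Trufflehog`; where the target stack supports the case-insensitive form, a single `stringContains~(user_agent.original, "trufflehog")` clause closes that gap. Kali kernel release strings typically carry a revision between the distro name and the architecture (for example `6.1.0-kali7-amd64`), so the literal `kali-amd64` and `kali-arm64` substrings would not match them — worth confirming the intended source of those two patterns against real CloudTrail samples before relying on them. Keeping `event.outcome == "success"` means a TruffleHog verification attempt with an already-revoked key will not surface; a comment above `query` such as `# Successful calls only: failed verification of dead keys is intentionally out of scope` would make that trade-off explicit for future tuning.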
@@ -152,8 +177,8 @@ field_names = [
 "aws.cloudtrail.user_identity.arn",
 "aws.cloudtrail.user_identity.type",
 "aws.cloudtrail.user_identity.access_key_id",
- "aws.cloudtrail.resources.arn",
- "aws.cloudtrail.resources.type",
+ "aws.cloudtrail.resources.arn",
+ "aws.cloudtrail.resources.type",
 "event.action",
 "event.outcome",
 "cloud.account.id",
@@ -161,4 +186,3 @@ field_names = [
 "aws.cloudtrail.request_parameters",
 "aws.cloudtrail.response_elements"
 ]
-