Detectionhightest

HackTool - TruffleSnout Execution

Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sat Aug 20Updated Mon Feb 1369ca006d-b9a9-47f5-80ff-ecd4d25d481awindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - OriginalFileName: 'TruffleSnout.exe'
        - Image|endswith: '\TruffleSnout.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0007 · Discovery

Techniques

T1482 · Domain Trust Discovery

Rule Metadata

Rule ID

69ca006d-b9a9-47f5-80ff-ecd4d25d481a

Status

test

Level

high

Type

Detection

Created

Sat Aug 20

Modified

Mon Feb 13

Author

François Hubaut

Path

rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml

Raw Tags

attack.discoveryattack.t1482

View on GitHub