Detection | medium | experimental

AWS STS GetCallerIdentity Enumeration Via TruffleHog

Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.

Author: Adan Alvarez
Created: Sun Oct 12
Rule ID: 9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d
Category: cloud
Log Source
Product: AWS (raw: aws)
Service: CloudTrail (raw: cloudtrail)
Detection Logic (1 selector)
detection:
    selection:
        eventSource: 'sts.amazonaws.com'
        eventName: 'GetCallerIdentity'
        userAgent|contains: 'TruffleHog'
    condition: selection
False Positives

Legitimate internal security scanning or key validation that intentionally uses TruffleHog. Authorize and filter known scanner roles, IP ranges, or assumed roles as needed.
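To show how the selection block above behaves on real-shaped input, and how the allowlisting suggested under False Positives fits in front of it, here is an added example that is not part of the Sigma rule or the Phoenix Studio page. The CloudTrail records and the SecretScannerRole ARN prefix are constructed sample data.

```python
import json

# Constructed CloudTrail records (sample data, not a real log) in the shape
# of a CloudTrail log file: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userAgent": "TruffleHog", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-ci-user"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userAgent": "trufflehog/3.63.0", "sourceIPAddress": "10.0.5.21",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/SecretScannerRole/scan-1"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userAgent": "TruffleHog", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/leaked-ci-user"}},
]})

# Hypothetical allowlist: ARN prefixes of roles authorised to run TruffleHog
# internally, i.e. the false-positive filter the rule page recommends.
ALLOWED_ARN_PREFIXES = ("arn:aws:sts::123456789012:assumed-role/SecretScannerRole/",)


def selection_matches(event: dict) -> bool:
    """The rule's 'selection' block: all three fields must match (implicit AND).
    Sigma string matching is case-insensitive, so both sides are lower-cased;
    '|contains' is a substring test rather than equality."""
    return (event.get("eventSource", "").lower() == "sts.amazonaws.com"
            and event.get("eventName", "").lower() == "getcalleridentity"
            and "trufflehog" in event.get("userAgent", "").lower())


def is_allowlisted(event: dict) -> bool:
    arn = event.get("userIdentity", {}).get("arn", "")
    return arn.startswith(ALLOWED_ARN_PREFIXES)


def run_rule(log_text: str, apply_allowlist: bool = True) -> list:
    """Evaluate the rule over a CloudTrail log file; return the fields an
    analyst needs to triage each hit (principal, source IP, user agent)."""
    hits = []
    for ev in json.loads(log_text)["Records"]:
        if selection_matches(ev) and not (apply_allowlist and is_allowlisted(ev)):
            hits.append({"arn": ev["userIdentity"]["arn"],
                         "sourceIPAddress": ev["sourceIPAddress"],
                         "userAgent": ev["userAgent"]})
    return hits
```

Only the leaked-ci-user record survives: the aws-cli call fails the userAgent test, the ec2 call fails eventSource/eventName, and the internal scanner role is filtered by the allowlist.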

MITRE ATT&CK
Tactic: Discovery
Technique: T1087.004 (Account Discovery: Cloud Account)
Rule Metadata
Rule ID
9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d
Status
experimental
Level
medium
Type
Detection
Created
Sun Oct 12
Path
rules/cloud/aws/cloudtrail/aws_sts_getcalleridentity_trufflehog.yml
Raw Tags
attack.discovery, attack.t1087.004