Detectionmediumexperimental

PUA - AWS TruffleHog Execution

Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Tue Oct 21a840e606-7c8c-4684-9bc1-eb6b6155127fcloud

Log Source

AWScloudtrail

ProductAWS← raw: aws

Servicecloudtrail← raw: cloudtrail

Detection Logic

detection:
    selection:
        userAgent: 'TruffleHog'
    condition: selection

False Positives

Legitimate use of TruffleHog by security teams for credential scanning.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Techniques

T1555 · Credentials from Password Stores T1003 · OS Credential Dumping

Rule Metadata

Rule ID

a840e606-7c8c-4684-9bc1-eb6b6155127f

Status

experimental

Level

medium

Type

Detection

Created

Tue Oct 21

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/cloud/aws/cloudtrail/aws_cloudtrail_pua_trufflehog.yml

Raw Tags

attack.credential-accessattack.t1555attack.t1003

View on GitHub