Credential Access via TruffleHog Execution
This rule detects execution of TruffleHog, an open-source secret scanner that searches files and code repositories for high-entropy strings and credentials; on an endpoint this may indicate an attempt to access credentials. The query is deliberately narrow: it matches only the `filesystem` scan mode run with `--results=verified` and `--json`, the invocation abused by the Shai-Hulud worm to search for credentials. Because TruffleHog is also a legitimate tool routinely run by security teams and developers, a hit is a lead to triage (who ran it, from what parent process, on what kind of host), not a confirmed compromise.
# Rule metadata consumed by the Elastic detection-rules tooling.
[metadata]
# Dates follow the repo's "YYYY/MM/DD" string convention (not RFC 3339), so
# they cannot be expressed as native TOML dates; keep them as strings.
creation_date = "2025/09/18"
# Ties the rule to the Elastic Defend ("endpoint") integration that produces
# the logs-endpoint.events.process-* index the rule queries.
integration = ["endpoint"]
maturity = "production"
# Equal to creation_date here, which suggests no revision since first publication.
updated_date = "2025/09/18"

# The detection rule itself. Key order follows the detection-rules repo
# convention (alphabetical, with query last); preserve it when editing.
[rule]
author = ["Elastic"]
description = """
This rule detects the execution of TruffleHog, a tool used to search for high-entropy strings and secrets
in code repositories, which may indicate an attempt to access credentials. This tool was abused by the Shai-Hulud
worm to search for credentials in code repositories.
"""
# TruffleHog is dual-use: the query cannot tell an authorized secret scan from
# an attacker's. Triage should establish who launched it (user, parent process,
# host role) instead of treating a hit as confirmed malicious activity.
false_positives = [
    """
    Trufflehog is a legitimate open-source tool used by security professionals and developers to search for sensitive
    information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed
    during security assessments and code reviews to identify potential vulnerabilities.
    """,
]
# Lookback window, evaluated against event.ingested (see timestamp_override) so
# endpoint events that arrive late are still considered. Presumably sized to
# overlap the scheduling interval, which is not shown here -- confirm.
from = "now-9m"
# Elastic Defend process events; consistent with integration = ["endpoint"] in metadata.
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Credential Access via TruffleHog Execution"
references = ["https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise"]
# Low score/severity on purpose: the tool is legitimate and widely used, so
# this is a lead to investigate rather than a high-confidence alert.
risk_score = 21
rule_id = "47595dea-452b-4d37-b82d-6dd691325139"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend"
]
# Page through the lookback window by ingest time rather than event time.
timestamp_override = "event.ingested"
type = "eql"
# What the query pins down:
#  - process.name with ":" is a case-insensitive match on the binary name, so a
#    renamed or copied binary is not caught (accepted: keeps false positives low).
#  - Each process.args == "..." clause is a membership test over the args array,
#    so all three tokens must be present, in any order: the `filesystem` scan
#    source, verified-only results and JSON output. That is the invocation the
#    rule attributes to Shai-Hulud (see references). Other TruffleHog scan
#    sources, result filters (e.g. a different --results value) or output flags
#    do not match, so this is not a general "TruffleHog ran" detection.
query = '''
process where event.type == "start" and process.name : ("trufflehog.exe", "trufflehog") and
process.args == "--results=verified" and process.args == "--json" and process.args == "filesystem"
'''

# ATT&CK mapping for the rule. The "Tactic: Credential Access" tag in the rule
# table should stay in sync with rule.threat.tactic below.
[[rule.threat]]
framework = "MITRE ATT&CK"

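# TruffleHog scans files for embedded secrets. That activity is "Credentials In
# Files" under Unsecured Credentials, not OS Credential Dumping (T1003), which
# covers extraction of OS credential material (LSASS, SAM, NTDS and similar).
# Mapped accordingly so the rule is counted under the right technique in
# ATT&CK coverage views.
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
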
# NOTE(review): T1555 covers credential managers, keychains and browser or
# password-manager stores. A filesystem secret scan touches those only
# indirectly (when such a store sits in plaintext on disk); confirm this mapping
# is intended rather than T1552 (Unsecured Credentials), which describes secrets
# left in files and matches what TruffleHog finds.
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

# Credential Access is the tactic for every technique listed in this threat
# entry; it matches the "Tactic: Credential Access" tag in the rule table.
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"