Credential Access via TruffleHog Execution
This rule detects the execution of TruffleHog, a tool used to search for high-entropy strings and secrets in code repositories, which may indicate an attempt to access credentials. This tool was abused by the Shai-Hulud worm to search for credentials in code repositories.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/09/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/10/06"

[rule]
author = ["Elastic"]
description = """
This rule detects the execution of TruffleHog, a tool used to search for high-entropy strings and secrets
in code repositories, which may indicate an attempt to access credentials. This tool was abused by the Shai-Hulud
worm to search for credentials in code repositories.
"""
false_positives = [
    """
    Trufflehog is a legitimate open-source tool used by security professionals and developers to search for sensitive
    information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed
    during security assessments and code reviews to identify potential vulnerabilities.
    """,
]
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Credential Access via TruffleHog Execution"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Credential Access via TruffleHog Execution

This rule flags TruffleHog executed to scan the local filesystem with verified JSON results, a direct path to harvesting secrets from source code, configs, and build artifacts. Attackers gain shell access on a developer workstation or CI runner, clone or point to internal repositories, run 'trufflehog --results=verified --json filesystem .' to enumerate valid tokens, and then pivot using the recovered keys to pull private code or authenticate to cloud and CI/CD systems.

### Possible investigation steps

- Review binary path, code signature/hash, parent process chain, initiating user, and host role (developer workstation vs CI runner) to quickly decide if the execution matches an approved secret-scanning job or an ad-hoc run.
- Determine the working directory and target path used by the scan to identify which repositories or configuration directories were inspected and whether sensitive files (e.g., .env, deployment keys, build secrets) were in scope.
- Pivot to same-session activity to spot credential use or exfiltration by correlating subsequent outbound connections to git remotes or cloud/CI APIs and launches of developer CLIs like git, gh, aws, az, gcloud, docker, kubectl, or vault.
- Look for output artifacts and exfil channels by checking for creation or deletion of JSON reports or archives, clipboard access, or piping of results to curl/wget/netcat and whether those artifacts were emailed or uploaded externally.
- Cross-check VCS and CI/CD audit logs for this identity and host for unusual pushes, pipeline changes, or new tokens issued shortly after the scan, which may indicate worm-like propagation or credential abuse.

### False positive analysis

- An approved secret-scanning task by a developer or security engineer runs trufflehog with --results=verified --json filesystem to audit local code and configuration, producing benign activity on a development host.
- An internal automation or scheduled job invokes trufflehog to baseline filesystem secrets for compliance or hygiene checks, leading to expected process-start logs without credential abuse.

### Response and remediation

- Immediately isolate the host or CI runner, terminate the trufflehog process and its parent shell/script, and block egress to git remotes and cloud APIs from that asset.
- Collect the verified findings from trufflehog output (stdout or JSON file), revoke and rotate any listed secrets (GitHub personal access tokens, AWS access keys, Azure service principal credentials, CI job tokens), and clear credential caches on the host.
- Remove unauthorized trufflehog binaries/packages, helper scripts, and scheduled tasks; delete report files and scanned working directories (local repo clones, .env/config folders), and purge shell history containing exfil commands like curl/wget/netcat.
- Restore the workstation or runner from a known-good image if tampering is suspected, re-enroll endpoint protection, reissue required developer or CI credentials with least privilege, and validate normal pulls to internal git and cloud services.
- Escalate to full incident response if trufflehog ran under a service account, on a build server/CI runner, or if any discovered secret was used to authenticate to external git remotes (e.g., github.com), cloud APIs, or private registries in the same session.
- Harden by blocking unapproved trufflehog execution via application control, moving approved secret scanning to a locked-down pipeline, enforcing short-lived PATs and key rotation, enabling egress filtering from developer hosts/runners, and deploying fleet-wide detections for "trufflehog --results=verified --json filesystem".
"""
references = ["https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise"]
risk_score = 21
rule_id = "47595dea-452b-4d37-b82d-6dd691325139"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and process.name : ("trufflehog.exe", "trufflehog") and
  process.args == "--results=verified" and process.args == "--json" and process.args == "filesystem"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
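The query fires only when a process named exactly trufflehog or trufflehog.exe (the `:` operator is case-insensitive) starts with all three of `--results=verified`, `--json` and `filesystem` present as separate argv elements; EQL's `==` on the array-valued process.args field is true when any element matches, so order does not matter. The Python below is an added example, not part of Elastic's rule or its tests: it mirrors the EQL predicate over constructed ECS-style process events so you can see which invocations fire and which close variants (a broadened `--results` value, the value passed as a separate argument, the older `--only-verified` spelling, a `git` source against a local clone, or a renamed binary) fall outside the rule. The event shape built by `make_event` is an assumption for illustration, modelled on how Elastic Defend populates process.name and process.args.

```python
"""
Added example (not Elastic's code): a Python mirror of the rule's EQL predicate,
run over constructed process-start events to show what does and does not match.
"""
from typing import Dict, List, Tuple

# The three argv elements the rule requires. In EQL, `process.args == "x"` on the
# array-valued args field is true when ANY element equals "x", so order is
# irrelevant, but each value must appear as its own exact argv element.
REQUIRED_ARGS = ("--results=verified", "--json", "filesystem")
# process.name : ("trufflehog.exe", "trufflehog") is a case-insensitive match.
WATCHED_NAMES = ("trufflehog", "trufflehog.exe")


def matches_rule(event: Dict) -> bool:
    """Python equivalent of the rule's EQL `process where ...` predicate."""
    if event.get("event", {}).get("type") != "start":
        return False
    process = event.get("process", {})
    if process.get("name", "").lower() not in WATCHED_NAMES:
        return False
    args = process.get("args") or []
    return all(required in args for required in REQUIRED_ARGS)


def make_event(argv: List[str], event_type: str = "start") -> Dict:
    """Constructed ECS-style event (an assumption for illustration): process.name is
    the executable basename and process.args the full argv, as the endpoint agent
    reports them. Handles both / and \\ path separators."""
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1]
    return {
        "event": {"type": event_type},
        "process": {"name": exe, "args": list(argv), "command_line": " ".join(argv)},
    }


# Constructed sample invocations. The first three should fire; the rest should not.
SAMPLE_EVENTS: List[Tuple[str, Dict]] = [
    ("shai-hulud style",
     make_event(["trufflehog", "--results=verified", "--json", "filesystem", "."])),
    ("reordered args",
     make_event(["/usr/local/bin/trufflehog", "filesystem", "/home/dev/repos",
                 "--json", "--results=verified"])),
    ("windows binary, mixed case",
     make_event(["C:\\Tools\\TruffleHog.exe", "--results=verified", "--json",
                 "filesystem", "C:\\src"])),
    # Broadened filter: the argv element is "--results=verified,unknown", not an exact match.
    ("results=verified,unknown",
     make_event(["trufflehog", "--results=verified,unknown", "--json", "filesystem", "."])),
    # Value passed as its own element ("--results", "verified"): no element equals the flag+value form.
    ("space-separated results",
     make_event(["trufflehog", "--results", "verified", "--json", "filesystem", "."])),
    # Older spelling of the same filter.
    ("only-verified flag",
     make_event(["trufflehog", "--only-verified", "--json", "filesystem", "."])),
    # git source against a local clone instead of the filesystem source.
    ("git source",
     make_event(["trufflehog", "--results=verified", "--json", "git", "file:///home/dev/repo"])),
    # Copied or renamed binary: process.name no longer matches.
    ("renamed binary",
     make_event(["/tmp/.cache/th", "--results=verified", "--json", "filesystem", "."])),
    # Same command line, but a process end event rather than a start.
    ("end event",
     make_event(["trufflehog", "--results=verified", "--json", "filesystem", "."],
                event_type="end")),
]


def evaluate_samples() -> Dict[str, bool]:
    """Run every constructed event through the predicate, keyed by its label."""
    return {label: matches_rule(event) for label, event in SAMPLE_EVENTS}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{'HIT ' if hit else 'miss'}  {label}")
```

The misses are the practical caveat: the rule is tuned to the exact command line seen in the Shai-Hulud campaign, so an operator who widens `--results`, uses the `git` source on a clone, or copies the binary under another name produces the same credential harvest without a hit. Broader coverage (for example matching on `process.args : "--results=*"` or on the binary hash) trades against the false positives the rule's note already describes.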
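The response step that collects the verified findings and rotates whatever they list is easier when the scan output is reduced to one line per distinct credential. The helper below is an added example, not Elastic's or TruffleHog's code: it reads TruffleHog `--json` output (one JSON object per line), keeps only verified results, de-duplicates on detector plus redacted value, and records every file:line where the secret appeared so the source can be scrubbed after rotation. It deliberately carries only the redacted form forward, since the worklist will be handed to owners and ticketing and must not become a second copy of the secret. The field names it reads (`DetectorName`, `Verified`, `Redacted`, `ExtraData`, `SourceMetadata.Data.Filesystem.file`/`line`) follow TruffleHog v3's JSON line format as I understand it; the sample lines are constructed, and the banner line stands in for log noise that ends up in a combined stdout/stderr capture.

```python
"""
Added example (not Elastic's or TruffleHog's code): reduce TruffleHog --json output
to a de-duplicated rotation worklist for the response step in the rule's note.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample capture. Field layout is assumed from TruffleHog v3's JSON lines;
# values are invented (AWS docs-style EXAMPLE key, placeholder tokens).
SAMPLE_OUTPUT = """\
{"SourceMetadata":{"Data":{"Filesystem":{"file":"/home/dev/repos/api/.env","line":3}}},"SourceName":"trufflehog - filesystem","DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAEXAMPLE0000000001","Redacted":"AKIAEXAMPLE0000000001","ExtraData":{"account":"123456789012","arn":"arn:aws:iam::123456789012:user/ci-deploy"}}
TruffleHog. Unearth your secrets.
{"SourceMetadata":{"Data":{"Filesystem":{"file":"/home/dev/repos/infra/deploy/config.yaml","line":12}}},"SourceName":"trufflehog - filesystem","DetectorName":"AWS","DecoderName":"PLAIN","Verified":true,"Raw":"AKIAEXAMPLE0000000001","Redacted":"AKIAEXAMPLE0000000001","ExtraData":{"account":"123456789012","arn":"arn:aws:iam::123456789012:user/ci-deploy"}}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"/home/dev/repos/api/.github/workflows/release.yml","line":22}}},"SourceName":"trufflehog - filesystem","DetectorName":"Github","DecoderName":"PLAIN","Verified":true,"Raw":"ghp_exampleexampleexampleexample000000","Redacted":"ghp_exampleexampleexampleexample000000","ExtraData":{"username":"ci-bot"}}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"/home/dev/repos/api/notes.md","line":8}}},"SourceName":"trufflehog - filesystem","DetectorName":"Slack","DecoderName":"PLAIN","Verified":false,"Raw":"xoxb-0000-example","Redacted":"xoxb-0000-example","ExtraData":null}
"""


def parse_findings(lines: Iterable[str]) -> List[Dict]:
    """Parse one JSON object per line, skipping banner/log text that is not JSON."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings


def source_location(finding: Dict) -> str:
    """file:line for filesystem-source findings, else the source name."""
    fs = finding.get("SourceMetadata", {}).get("Data", {}).get("Filesystem")
    if fs:
        return f"{fs.get('file')}:{fs.get('line')}"
    return finding.get("SourceName", "unknown")


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Counts to put at the top of the incident ticket."""
    verified = sum(1 for f in findings if f.get("Verified"))
    return {"total": len(findings), "verified": verified, "unverified": len(findings) - verified}


def build_rotation_worklist(findings: List[Dict]) -> List[Dict]:
    """One entry per distinct verified credential (detector + redacted value),
    with every location it was found. The raw secret is never copied into the entry."""
    by_key: Dict[Tuple[str, str], Dict] = {}
    for f in findings:
        if not f.get("Verified"):
            continue  # --results=verified already drops these; kept for mixed captures
        key = (f.get("DetectorName", "?"), f.get("Redacted", "?"))
        entry = by_key.setdefault(key, {
            "detector": key[0],
            "redacted": key[1],
            "locations": [],
            "extra": f.get("ExtraData") or {},  # e.g. AWS account/arn: tells you which IAM owner to page
        })
        loc = source_location(f)
        if loc not in entry["locations"]:
            entry["locations"].append(loc)
    return sorted(by_key.values(), key=lambda e: (e["detector"], e["redacted"]))


if __name__ == "__main__":
    parsed = parse_findings(SAMPLE_OUTPUT.splitlines())
    print(summarize(parsed))
    for entry in build_rotation_worklist(parsed):
        print(entry["detector"], entry["redacted"], entry["locations"], entry["extra"])
```

In a real response, feed it the captured stdout of the scan (for example `trufflehog --results=verified --json filesystem . > findings.jsonl`) rather than re-running TruffleHog on the compromised host. Under `--results=verified` the unverified count will be zero; the constructed sample includes one unverified Slack token only to show the filter. The `extra` field is where verification details such as the AWS account and ARN land, which is usually enough to route the rotation to the right owner without ever looking at the raw key.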
References
- https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise
Related rules
- Potential Cookies Theft via Browser Debugging
- Hosts File Modified
- WebServer Access Logs Deleted
- Active Directory Forced Authentication from Linux Host - SMB Named Pipes
- AWS SSM `SendCommand` with Run Shell Command Parameters