PUA - AWS TruffleHog Execution
Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
Sigma rule

title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
  Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
  It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
references:
  - https://github.com/trufflesecurity/trufflehog
  - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-21
tags:
  - attack.credential-access
  - attack.t1555
  - attack.t1003
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    userAgent: 'TruffleHog'
  condition: selection
falsepositives:
  - Legitimate use of TruffleHog by security teams for credential scanning.
level: medium
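As an added example (not part of the Sigma rule or the SigmaHQ project), the selection above applied in Python to a constructed CloudTrail export, using Sigma's default plain-string semantics (case-insensitive; only `*` and `?` are wildcards, so a value without wildcards must equal the whole field). The records, account ID, IPs and ARNs are all constructed sample data.

```python
import json
import re

# Constructed sample CloudTrail export (not real log data). The userAgent
# values are chosen to show how the rule's plain-string selection behaves.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2025-10-21T09:15:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userAgent": "TruffleHog",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventTime": "2025-10-21T09:15:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userAgent": "trufflehog",          # case differs: still a hit in Sigma
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventTime": "2025-10-21T09:16:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",   # benign CLI use
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# The rule's detection.selection block as plain data: field -> Sigma value.
SELECTION = {"userAgent": "TruffleHog"}

def sigma_match(value, pattern):
    """Sigma plain-string semantics: case-insensitive, '*'/'?' wildcards only,
    whole-value match ('TruffleHog/1.0' matches 'TruffleHog*', not 'TruffleHog')."""
    if not isinstance(value, str):
        return False
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def matches_selection(record, selection=SELECTION):
    # A selection map is an AND over its fields; 'condition: selection' uses it as-is.
    return all(sigma_match(record.get(f), v) for f, v in selection.items())

def detect(cloudtrail_json):
    """Return (eventTime, eventName, sourceIPAddress, arn) for each flagged record,
    the fields an analyst needs to decide authorized use vs. something to escalate."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if matches_selection(rec):
            hits.append((rec["eventTime"], rec["eventName"], rec["sourceIPAddress"],
                         rec.get("userIdentity", {}).get("arn")))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_CLOUDTRAIL):
        print("PUA - AWS TruffleHog Execution:", hit)
```

Because the rule's value carries no wildcard, a user agent that merely starts with the tool name is not flagged; that is a property of Sigma's matching, not of the log source.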
Related rules
- File Access Of Signal Desktop Sensitive Data
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock
- Linux Keylogging with Pam.d
- Capture Credentials with Rpcping.exe