AWS STS GetCallerIdentity Enumeration Via TruffleHog

calendar Oct 23, 2025 · attack.discovery attack.t1087.004  ·
Share on: linkedin copy

Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.

Sigma rule (View on GitHub)

 1title: AWS STS GetCallerIdentity Enumeration Via TruffleHog
 2id: 9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d
 3status: experimental
 4description: |
 5    Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog.
 6    Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys.
 7    Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.    
 8references:
 9    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
10    - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
11    - https://github.com/trufflesecurity/trufflehog
12author: Adan Alvarez @adanalvarez
13date: 2025-10-12
14tags:
15    - attack.discovery
16    - attack.t1087.004
17logsource:
18    product: aws
19    service: cloudtrail
20detection:
21    selection:
22        eventSource: 'sts.amazonaws.com'
23        eventName: 'GetCallerIdentity'
24        userAgent|contains: 'TruffleHog'
25    condition: selection
26falsepositives:
27    - Legitimate internal security scanning or key validation that intentionally uses TruffleHog. Authorize and filter known scanner roles, IP ranges, or assumed roles as needed.
28level: medium

References

Related rules

to-top