PUA - TruffleHog Execution
Detects execution of TruffleHog, a tool that searches for secrets across platforms such as Git, Jira, Slack and SharePoint and that can be used maliciously. While it is a legitimate tool intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Sigma rule
title: PUA - TruffleHog Execution
id: 44030449-b0df-4c94-aae1-502359ab28ee
related:
    - id: d7a650c4-226c-451e-948f-cc490db506aa
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\trufflehog.exe'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
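To show how the detection block above evaluates against process creation events, here is an added Python evaluator of the rule's three selections and its condition, run over constructed sample events (example code, not part of the Sigma project; the event dicts, paths and URLs are made up). It applies Sigma's default case-insensitive string matching, which is why a lower-case " git " on the command line still satisfies the ' Git ' keyword.

```python
from typing import Dict, List

# Values copied from the rule's detection block.
IMAGE_SUFFIX = "\\trufflehog.exe"
PLATFORM_MARKERS = [
    " docker --image ", " Git ", " GitHub ", " Jira ", " Slack ",
    " Confluence ", " SharePoint ", " s3 ", " gcs ",
]
VERIFIED_MARKER = " --results=verified"


def selection_img(event: Dict[str, str]) -> bool:
    # Image|endswith: '\trufflehog.exe' (Sigma matching is case-insensitive)
    return event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower())


def selection_cli_platform(event: Dict[str, str]) -> bool:
    # CommandLine|contains: any one of the platform/source keywords
    cli = event.get("CommandLine", "").lower()
    return any(marker.lower() in cli for marker in PLATFORM_MARKERS)


def selection_cli_verified(event: Dict[str, str]) -> bool:
    # CommandLine|contains: ' --results=verified'
    return VERIFIED_MARKER.lower() in event.get("CommandLine", "").lower()


def matches(event: Dict[str, str]) -> bool:
    # condition: selection_img or all of selection_cli_*
    return selection_img(event) or (
        selection_cli_platform(event) and selection_cli_verified(event)
    )


# Constructed sample process_creation events (windows); values are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Tools\\trufflehog.exe",        # 0: hit on image name alone
     "CommandLine": "trufflehog.exe filesystem C:\\src"},
    {"Image": "C:\\Users\\Public\\th.exe",        # 1: renamed binary, both CLI markers
     "CommandLine": "th.exe git https://example.invalid/repo.git --results=verified"},
    {"Image": "C:\\Users\\Public\\th.exe",        # 2: platform keyword only, no hit
     "CommandLine": "th.exe github --org=example"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",   # 3: unrelated process, no hit
     "CommandLine": "cmd.exe /c dir"},
]


def alerts(events: List[Dict[str, str]]) -> List[int]:
    # Indices of the events that trigger the rule.
    return [i for i, e in enumerate(events) if matches(e)]
```

Event 2 shows why the condition requires all of selection_cli_*: a platform keyword alone is far too common on command lines, so only the combination with --results=verified (or the binary name itself) raises an alert.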
Related rules
- PUA - TruffleHog Execution - Linux
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Cisco Collect Data
- Potentially Suspicious JWT Token Search Via CLI