legitimate internal security scanning or key validation that intentionally uses trufflehog. authorize and filter known scanner roles, ip ranges, or assumed roles as needed.

t1087
t1087.004
aws
sigma

Techniques

t1087
t1087.004

Sample rules

AWS STS GetCallerIdentity Enumeration Via TruffleHog

source: sigma
technicques:
- t1087
- t1087.004

Description

Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.

Detection logic

condition: selection
selection:
  eventName: GetCallerIdentity
  eventSource: sts.amazonaws.com
  userAgent|contains: TruffleHog