trufflehog is a legitimate open-source tool used by security professionals and developers to search for sensitive information, such as passwords, api keys, and other secrets, within code repositories. it is commonly employed during security assessments and code reviews to identify potential vulnerabilities.

t1003
t1555
cross-platform
elastic

Techniques

T1003
T1555

Sample rules

Credential Access via TruffleHog Execution

source: elastic
technicques:
- T1003
- T1555

Description

This rule detects the execution of TruffleHog, a tool used to search for high-entropy strings and secrets in code repositories, which may indicate an attempt to access credentials. This tool was abused by the Shai-Hulud worm to search for credentials in code repositories.

Detection logic

process where event.type == "start" and process.name : ("trufflehog.exe", "trufflehog") and
process.args == "--results=verified" and process.args == "--json" and process.args == "filesystem"