LoFP / trufflehog

TruffleHog is a legitimate open-source tool used by security professionals and developers to search for sensitive information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed during security assessments and code reviews to identify potential vulnerabilities.

Techniques

Sample rules

Credential Access via TruffleHog Execution

Description

This rule detects the execution of TruffleHog, a tool used to search for high-entropy strings and secrets in code repositories, which may indicate an attempt to access credentials. This tool was abused by the Shai-Hulud worm to search for credentials in code repositories.

Detection logic

process where event.type == "start" and process.name : ("trufflehog.exe", "trufflehog") and
process.args == "--results=verified" and process.args == "--json" and process.args == "filesystem"
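To make the rule's matching semantics concrete, here is an added example (not code from the LoFP page or from the rule's authors) that re-implements the EQL logic above in Python and runs it over constructed ECS-style process events; it assumes events carry `event.type`, `process.name` and `process.args` as in ECS. It shows that EQL `:` is case-insensitive, that `==` on the array field `process.args` is true when any element matches, and that a legitimate developer running the same command line produces the same alert as an abuse, which is the false-positive angle this catalogue tracks.

```python
# Added example: a Python re-implementation of the EQL rule, evaluated over
# constructed sample events. Not the rule's own code; the event shape is an
# assumption based on ECS field names used in the rule.

# EQL `:` compares case-insensitively; `==` against an array field is true
# when any element of the array equals the value.
TRUFFLEHOG_NAMES = {"trufflehog.exe", "trufflehog"}
REQUIRED_ARGS = {"--results=verified", "--json", "filesystem"}


def matches_trufflehog_rule(event):
    """Return True when the event satisfies every condition of the rule."""
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    name = str(proc.get("name", "")).lower()      # emulate EQL `:`
    if name not in TRUFFLEHOG_NAMES:
        return False
    args = set(proc.get("args", []))              # emulate `==` on an array
    return REQUIRED_ARGS.issubset(args)


def make_event(event_type, name, args):
    """Build a constructed ECS-style process event (sample data, not real)."""
    return {"event": {"type": event_type},
            "process": {"name": name, "args": args}}


# Constructed samples: the first two carry the command line the rule targets
# (a developer's local scan looks identical to an abuse); the third is a git
# scan without the required flags; the fourth is a process end, not a start.
SAMPLE_EVENTS = [
    make_event("start", "trufflehog",
               ["trufflehog", "filesystem", "/home/dev/src",
                "--results=verified", "--json"]),
    make_event("start", "TruffleHog.exe",
               ["TruffleHog.exe", "filesystem", "C:\\src",
                "--results=verified", "--json"]),
    make_event("start", "trufflehog",
               ["trufflehog", "git", "https://example.invalid/repo", "--json"]),
    make_event("end", "trufflehog",
               ["trufflehog", "filesystem", ".", "--results=verified", "--json"]),
]


def alerts(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_trufflehog_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(matches_trufflehog_rule(e), " ".join(e["process"]["args"]))
```

Because the rule keys only on the command line, triage of a hit needs context the query does not carry, such as the parent process, the user and whether the scan ran from an interactive developer session or an automated package install.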