PUA - TruffleHog Execution

Rule Info

Name: PUA - TruffleHog Execution
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Date: 2025-09-24 00:00:00
Modified: None
Id: 44030449-b0df-4c94-aae1-502359ab28ee
Tags: attack.discovery attack.credential-access attack.t1083 attack.t1552.001
Type: Community Rule

Rule History

Author | Title | Date | Commit
RobertN87 | Merge PR #5714 from @RobertN87 - Add missing MITRE tactics for 2 rules | 2025-10-21 |
Swachchhanda Shrawan Poudel | Merge PR #5658 from @swachchhanda000 - feat: shai hulud worm targeting npm supply chain attack | 2025-10-19 |