Rule Info
Name
AWS STS GetCallerIdentity Enumeration Via TruffleHog
Author
Adan Alvarez @adanalvarez
Description
Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog.
Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys.
Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.
Date
2025-10-12 00:00:00
Modified
None
Id
9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d
Tags
attack.discovery attack.t1087.004
Type
Community Rule
Link to Public Repo
Rule History
Author | Title | Date | Commit
Adan Álvarez | Merge PR #5688 from @adanalvarez - AWS STS GetCallerIdentity Enumeration Via TruffleHog | 2025-10-23 |
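
The matching logic from the Description, as an added example that is not part of the rule or its repository: it filters CloudTrail records for STS GetCallerIdentity calls with a TruffleHog userAgent and reports which access keys were checked and from which source IPs. The substring match, the function names and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption: the page only says the userAgent "indicates TruffleHog";
# a case-insensitive substring match stands in for the rule's real condition.
UA_MARKER = "trufflehog"


def is_trufflehog_sts_check(event):
    """True for an STS GetCallerIdentity call whose userAgent names TruffleHog."""
    return (
        event.get("eventSource") == "sts.amazonaws.com"
        and event.get("eventName") == "GetCallerIdentity"
        and UA_MARKER in (event.get("userAgent") or "").lower()
    )


def keys_validated(cloudtrail_json):
    """Map each access key in a matching event to the source IPs that used it."""
    records = json.loads(cloudtrail_json).get("Records", [])
    hits = defaultdict(set)
    for ev in filter(is_trufflehog_sts_check, records):
        identity = ev.get("userIdentity") or {}
        key = identity.get("accessKeyId", "<unknown-key>")
        hits[key].add(ev.get("sourceIPAddress", "<unknown-ip>"))
    return {key: sorted(ips) for key, ips in hits.items()}


def _ev(source, name, agent, key, ip):
    # Helper that builds one constructed CloudTrail record.
    return {"eventSource": source, "eventName": name, "userAgent": agent,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip}


# Constructed sample log file: AWS documentation key IDs, documentation IP ranges.
SAMPLE = json.dumps({"Records": [
    _ev("sts.amazonaws.com", "GetCallerIdentity", "TruffleHog", "AKIAIOSFODNN7EXAMPLE", "198.51.100.7"),
    _ev("sts.amazonaws.com", "GetCallerIdentity", "TruffleHog", "AKIAIOSFODNN7EXAMPLE", "203.0.113.9"),
    # Same API call from an ordinary client: must not match.
    _ev("sts.amazonaws.com", "GetCallerIdentity", "aws-cli/2.15.0", "AKIAI44QH8DHBEXAMPLE", "192.0.2.10"),
    # TruffleHog userAgent on a different API call: outside this rule's scope.
    _ev("iam.amazonaws.com", "ListUsers", "TruffleHog", "AKIAI44QH8DHBEXAMPLE", "198.51.100.7"),
    # Record with a null userAgent: must be skipped without raising.
    _ev("sts.amazonaws.com", "GetCallerIdentity", None, "AKIAI44QH8DHBEXAMPLE", "192.0.2.10"),
]})

if __name__ == "__main__":
    for key, ips in keys_validated(SAMPLE).items():
        print(f"rotate and review {key}: validated from {', '.join(ips)}")
```

Every key returned by `keys_validated` was accepted by STS, so each one is a candidate for rotation and for a review of its later CloudTrail activity.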
