PUA - AWS TruffleHog Execution

Rule Info

Name: PUA - AWS TruffleHog Execution
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
Date: 2025-10-21 00:00:00
Modified: None
Id: a840e606-7c8c-4684-9bc1-eb6b6155127f
Tags: attack.credential-access, attack.t1555, attack.t1003
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5711 from @swachchhanda000 - Add `PUA - AWS TruffleHog Execution`
Date: 2025-10-29
Commit: