PUA - TruffleHog Execution

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (( PROCESSNAME endswith "\trufflehog.exe" OR ORIGINALFILENAME = "trufflehog.exe" ) AND COMMANDLINE contains " docker --image , Git , GitHub , Jira , Slack , Confluence , SharePoint , s3 , gcs " AND COMMANDLINE contains " --results=verified" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Swachchhanda Shrawan Poudel (Nextron Systems)