Adversaries may run TruffleHog on a compromised host to discover, verify and collect secrets from local repositories, filesystems and connected platforms before exfiltrating them, abusing a legitimate tool for malicious ends. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify credential theft or the staging of data for exfiltration.
Detection Rule
title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
    - id: 44030449-b0df-4c94-aae1-502359ab28ee
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/trufflehog'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
imProcessCreate
| where TargetProcessName endswith "/trufflehog"
    or (
        (TargetProcessCommandLine contains " docker --image "
            or TargetProcessCommandLine contains " Git "
            or TargetProcessCommandLine contains " GitHub "
            or TargetProcessCommandLine contains " Jira "
            or TargetProcessCommandLine contains " Slack "
            or TargetProcessCommandLine contains " Confluence "
            or TargetProcessCommandLine contains " SharePoint "
            or TargetProcessCommandLine contains " s3 "
            or TargetProcessCommandLine contains " gcs ")
        and TargetProcessCommandLine contains " --results=verified"
    )
Scenario: Scheduled Secret Scan Using TruffleHog
Description: A legitimate scheduled job runs TruffleHog to scan for secrets in Git repositories as part of a DevOps pipeline.
Filter/Exclusion: process.name != "trufflehog" OR file.path contains "/.github/workflows/secret-scan.yml" OR process.parent.name contains "cron"
Scenario: Admin Task to Audit Secrets in Jira
Description: An admin runs TruffleHog to audit secrets stored in Jira as part of a security audit.
Filter/Exclusion: process.name != "trufflehog" OR file.path contains "/opt/jira/audit_script.sh" OR user.name contains "security_admin"
Scenario: TruffleHog Used in a CI/CD Pipeline for Security Compliance
Description: TruffleHog is executed in a CI/CD pipeline to ensure no secrets are committed to version control.
Filter/Exclusion: process.name != "trufflehog" OR file.path contains "/.github/workflows/security-checks.yml" OR process.parent.name contains "jenkins"
Scenario: TruffleHog Run Manually by Security Team for Incident Response
Description: A security analyst manually runs TruffleHog to investigate potential secret exposure during an incident.
Filter/Exclusion: process.name != "trufflehog" OR user.name contains "security_team" OR file.path contains "/tools/trufflehog/scan.sh"
Scenario: TruffleHog Integrated with Slack for Alerting
Description: TruffleHog is configured to send alerts to a Slack channel when secrets are found, as part of a monitoring setup.
Filter/Exclusion: process.name != "trufflehog" OR file.path contains "/