TruffleHog user agent observed in AWS

cloudtrail

Classification: attack


Goal

Detect when a TruffleHog user agent is seen in AWS CloudTrail management plane logs.

Strategy

This rule monitors AWS CloudTrail management plane logs for the GetCallerIdentity API call made with the user agent TruffleHog. TruffleHog is a tool designed to scan source code repositories for leaked secrets. It includes a credential verification feature that checks whether a discovered credential is still active; for AWS credentials it does this by calling the GetCallerIdentity API. While this tool can be used legitimately by teams to scan for leaked secrets internally, it may also be used by attackers to confirm that leaked credentials are valid.

Triage and response

  1. Determine if your organization is using the TruffleHog tool to scan for secrets.
  2. If it is an internal tool, notify the relevant team so that the leaked key can be triaged appropriately.
  3. If the results of the triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
    • If appropriate, disable or rotate the affected credential.
    • Investigate any actions taken by the identity {{@userIdentity.arn}}.
    • Work with the relevant teams to remove the key from any source code repositories.
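The following is an added example (not the rule's own query or any Datadog code) that shows both halves of this page in code: the detection logic from the Strategy section, run over constructed CloudTrail records, and the triage pivot from step 3, which collects every other call made by the flagged identity so the actions taken with the credential can be reviewed. The sample records, ARNs and IP addresses are constructed for illustration; the case-insensitive substring match on the user agent is an assumption made so that a version suffix would still match.

```python
"""Detect TruffleHog credential checks in CloudTrail and pivot on the identity.

Added example for the rule described on this page. The records below are
constructed and carry only the fields the logic needs; real CloudTrail
events have many more.
"""
import json
from collections import Counter

# Constructed sample CloudTrail management events (not real data).
SAMPLE_RECORDS = [
    {"eventTime": "2023-11-10T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "TruffleHog",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2023-11-10T09:02:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userAgent": "aws-cli/2.13.0",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2023-11-10T09:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "aws-sdk-go/1.44.0",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
    {"eventTime": "2023-11-10T09:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userAgent": "aws-cli/2.13.0",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
]


def load_records(text):
    """Parse a CloudTrail log file body, which wraps events in a 'Records' array."""
    return json.loads(text).get("Records", [])


def is_trufflehog_check(record):
    """True when the record is a GetCallerIdentity call with a TruffleHog user agent.

    Assumption: a case-insensitive substring match, so a user agent that
    appends a version string to the tool name still matches.
    """
    if record.get("eventName") != "GetCallerIdentity":
        return False
    return "trufflehog" in record.get("userAgent", "").lower()


def find_matches(records):
    """Return every record the rule would alert on."""
    return [r for r in records if is_trufflehog_check(r)]


def pivot_on_identity(records, arn):
    """Summarise all calls made by one identity: per-API counts and source IPs.

    This is the triage step of reviewing actions taken by the flagged ARN.
    """
    events = Counter()
    source_ips = set()
    for r in records:
        if r.get("userIdentity", {}).get("arn") == arn:
            events[f"{r['eventSource']}:{r['eventName']}"] += 1
            source_ips.add(r["sourceIPAddress"])
    return {"events": dict(events), "source_ips": sorted(source_ips)}


def triage(records):
    """Pair each alerting record with the full activity of its identity."""
    findings = []
    for match in find_matches(records):
        arn = match["userIdentity"]["arn"]
        findings.append({
            "arn": arn,
            "event_time": match["eventTime"],
            "user_agent": match["userAgent"],
            "activity": pivot_on_identity(records, arn),
        })
    return findings


if __name__ == "__main__":
    # Exercise the same path a real log file would take: wrap the constructed
    # records in a 'Records' envelope, parse it, then detect and triage.
    body = json.dumps({"Records": SAMPLE_RECORDS})
    print(json.dumps(triage(load_records(body)), indent=2))
```

Only the first record alerts: the GetCallerIdentity call from the assumed role uses an SDK user agent and is ignored. The pivot then shows that the same IAM user went on to list S3 buckets and IAM users from the same source address, which is the activity step 3 asks you to review before deciding whether to disable or rotate the key.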

Changelog

  • 10 November 2023 - updated severity of detection from Low to High