GitHub Trufflehog activity


Goal

Detects usage of the Trufflehog credential scanning tool against GitHub repositories.

Strategy

This rule monitors GitHub audit logs for user agent strings associated with Trufflehog use. The detection creates higher severity alerts when Trufflehog usage is combined with VPN or tunnel usage marked as suspicious or malicious by threat intelligence. Trufflehog is a legitimate security tool used to detect exposed credentials in code repositories; however, unauthorized usage may indicate reconnaissance activity or credential harvesting attempts.
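As an added illustration (not Datadog's rule implementation), the following Python runs the strategy above over a few constructed GitHub audit events: it matches a Trufflehog marker in the user agent and raises the severity when the source is also tagged by threat intelligence. The field names (`actor`, `repo`, `user_agent`, `threat_intel_categories`) and the category names are assumptions about the log shape, not the integration's actual attributes.

```python
"""Added example, not Datadog's rule: detect Trufflehog user agents in GitHub
audit events and raise severity when threat intel also flags the source."""
import json
from typing import Dict, List, Optional

# Case-insensitive substring matched against the user agent (assumed marker).
TRUFFLEHOG_UA_MARKER = "trufflehog"
# Threat-intel categories treated as VPN/tunnel or suspicious (assumed names).
SUSPICIOUS_TI_CATEGORIES = {"vpn", "tunnel", "suspicious", "malicious"}

# Constructed sample events; field names are assumptions about the audit log shape.
SAMPLE_EVENTS = [
    '{"actor": "alice", "action": "git.clone", "repo": "acme/payments", '
    '"user_agent": "TruffleHog/3.0 (constructed)", "threat_intel_categories": []}',
    '{"actor": "bob", "action": "git.clone", "repo": "acme/internal-tools", '
    '"user_agent": "trufflehog/3.0 (constructed)", '
    '"threat_intel_categories": ["vpn", "suspicious"]}',
    '{"actor": "carol", "action": "git.clone", "repo": "acme/website", '
    '"user_agent": "git/2.43.0", "threat_intel_categories": ["vpn"]}',
]


def evaluate_event(raw: str) -> Optional[Dict[str, str]]:
    """Return an alert for a Trufflehog event, or None when the event does not match.

    Severity is MEDIUM for any Trufflehog user agent and HIGH when threat intel
    also tags the source as VPN/tunnel/suspicious/malicious, as the rule describes.
    """
    event = json.loads(raw)
    user_agent = event.get("user_agent", "")
    if TRUFFLEHOG_UA_MARKER not in user_agent.lower():
        return None
    categories = {c.lower() for c in event.get("threat_intel_categories", [])}
    severity = "HIGH" if categories & SUSPICIOUS_TI_CATEGORIES else "MEDIUM"
    return {"actor": event.get("actor", "?"),
            "repo": event.get("repo", "?"),
            "severity": severity}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detection over raw JSON audit events and return only the alerts."""
    return [alert for alert in (evaluate_event(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] actor={alert['actor']} repo={alert['repo']}")
```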

Triage and response

  • Verify if {{@github.actor}} has legitimate authorization to perform security scanning activities on the affected repositories.
  • Review the specific repositories that were scanned to determine if they contain sensitive or proprietary code.
  • Examine any VPN or tunnel usage associated with the scanning activity to determine if it originates from expected security team infrastructure.
  • Determine if any credentials or secrets were actually discovered and potentially compromised during the scanning activity.