TruffleHog is an open-source secrets-discovery tool used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog can discover credentials and secrets stored in code repositories, git history, and CI/CD pipelines, as well as in other common storage locations such as filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1580 | Cloud Infrastructure Discovery | TruffleHog can enumerate AWS infrastructure, including EC2 instances.[2] |
| Enterprise | T1526 | Cloud Service Discovery | TruffleHog has the ability to scan code repositories and CI/CD platforms.[1][2] |
| Enterprise | T1619 | Cloud Storage Object Discovery | TruffleHog can enumerate cloud storage environments, including Amazon Web Services (AWS) S3 buckets and Google Cloud Storage buckets.[1][2] |
| Enterprise | T1059.009 | Command and Scripting Interpreter: Cloud API | TruffleHog has leveraged cloud CLIs in order to enumerate and gather credentials.[2] |
| Enterprise | T1555.006 | Credentials from Password Stores: Cloud Secrets Management Stores | TruffleHog can obtain secrets from AWS Secrets and GCP Secret Manager.[1][2] TruffleHog has also gathered passwords, secrets, and API keys from source repositories, .env files, and git history.[3] |
| Enterprise | T1530 | Data from Cloud Storage | TruffleHog has the ability to scan cloud storage services for credentials, including Amazon (AWS) S3 and Google Cloud Storage.[1][2] |
| Enterprise | T1213.001 | Data from Information Repositories: Confluence | TruffleHog has collected credentials and data associated with Confluence.[2] |
| Enterprise | T1213.002 | Data from Information Repositories: Sharepoint | TruffleHog has searched SharePoint for data and credentials.[2] |
| Enterprise | T1213.003 | Data from Information Repositories: Code Repositories | TruffleHog has gathered data and credentials from code repositories.[2] |
| Enterprise | T1213.005 | Data from Information Repositories: Messaging Applications | TruffleHog has obtained data and credentials associated with messaging applications, including Slack.[2] |
| Enterprise | T1005 | Data from Local System | TruffleHog has gathered data from home directories in the victim environment.[3] |
| Enterprise | T1083 | File and Directory Discovery | TruffleHog can browse and scan individual files and directories.[1][3][2] |
| Enterprise | T1528 | Steal Application Access Token | TruffleHog has gathered access tokens and API tokens from CI/CD pipeline solutions and repositories.[1] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | TruffleHog has obtained credentials stored in config files and credential files in victim environments.[1][3] |
| Enterprise | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | TruffleHog can query the AWS and GCP metadata endpoints for instance and service credentials.[1][2] |
| Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | TruffleHog has used stolen credentials to log into cloud services, accessing cloud-hosted repositories and other cloud storage solutions to discover sensitive data, including API keys, tokens, and credentials.[2] |