detection.wiki

Detection rules › Panther

AWS STS GetCallerIdentity via TruffleHog

Severity
medium
Log types
AWS.CloudTrail
Tags
AWS, AWS STS, Discovery:Account Discovery
Reference
https://github.com/trufflesecurity/trufflehog
Source
github.com/panther-labs/panther-analysis

Detects AWS STS GetCallerIdentity calls made by TruffleHog, a credential scanning tool. Threat actors use TruffleHog to validate whether leaked or stolen AWS access keys are still active. A GetCallerIdentity call with a TruffleHog user agent indicates that credentials from this account have been discovered externally and are being tested for validity.

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1087.004 Account Discovery: Cloud Account

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body yaml

AnalysisType: rule
Filename: aws_sts_getcalleridentity_trufflehog.py
RuleID: "AWS.STS.GetCallerIdentity.TruffleHog"
DisplayName: "AWS STS GetCallerIdentity via TruffleHog"
Enabled: true
LogTypes:
  - AWS.CloudTrail
Tags:
  - AWS
  - AWS STS
  - Discovery:Account Discovery
Reports:
  MITRE ATT&CK:
    - TA0007:T1087.004
Severity: Medium
Description: >
  Detects AWS STS GetCallerIdentity calls made by TruffleHog, a credential scanning
  tool. Threat actors use TruffleHog to validate whether leaked or stolen AWS access
  keys are still active. A GetCallerIdentity call with a TruffleHog user agent
  indicates that credentials from this account have been discovered externally and
  are being tested for validity.
Runbook: |
  1. Query CloudTrail for all API calls using the same userIdentity:accessKeyId in the 24 hours before and after this alert to assess if the credential has been used for unauthorized actions
  2. Check if sourceIPAddress appears in threat intelligence feeds or is associated with known scanning infrastructure
  3. Find all other alerts associated with this userIdentity:arn in the past 7 days to determine the scope of potential credential compromise
Reference: https://github.com/trufflesecurity/trufflehog
SummaryAttributes:
  - userAgent
  - sourceIpAddress
  - recipientAccountId
  - p_any_aws_arns
DedupPeriodMinutes: 60
Threshold: 1
Tests:
  - Name: TruffleHog GetCallerIdentity
    ExpectedResult: true
    Log:
      {
        "awsRegion": "us-east-1",
        "eventName": "GetCallerIdentity",
        "eventSource": "sts.amazonaws.com",
        "eventTime": "2024-01-15T10:30:00Z",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
        "sourceIPAddress": "198.51.100.42",
        "userAgent": "TruffleHog",
        "userIdentity": {
          "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
          "accountId": "123456789012",
          "arn": "arn:aws:iam::123456789012:user/compromised-user",
          "type": "IAMUser",
          "userName": "compromised-user"
        }
      }
  - Name: TruffleHog User Agent Variant
    ExpectedResult: true
    Log:
      {
        "awsRegion": "us-east-1",
        "eventName": "GetCallerIdentity",
        "eventSource": "sts.amazonaws.com",
        "eventTime": "2024-01-15T10:30:00Z",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
        "sourceIPAddress": "198.51.100.42",
        "userAgent": "trufflehog/3.63.0",
        "userIdentity": {
          "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
          "accountId": "123456789012",
          "arn": "arn:aws:iam::123456789012:user/compromised-user",
          "type": "IAMUser",
          "userName": "compromised-user"
        }
      }
  - Name: Normal GetCallerIdentity
    ExpectedResult: false
    Log:
      {
        "awsRegion": "us-east-1",
        "eventName": "GetCallerIdentity",
        "eventSource": "sts.amazonaws.com",
        "eventTime": "2024-01-15T10:30:00Z",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
        "sourceIPAddress": "10.0.0.1",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {
          "type": "IAMUser",
          "userName": "admin-user"
        }
      }
  - Name: Different STS Event with TruffleHog Agent
    ExpectedResult: false
    Log:
      {
        "awsRegion": "us-east-1",
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "eventTime": "2024-01-15T10:30:00Z",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
        "sourceIPAddress": "198.51.100.42",
        "userAgent": "TruffleHog",
        "userIdentity": {
          "type": "IAMUser",
          "userName": "compromised-user"
        }
      }

Detection logic

Condition

eventSource eq "sts.amazonaws.com"
eventName eq "GetCallerIdentity"
userAgent contains "trufflehog"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
eventNameeq
  • GetCallerIdentity
eventSourceeq
  • sts.amazonaws.com
userAgentcontains
  • trufflehog

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
eventName
eventSource
awsRegion
recipientAccountId
sourceIPAddress
userAgent
userIdentity
arnuserIdentity.arn