Skip to content

Hide Navigation Hide TOC

AWS STS GetCallerIdentity Enumeration Via TruffleHog (9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d)

Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.

Cluster A Galaxy A Cluster B Galaxy B Level
Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern AWS STS GetCallerIdentity Enumeration Via TruffleHog (9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d) Sigma-Rules 1
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 2