PUA - TruffleHog Execution

Sigma Rules

Summary
This detection rule identifies execution of TruffleHog, a tool for discovering leaked secrets across sources such as Git repositories, Jira, and Slack. Originally built for legitimate purposes such as CI pipeline integration and security assessments, TruffleHog has also been misused in attacks, notably the Shai-Hulud campaign, which abused npm packages to extract sensitive information. The rule applies to Windows process-creation events and fires when the TruffleHog executable is the created process or when the command line suggests a TruffleHog invocation. It combines two selections: one matches execution of the TruffleHog binary itself, the other matches command lines containing keywords typical of TruffleHog usage. Legitimate use by development or security teams can produce false positives, so any triggered alert needs context-aware triage.
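The two selections the summary describes, as an added Python model run over constructed process-creation events. This is not the Sigma rule's own logic: the image suffix, the subcommand set and the flag names are assumptions chosen to illustrate the approach, and the sample events are made up.

```python
from dataclasses import dataclass

# Assumptions standing in for the rule's real selection (added example, not the rule):
IMAGE_SUFFIX = "\\trufflehog.exe"          # selection 1: default binary name
SOURCE_SUBCOMMANDS = {"git", "github", "gitlab", "filesystem", "s3", "docker"}
VERIFY_FLAGS = {"--only-verified", "--no-verification"}  # TruffleHog-specific flags


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a Windows process-creation event."""
    image: str
    command_line: str


def selection_image(ev):
    """Selection 1: the TruffleHog binary itself is the created process."""
    return ev.image.lower().endswith(IMAGE_SUFFIX)


def selection_cmdline(ev):
    """Selection 2: tool name present, or a source subcommand plus a TruffleHog flag."""
    toks = set(ev.command_line.lower().split())
    if any("trufflehog" in t for t in toks):
        return True
    return bool(toks & SOURCE_SUBCOMMANDS) and bool(toks & VERIFY_FLAGS)


def classify(ev):
    """Return the selection that fired ('image' or 'cmdline') or None."""
    if selection_image(ev):
        return "image"
    if selection_cmdline(ev):
        return "cmdline"
    return None


# Constructed sample events, not captured from any real host.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Tools\trufflehog.exe",
                 r"C:\Tools\trufflehog.exe filesystem C:\src --only-verified"),
    # Renamed binary: the image check misses it; the command line still gives it away.
    ProcessEvent(r"C:\Users\dev\th.exe",
                 r"th.exe git file://C:\repo --no-verification --json"),
    # Ordinary git use shares the 'git' token but none of the flags: no alert.
    ProcessEvent(r"C:\Program Files\Git\cmd\git.exe",
                 r"git.exe clone https://example.invalid/repo.git"),
]
```

The renamed-binary event is why the rule needs the command-line selection alongside the image check; the plain git event marks the false-positive boundary the summary warns about.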
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
Created: 2025-09-24