diff --git a/Worm/NPM/Forge Web Credentials/launch_of_trufflehog.md b/Worm/NPM/Forge Web Credentials/launch_of_trufflehog.md new file mode 100644 index 0000000..21cb1d4 --- /dev/null +++ b/Worm/NPM/Forge Web Credentials/launch_of_trufflehog.md @@ -0,0 +1,12 @@ +# Trufflehog + +Use this query to look for Trufflehog tool in the environment. + +## EDR CDM [Cloud Console queries] + +### Search for Trufflehog tool launch + +``` +Device OS Type:100-Windows AND Event Type Id: 8001-Process Activity AND Disposition:1 AND Process Name:trufflehog.exe +``` +
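Review bot: the detection in the fenced query keys only on `Process Name:trufflehog.exe`, so a renamed binary is not caught; consider documenting that limitation in the paragraph above it and, if the console supports it, adding a second query on the command line (the tool's subcommand and argument strings) or on file hash so the page does not present the name match as the sole indicator. The same query is also scoped with `Device OS Type:100-Windows`, while the heading "Search for Trufflehog tool launch" is unqualified; either note in the text that this covers Windows hosts only or add companion queries for the other OS types the console exposes. Minor: "Use this query to look for Trufflehog tool in the environment." should read "the Trufflehog tool", and the code fence would benefit from a language or `text` tag so the rendered page styles it consistently with the rest of the repository.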