AWS Java_Ghost security group creation attempt


Goal

Detect when an attempt to create an AWS security group called “Java_Ghost” is observed.

Strategy

Monitor CloudTrail for CreateSecurityGroup API calls, including failed attempts, and detect when the security group being created is named “Java_Ghost” (or, since the April 2025 rule update, carries the description “We Are There But Not Visible”). Datadog’s security research team has assessed with high confidence that an occurrence of this event means the identity {{@userIdentity.arn}} has likely been compromised. Recent research has indicated that this behaviour may act as a calling card for a specific attacker group.

Triage and response

  1. Determine other actions taken by the identity {{@userIdentity.arn}} by looking at past activity and the types of API calls occurring.
  2. Begin your company’s incident response process and an investigation.
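The following is an added example, not Datadog’s rule query or any code from this page: a small Python filter that applies the detection logic described in the Strategy section to CloudTrail records and then performs the first triage step (listing the other API calls made by the flagged identity). The records are constructed for the example; the account number, ARNs, IP addresses and VPC IDs are placeholders, and the matching logic (exact match on the group name “Java_Ghost” or the description “We Are There But Not Visible” in any CreateSecurityGroup call, whether or not it succeeded) is an assumption about how the rule behaves.

```python
"""Added example: CloudTrail filter approximating the Java_Ghost rule (not Datadog's query)."""
from collections import Counter

# Assumption: the rule matches an EC2 CreateSecurityGroup call whose group name
# is "Java_Ghost" or whose description is "We Are There But Not Visible".
MARKER_GROUP_NAME = "Java_Ghost"
MARKER_DESCRIPTION = "We Are There But Not Visible"

# Constructed CloudTrail records, in the shape of a log file's "Records" array.
# Account, ARNs, IPs, times and resource IDs are placeholders, not real telemetry.
ALICE = "arn:aws:iam::123456789012:user/alice"
CONSTRUCTED_RECORDS = [
    {"eventTime": "2025-04-25T09:58:10Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": None},
    {"eventTime": "2025-04-25T09:59:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": {}},
    {"eventTime": "2025-04-25T10:00:31Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"groupName": "web-tier", "groupDescription": "web tier",
                           "vpcId": "vpc-0a1b2c3d"}},
    {"eventTime": "2025-04-25T10:01:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": {"groupName": "Java_Ghost", "groupDescription": "Java_Ghost",
                           "vpcId": "vpc-0a1b2c3d"}},
    # A denied attempt: errorCode is set, but the attempt itself is the signal.
    {"eventTime": "2025-04-25T10:02:48Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": {"groupName": "maint",
                           "groupDescription": "We Are There But Not Visible",
                           "vpcId": "vpc-9f8e7d6c"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2025-04-25T10:03:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": None},
]


def is_java_ghost_attempt(record):
    """True for any CreateSecurityGroup call carrying the marker name or description.

    Failed calls (errorCode present) still match: an attempt is the signal, not the outcome.
    """
    if record.get("eventSource") != "ec2.amazonaws.com":
        return False
    if record.get("eventName") != "CreateSecurityGroup":
        return False
    params = record.get("requestParameters") or {}
    return (params.get("groupName") == MARKER_GROUP_NAME
            or params.get("groupDescription") == MARKER_DESCRIPTION)


def detect(records):
    """Return one alert dict per matching record, in log order."""
    alerts = []
    for r in records:
        if not is_java_ghost_attempt(r):
            continue
        params = r.get("requestParameters") or {}
        alerts.append({
            "arn": (r.get("userIdentity") or {}).get("arn"),
            "eventTime": r.get("eventTime"),
            "region": r.get("awsRegion"),
            "sourceIPAddress": r.get("sourceIPAddress"),
            "groupName": params.get("groupName"),
            "groupDescription": params.get("groupDescription"),
            "outcome": "denied" if r.get("errorCode") else "succeeded",
        })
    return alerts


def activity_for(records, arn):
    """Triage step 1: count every (service, API) pair called by the flagged identity."""
    return Counter(
        (r.get("eventSource"), r.get("eventName"))
        for r in records
        if (r.get("userIdentity") or {}).get("arn") == arn
    )


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_RECORDS):
        print(f"{alert['eventTime']} {alert['arn']} {alert['outcome']} "
              f"name={alert['groupName']!r} desc={alert['groupDescription']!r}")
        for (service, api), n in sorted(activity_for(CONSTRUCTED_RECORDS, alert["arn"]).items()):
            print(f"    {service} {api} x{n}")
```

To run this against real data, load a CloudTrail log file with the json module and pass its "Records" array to detect(). The matches are exact and case-sensitive, which is an assumption; the denied attempt in the sample is matched deliberately, because a CreateSecurityGroup call that failed on permissions still tells you the identity is being driven by someone using this calling card.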

Changelog

  • 25 April 2025 - updated rule query to include the security group description “We Are There But Not Visible”.