AWS Java_Ghost security group creation attempt

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when an attempt to create an AWS security group called “Java_Ghost” is observed.

Strategy

Monitor CloudTrail and detect when an attempt to create an AWS security group called “Java_Ghost” has been observed. Datadog’s security research team has assessed with high confidence that an occurrence of this event likely means that identity {{@userIdentity.arn}} has been compromised. Recent research has indicated that this behaviour may act as a calling card for a specific attacker group.

Triage and response

  1. Determine other actions taken by the identity {{@userIdentity.arn}} by looking at past activity and the types of API calls occurring.
  2. Begin your company’s incident response process and an investigation.

Changelog

  • 25 April 2025 - updated rule query to include security group description We Are There But Not Visible.
PREVIEWING: aliciascott/DOCS-10683-Cloudcraft-CCM