AWS Java_Ghost security group creation attempt

Goal

Detect when an attempt to create an AWS security group called “Java_Ghost” is observed.

Strategy

Monitor CloudTrail and detect when an attempt to create an AWS security group called “Java_Ghost” has been observed. Datadog’s security research team has assessed with high confidence that an occurrence of this event likely means that identity {{@userIdentity.arn}} has been compromised. An attacker may try to create a security group to maintain access to any EC2 instances created.

Triage and response

  1. Determine other actions taken by the identity {{@userIdentity.arn}} by looking at past activity and the types of API calls occurring.
  2. Begin your company’s incident response process and an investigation.
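
The rule's match condition and triage step 1, sketched as an added example (not Datadog's rule definition). It runs over constructed CloudTrail-shaped records; the ARNs, the account ID, and the helper names `ev`, `find_attempts` and `other_activity` are assumptions made for illustration.

```python
from collections import Counter

RULE_GROUP_NAME = "Java_Ghost"  # name from the rule; the comparison is case-sensitive
ALICE = "arn:aws:iam::111122223333:user/example-alice"  # constructed placeholder
BOB = "arn:aws:iam::111122223333:user/example-bob"      # constructed placeholder

def ev(arn, name, params=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample, not a real log)."""
    rec = {"eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn}, "requestParameters": params}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode only on failed calls
    return rec

SAMPLE_EVENTS = [
    ev(ALICE, "DescribeInstances"),
    ev(ALICE, "CreateSecurityGroup", {"groupName": "Java_Ghost"},
       "Client.UnauthorizedOperation"),
    ev(ALICE, "CreateSecurityGroup", {"groupName": "Java_Ghost"}),
    ev(ALICE, "AuthorizeSecurityGroupIngress", {"groupId": "sg-EXAMPLE"}),
    ev(BOB, "CreateSecurityGroup", {"groupName": "web-tier"}),
    ev(BOB, "DescribeInstances"),
]

def is_attempt(event):
    """Match any CreateSecurityGroup call naming Java_Ghost, allowed or denied."""
    params = event.get("requestParameters") or {}  # may be null on some records
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") == "CreateSecurityGroup"
            and params.get("groupName") == RULE_GROUP_NAME)

def find_attempts(events):
    """Return (identity ARN, outcome) for every matching attempt, in log order."""
    return [(e["userIdentity"]["arn"], e.get("errorCode", "success"))
            for e in events if is_attempt(e)]

def other_activity(events):
    """Triage step 1: count the other API calls made by each flagged identity."""
    report = {arn: Counter() for arn, _ in find_attempts(events)}
    for e in events:
        arn = (e.get("userIdentity") or {}).get("arn")
        if arn in report and not is_attempt(e):
            report[arn][e["eventName"]] += 1
    return report

if __name__ == "__main__":
    print(find_attempts(SAMPLE_EVENTS))
    print(other_activity(SAMPLE_EVENTS))
```

Denied calls are kept because the rule targets attempts, so an identity that lacks `ec2:CreateSecurityGroup` permission is still flagged.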