---
title: AWS Java_Ghost security group creation attempt
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS Java_Ghost security group creation attempt

- Classification: attack
- Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)
- Technique: [T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)

## Goal{% #goal %}

Detect when an attempt to create an AWS security group called "Java_Ghost" is observed.

## Strategy{% #strategy %}

Monitor CloudTrail and detect when an attempt to create an AWS security group called "Java_Ghost" has been observed. Datadog's security research team has assessed with high confidence that an occurrence of this event likely means that identity `{{@userIdentity.arn}}` has been compromised. Recent [research](https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/) has indicated that this behaviour may act as a calling card for a specific attacker group.

## Triage and response{% #triage-and-response %}

1. Determine other actions taken by the identity `{{@userIdentity.arn}}` by looking at past activity and the types of API calls occurring.
1. Begin your company's incident response process and an investigation.
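
The detection in the Strategy section and the first triage step can be reproduced offline against exported CloudTrail logs. The following is an added example, not Datadog's rule query: it assumes the standard CloudTrail record layout for `CreateSecurityGroup` (`requestParameters.groupName` and `requestParameters.groupDescription`), matches the two strings exactly, and runs on constructed sample records whose ARNs and other group names are made up.

```python
import json
from collections import Counter

# Indicators stated on this page.
GROUP_NAME = "Java_Ghost"
GROUP_DESCRIPTION = "We Are There But Not Visible"
EC2, STS = "ec2.amazonaws.com", "sts.amazonaws.com"

def _rec(arn, source, name, params=None, error=None):
    """Build a minimal CloudTrail-shaped record for the constructed sample."""
    rec = {"userIdentity": {"arn": arn}, "eventSource": source,
           "eventName": name, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log: identities and non-indicator group names are made up.
ALICE, BUILD, OPS = (f"arn:aws:iam::111122223333:user/{u}"
                     for u in ("alice", "build-svc", "ops"))
SAMPLE_LOG = json.dumps({"Records": [
    _rec(ALICE, EC2, "CreateSecurityGroup", {"groupName": "web-sg", "groupDescription": "web tier"}),
    _rec(BUILD, STS, "GetCallerIdentity"),
    _rec(BUILD, EC2, "DescribeSecurityGroups", {}),
    _rec(BUILD, EC2, "CreateSecurityGroup", {"groupName": GROUP_NAME, "groupDescription": "x"},
         error="Client.UnauthorizedOperation"),
    _rec(OPS, EC2, "CreateSecurityGroup", {"groupName": "tmp", "groupDescription": GROUP_DESCRIPTION}),
]})

def is_java_ghost_attempt(event):
    """Match on name or description; failed calls count, since the rule covers attempts."""
    if (event.get("eventSource"), event.get("eventName")) != (EC2, "CreateSecurityGroup"):
        return False
    params = event.get("requestParameters") or {}  # CloudTrail may log null here
    return (params.get("groupName") == GROUP_NAME
            or params.get("groupDescription") == GROUP_DESCRIPTION)

def triage(log_text):
    """Map each flagged identity ARN to a count of every API call it made in the log."""
    records = json.loads(log_text).get("Records", [])
    flagged = {(e.get("userIdentity") or {}).get("arn")
               for e in records if is_java_ghost_attempt(e)}
    activity = {arn: Counter() for arn in flagged if arn}
    for e in records:
        arn = (e.get("userIdentity") or {}).get("arn")
        if arn in activity:
            activity[arn][f'{e.get("eventSource")}:{e.get("eventName")}'] += 1
    return activity

if __name__ == "__main__":
    print({arn: dict(calls) for arn, calls in triage(SAMPLE_LOG).items()})
```

The per-identity call counts give a starting point for step 1; widen the time window of the exported logs to cover activity before the flagged event.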

## Changelog{% #changelog %}

- 25 April 2025 - updated rule query to include security group description `We Are There But Not Visible`.
