AWS Security ChangesHomeSearch

AWS guardduty high security documentation change

Service: guardduty · 2025-10-16 · Security-related high

File: guardduty/latest/ug/findings-runtime-monitoring.md

Summary

Added new finding type DefenseEvasion:Runtime/KernelModuleLoaded with high severity, detecting kernel module loading attempts

Security assessment

The change introduces documentation for a new security finding related to kernel module loading, which indicates potential kernel-level compromise. The high severity and explicit mention of threat actor access constitute concrete security evidence.

Diff

diff --git a/guardduty/latest/ug/findings-runtime-monitoring.md b/guardduty/latest/ug/findings-runtime-monitoring.md
index 53bebcef3..d2360f565 100644
--- a//guardduty/latest/ug/findings-runtime-monitoring.md
+++ b//guardduty/latest/ug/findings-runtime-monitoring.md
@@ -5 +5 @@
-CryptoCurrency:Runtime/BitcoinTool.BBackdoor:Runtime/C&CActivity.BUnauthorizedAccess:Runtime/TorRelayUnauthorizedAccess:Runtime/TorClientTrojan:Runtime/BlackholeTrafficTrojan:Runtime/DropPointCryptoCurrency:Runtime/BitcoinTool.B!DNSBackdoor:Runtime/C&CActivity.B!DNSTrojan:Runtime/BlackholeTraffic!DNSTrojan:Runtime/DropPoint!DNSTrojan:Runtime/DGADomainRequest.C!DNSTrojan:Runtime/DriveBySourceTraffic!DNSTrojan:Runtime/PhishingDomainRequest!DNSImpact:Runtime/AbusedDomainRequest.ReputationImpact:Runtime/BitcoinDomainRequest.ReputationImpact:Runtime/MaliciousDomainRequest.ReputationImpact:Runtime/SuspiciousDomainRequest.ReputationUnauthorizedAccess:Runtime/MetadataDNSRebindExecution:Runtime/NewBinaryExecutedPrivilegeEscalation:Runtime/DockerSocketAccessedPrivilegeEscalation:Runtime/RuncContainerEscapePrivilegeEscalation:Runtime/CGroupsReleaseAgentModifiedDefenseEvasion:Runtime/ProcessInjection.ProcDefenseEvasion:Runtime/ProcessInjection.PtraceDefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWriteExecution:Runtime/ReverseShellDefenseEvasion:Runtime/FilelessExecutionImpact:Runtime/CryptoMinerExecutedExecution:Runtime/NewLibraryLoadedPrivilegeEscalation:Runtime/ContainerMountsHostDirectoryPrivilegeEscalation:Runtime/UserfaultfdUsageExecution:Runtime/SuspiciousToolExecution:Runtime/SuspiciousCommandDefenseEvasion:Runtime/SuspiciousCommandDefenseEvasion:Runtime/PtraceAntiDebuggingExecution:Runtime/MaliciousFileExecutedExecution:Runtime/SuspiciousShellCreatedPrivilegeEscalation:Runtime/ElevationToRootDiscovery:Runtime/SuspiciousCommandPersistence:Runtime/SuspiciousCommandPrivilegeEscalation:Runtime/SuspiciousCommand
+CryptoCurrency:Runtime/BitcoinTool.BBackdoor:Runtime/C&CActivity.BUnauthorizedAccess:Runtime/TorRelayUnauthorizedAccess:Runtime/TorClientTrojan:Runtime/BlackholeTrafficTrojan:Runtime/DropPointCryptoCurrency:Runtime/BitcoinTool.B!DNSBackdoor:Runtime/C&CActivity.B!DNSTrojan:Runtime/BlackholeTraffic!DNSTrojan:Runtime/DropPoint!DNSTrojan:Runtime/DGADomainRequest.C!DNSTrojan:Runtime/DriveBySourceTraffic!DNSTrojan:Runtime/PhishingDomainRequest!DNSImpact:Runtime/AbusedDomainRequest.ReputationImpact:Runtime/BitcoinDomainRequest.ReputationImpact:Runtime/MaliciousDomainRequest.ReputationImpact:Runtime/SuspiciousDomainRequest.ReputationUnauthorizedAccess:Runtime/MetadataDNSRebindExecution:Runtime/NewBinaryExecutedPrivilegeEscalation:Runtime/DockerSocketAccessedPrivilegeEscalation:Runtime/RuncContainerEscapePrivilegeEscalation:Runtime/CGroupsReleaseAgentModifiedDefenseEvasion:Runtime/ProcessInjection.ProcDefenseEvasion:Runtime/ProcessInjection.PtraceDefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWriteExecution:Runtime/ReverseShellDefenseEvasion:Runtime/FilelessExecutionImpact:Runtime/CryptoMinerExecutedExecution:Runtime/NewLibraryLoadedPrivilegeEscalation:Runtime/ContainerMountsHostDirectoryPrivilegeEscalation:Runtime/UserfaultfdUsageExecution:Runtime/SuspiciousToolExecution:Runtime/SuspiciousCommandDefenseEvasion:Runtime/SuspiciousCommandDefenseEvasion:Runtime/PtraceAntiDebuggingExecution:Runtime/MaliciousFileExecutedExecution:Runtime/SuspiciousShellCreatedPrivilegeEscalation:Runtime/ElevationToRootDiscovery:Runtime/SuspiciousCommandPersistence:Runtime/SuspiciousCommandPrivilegeEscalation:Runtime/SuspiciousCommandDefenseEvasion:Runtime/KernelModuleLoaded
@@ -98,0 +99,2 @@ Runtime Monitoring finding types are based on the runtime logs collected from ho
+  * DefenseEvasion:Runtime/KernelModuleLoaded
+
@@ -997,0 +1000,19 @@ The GuardDuty runtime agent monitors events from multiple resources. To identify
+
+**Remediation recommendations:**
+
+If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](./guardduty-remediate-runtime-monitoring.html).
+
+## DefenseEvasion:Runtime/KernelModuleLoaded
+
+### A kernel module was loaded on an Amazon EC2 instance, indicating an attempt to gain kernel-level access.
+
+**Default severity: High**
+
+  * **Feature:** Runtime Monitoring
+
+
+
+
+This finding indicates that a kernel module was loaded on the listed EC2 instance. Since kernel modules have the highest system-level privileges (ring 0), this could indicate that a threat actor has gained kernel-level access. This level of access allows complete control over the system.
+
+The GuardDuty runtime agent monitors events from multiple resources. To identify the affected resource, view **Resource type** in the findings details in the GuardDuty console. When applicable, additional context, including process and process lineage information, is available in the finding for further investigation.