AWS Security ChangesHomeSearch

AWS guardduty documentation change

Service: guardduty · 2026-06-04 · Documentation medium

File: guardduty/latest/ug/findings-runtime-monitoring.md

Summary

Added three new finding types (Persistence/PrivilegeEscalation/DefenseEvasion:Runtime/SensitiveFileModified) with detailed documentation about detecting malicious file modifications.

Security assessment

This change introduces documentation for new security-focused detection capabilities. It describes how GuardDuty identifies malicious file modifications that could compromise systems (e.g., SSH key changes, sudoers file tampering), but doesn't indicate a specific patched vulnerability.

Diff

diff --git a/guardduty/latest/ug/findings-runtime-monitoring.md b/guardduty/latest/ug/findings-runtime-monitoring.md
index ce09b6ca4..47a786e2f 100644
--- a//guardduty/latest/ug/findings-runtime-monitoring.md
+++ b//guardduty/latest/ug/findings-runtime-monitoring.md
@@ -7 +7 @@
-CryptoCurrency:Runtime/BitcoinTool.BBackdoor:Runtime/C&CActivity.BUnauthorizedAccess:Runtime/TorRelayUnauthorizedAccess:Runtime/TorClientTrojan:Runtime/BlackholeTrafficTrojan:Runtime/DropPointCryptoCurrency:Runtime/BitcoinTool.B!DNSBackdoor:Runtime/C&CActivity.B!DNSTrojan:Runtime/BlackholeTraffic!DNSTrojan:Runtime/DropPoint!DNSTrojan:Runtime/DGADomainRequest.C!DNSTrojan:Runtime/DriveBySourceTraffic!DNSTrojan:Runtime/PhishingDomainRequest!DNSImpact:Runtime/AbusedDomainRequest.ReputationImpact:Runtime/BitcoinDomainRequest.ReputationImpact:Runtime/MaliciousDomainRequest.ReputationImpact:Runtime/SuspiciousDomainRequest.ReputationUnauthorizedAccess:Runtime/MetadataDNSRebindExecution:Runtime/NewBinaryExecutedPrivilegeEscalation:Runtime/DockerSocketAccessedPrivilegeEscalation:Runtime/RuncContainerEscapePrivilegeEscalation:Runtime/CGroupsReleaseAgentModifiedDefenseEvasion:Runtime/ProcessInjection.ProcDefenseEvasion:Runtime/ProcessInjection.PtraceDefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWriteExecution:Runtime/ReverseShellDefenseEvasion:Runtime/FilelessExecutionImpact:Runtime/CryptoMinerExecutedExecution:Runtime/NewLibraryLoadedPrivilegeEscalation:Runtime/ContainerMountsHostDirectoryPrivilegeEscalation:Runtime/UserfaultfdUsageExecution:Runtime/SuspiciousToolExecution:Runtime/SuspiciousCommandDefenseEvasion:Runtime/SuspiciousCommandDefenseEvasion:Runtime/PtraceAntiDebuggingExecution:Runtime/MaliciousFileExecutedExecution:Runtime/MaliciousFileExecuted.CustomExecution:Runtime/SuspiciousShellCreatedPrivilegeEscalation:Runtime/ElevationToRootDiscovery:Runtime/SuspiciousCommandPersistence:Runtime/SuspiciousCommandPrivilegeEscalation:Runtime/SuspiciousCommandDefenseEvasion:Runtime/KernelModuleLoaded
+CryptoCurrency:Runtime/BitcoinTool.BBackdoor:Runtime/C&CActivity.BUnauthorizedAccess:Runtime/TorRelayUnauthorizedAccess:Runtime/TorClientTrojan:Runtime/BlackholeTrafficTrojan:Runtime/DropPointCryptoCurrency:Runtime/BitcoinTool.B!DNSBackdoor:Runtime/C&CActivity.B!DNSTrojan:Runtime/BlackholeTraffic!DNSTrojan:Runtime/DropPoint!DNSTrojan:Runtime/DGADomainRequest.C!DNSTrojan:Runtime/DriveBySourceTraffic!DNSTrojan:Runtime/PhishingDomainRequest!DNSImpact:Runtime/AbusedDomainRequest.ReputationImpact:Runtime/BitcoinDomainRequest.ReputationImpact:Runtime/MaliciousDomainRequest.ReputationImpact:Runtime/SuspiciousDomainRequest.ReputationUnauthorizedAccess:Runtime/MetadataDNSRebindExecution:Runtime/NewBinaryExecutedPrivilegeEscalation:Runtime/DockerSocketAccessedPrivilegeEscalation:Runtime/RuncContainerEscapePrivilegeEscalation:Runtime/CGroupsReleaseAgentModifiedDefenseEvasion:Runtime/ProcessInjection.ProcDefenseEvasion:Runtime/ProcessInjection.PtraceDefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWriteExecution:Runtime/ReverseShellDefenseEvasion:Runtime/FilelessExecutionImpact:Runtime/CryptoMinerExecutedExecution:Runtime/NewLibraryLoadedPrivilegeEscalation:Runtime/ContainerMountsHostDirectoryPrivilegeEscalation:Runtime/UserfaultfdUsageExecution:Runtime/SuspiciousToolExecution:Runtime/SuspiciousCommandDefenseEvasion:Runtime/SuspiciousCommandDefenseEvasion:Runtime/PtraceAntiDebuggingExecution:Runtime/MaliciousFileExecutedExecution:Runtime/MaliciousFileExecuted.CustomExecution:Runtime/SuspiciousShellCreatedPrivilegeEscalation:Runtime/ElevationToRootDiscovery:Runtime/SuspiciousCommandPersistence:Runtime/SuspiciousCommandPrivilegeEscalation:Runtime/SuspiciousCommandDefenseEvasion:Runtime/KernelModuleLoadedPersistence:Runtime/SensitiveFileModifiedPrivilegeEscalation:Runtime/SensitiveFileModifiedDefenseEvasion:Runtime/SensitiveFileModified
@@ -104,0 +105,6 @@ Runtime Monitoring finding types are based on the runtime logs collected from ho
+  * Persistence:Runtime/SensitiveFileModified
+
+  * PrivilegeEscalation:Runtime/SensitiveFileModified
+
+  * DefenseEvasion:Runtime/SensitiveFileModified
+
@@ -1052,0 +1059,63 @@ If this activity is unexpected, your resource might have been compromised. For m
+## Persistence:Runtime/SensitiveFileModified
+
+### A security-sensitive system file has been modified on an Amazon EC2 instance or a container, potentially enabling an adversary to gain persistence.
+
+**Default severity: Medium**
+
+  * **Feature:** Runtime Monitoring
+
+
+
+
+This finding informs you that a security-sensitive system file on an Amazon EC2 instance or container has been modified, potentially enabling an adversary to maintain persistent execution rights on the system. This could include installation of new SSH key files, changes to user configuration files, modifications to password or shadow files, creation of scheduled tasks, manipulation of system startup scripts, or modification of executable or script files by web service processes in suspicious contexts. These modifications are indicators of compromise that could enable unauthorized persistence in your environment.
+
+GuardDuty monitors security-sensitive system files frequently targeted by adversaries for persistence. Since these files may also be modified during legitimate system administration and management, GuardDuty examines related runtime activity and context to generate this finding only when modifications are correlated with other suspicious activities.
+
+The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. The `service.runtimeDetails.context` field contains details about the suspicious file modification, including the file path and operation type.
+
+**Remediation recommendations:**
+
+If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](./guardduty-remediate-runtime-monitoring.html).
+
+## PrivilegeEscalation:Runtime/SensitiveFileModified
+
+### A security-sensitive system file has been modified on an Amazon EC2 instance or container, potentially enabling an adversary to elevate privileges.
+
+**Default severity: Medium**
+
+  * **Feature:** Runtime Monitoring
+
+
+
+
+This finding informs you that a security-sensitive system file has been modified on an Amazon EC2 instance or container, potentially enabling an adversary to elevate their privileges on the system. This could involve modifications to security-critical files such as sudoers configuration, PAM settings, or system authentication files. These modifications are indicators of compromise that could enable unauthorized privilege escalation, potentially resulting in unauthorized root access, weakened authentication mechanisms, or compromised security controls.
+
+GuardDuty monitors security-sensitive system files frequently targeted by adversaries for privilege escalation. Since these files may also be modified during legitimate system administration and management, GuardDuty examines related runtime activity and context to generate this finding only when modifications are correlated with other suspicious activities.
+
+The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. The `service.runtimeDetails.context` field contains details about the suspicious file modification, including the file path and operation type.
+
+**Remediation recommendations:**
+
+If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](./guardduty-remediate-runtime-monitoring.html).
+
+## DefenseEvasion:Runtime/SensitiveFileModified
+
+### A security-sensitive system file has been modified on an Amazon EC2 instance or a container, potentially enabling an adversary to evade detection.
+
+**Default severity: Medium**
+
+  * **Feature:** Runtime Monitoring
+
+
+
+
+This finding informs you that a security-sensitive system file on an Amazon EC2 instance or container has been modified, potentially enabling an adversary to evade detection on the system. This could involve modifications to system log files, audit configurations, command history files, or system logs. These modifications are indicators of compromise that could allow concealment of unauthorized activities, disruption of security monitoring, or removal of system activity evidence.
+
+GuardDuty monitors security-sensitive system files frequently targeted by adversaries for defense evasion. Since these files may also be modified during legitimate system administration and management, GuardDuty examines related runtime activity and context to generate this finding only when modifications are correlated with other suspicious activities.
+
+The GuardDuty runtime agent monitors events from multiple resource types. To identify the potentially compromised resource, view **Resource type** in the findings panel in the GuardDuty console. The `service.runtimeDetails.context` field contains details about the suspicious file modification, including the file path and operation type.
+
+**Remediation recommendations:**
+
+If this activity is unexpected, your resource might have been compromised. For more information, see [Remediating Runtime Monitoring findings](./guardduty-remediate-runtime-monitoring.html).
+