Amazon GuardDuty adds sensitive file modification threat detections
Amazon GuardDuty Runtime Monitoring now detects when sensitive files are modified on EC2, EKS, and ECS workloads. These new threat detections, including Persistence:Runtime/SensitiveFileModified, help identify post-compromise attacker activities like persistence and privilege escalation. Designed for security teams and architects, this feature monitors specific file operations to catch obfuscated techniques and reduces false positives with correlation-based analysis. The detections are available to all customers with Runtime Monitoring enabled, with a 30-day free trial for new users.
- New sensitive file modification threat detections in GuardDuty Runtime Monitoring
- Enhanced detection of post-compromise attacker activities
- Reduced false positives with correlation-based analysis
Features
- New sensitive file modification threat detections in GuardDuty Runtime Monitoring
GuardDuty Runtime Monitoring now includes three threat detections: Persistence:Runtime/SensitiveFileModified, PrivilegeEscalation:Runtime/SensitiveFileModified, and DefenseEvasion:Runtime/SensitiveFileModified. These detections alert security teams when sensitive files are modified on EC2 instances and container workloads running on EKS or ECS.
- Enhanced detection of post-compromise attacker activities
These findings help identify post-compromise attacker activities by monitoring critical system files like configuration files, authentication settings, and system logs. The detections are designed to catch threats even when attackers use obfuscated techniques that bypass traditional command-line monitoring.
Enhancements
- Reduced false positives with correlation-based analysis
Correlation-based analysis distinguishes malicious behavior from legitimate administrative operations, helping to reduce false positives. Actionable intelligence is provided with MITRE ATT&CK® tactics mapping and remediation recommendations.
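As an added example (not from the announcement or from AWS), the following shows how a detection team would consume these three finding types: an EventBridge event pattern that matches them by the `detail.type` field, a GuardDuty `FindingCriteria` filter for the same types, and a small triage function that pulls the ATT&CK tactic out of the finding type prefix. The sample event is constructed; the `resource.resourceType` and `id` field names are assumptions about the finding schema.

```python
# The three finding types named in the announcement.
SFM_FINDING_TYPES = (
    "Persistence:Runtime/SensitiveFileModified",
    "PrivilegeEscalation:Runtime/SensitiveFileModified",
    "DefenseEvasion:Runtime/SensitiveFileModified",
)


def eventbridge_pattern(min_severity: float = 4.0) -> dict:
    """EventBridge event pattern matching GuardDuty findings of the three
    sensitive-file-modification types with severity >= min_severity."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {
            "type": list(SFM_FINDING_TYPES),
            "severity": [{"numeric": [">=", min_severity]}],
        },
    }


def finding_criteria() -> dict:
    """FindingCriteria for GuardDuty ListFindings restricted to these types."""
    return {"Criterion": {"type": {"Eq": list(SFM_FINDING_TYPES)}}}


def triage(event: dict) -> dict:
    """Reduce one finding event to what a responder needs first: the ATT&CK
    tactic (the prefix of the finding type), severity and affected resource."""
    detail = event["detail"]
    ftype = detail["type"]
    if ftype not in SFM_FINDING_TYPES:
        raise ValueError(f"not a sensitive-file-modification finding: {ftype}")
    return {
        "tactic": ftype.split(":", 1)[0],
        "severity": float(detail["severity"]),
        "resource_type": detail.get("resource", {}).get("resourceType", "unknown"),
        "finding_id": detail.get("id", "unknown"),
    }


# Constructed sample event, not real GuardDuty output; fields other than
# type and severity are assumptions about the finding schema.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "PLACEHOLDER-FINDING-ID",
        "type": "Persistence:Runtime/SensitiveFileModified",
        "severity": 7.0,
        "resource": {"resourceType": "Instance"},
    },
}
```

The pattern can be passed as-is to an EventBridge rule (for example via `aws events put-rule --event-pattern`), and the triage output is what you would hand to a ticketing or paging integration.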
https://aws.amazon.com/about-aws/whats-new/2026/07/amazon-guardduty-sfm/