| ID | Technique | Tactic |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
Detection: Linux PF_ALG Registration Outside of Boot Window
Description
The following analytic detects the AF_ALG kernel crypto socket interface (logged by the kernel as registration of the PF_ALG protocol family) being loaded more than 300 seconds after system boot, which is a primary kernel-level indicator of Copy Fail (CVE-2026-31431) exploitation activity on Debian and Ubuntu family systems. The exploit needs the AF_ALG interface to reach the vulnerable authencesn crypto code path. On systems where the module is not auto-loaded at boot, the kernel loads it on demand the first time a process creates an AF_ALG socket, so a registration message appearing well after boot, triggered by an unprivileged process, is a strong indicator of exploitation in progress.
Search
```spl
sourcetype="linux_messages_syslog" "NET: Registered PF_ALG protocol family"
| rex field=_raw "kernel: \[\s*(?<uptime_seconds>[\d\.]+)\]"
| eval uptime_seconds=tonumber(uptime_seconds)
| where uptime_seconds > 300
| eval uptime_readable=tostring(round(uptime_seconds/60,1)) . " minutes after boot"
| rename host as dest
| table _time dest uptime_seconds uptime_readable _raw
| sort -uptime_seconds
| `linux_pf_alg_registration_outside_of_boot_window_filter`
```
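The same logic applied outside Splunk, as an added example that is not part of the detection content or of the Splunk security_content project: a small Python port of the search run over a handful of constructed kern.log lines (hostnames, dates and uptime values are made up). Beyond what the SPL does, it keeps a separate list of PF_ALG registration events that carry no printk uptime stamp, which the search's `where` clause would silently discard.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample events (not from any real host), in the classic syslog
# layout the Splunk Add-On for Unix and Linux ingests from kern.log.
# The last PF_ALG line deliberately lacks the printk uptime stamp.
SAMPLE_KERN_LOG = """\
Mar  3 09:12:01 web01 kernel: [    2.113427] NET: Registered PF_ALG protocol family
Mar  3 09:12:05 db01 kernel: [   41.902311] NET: Registered PF_ALG protocol family
Mar  3 11:47:55 web02 kernel: [ 9354.118203] NET: Registered PF_ALG protocol family
Mar  3 11:48:00 build07 kernel: [83112.004512] NET: Registered PF_ALG protocol family
Mar  3 11:48:03 web02 kernel: [ 9362.554410] audit: type=1400 apparmor="STATUS"
Mar  3 11:50:17 bastion kernel: NET: Registered PF_ALG protocol family
"""

PF_ALG_MSG = "NET: Registered PF_ALG protocol family"
BOOT_WINDOW_SECONDS = 300  # same threshold as the SPL "where uptime_seconds > 300"

# Same pattern as the search's rex: the printk uptime inside "kernel: [  123.456]".
UPTIME_RE = re.compile(r"kernel: \[\s*(?P<uptime_seconds>[\d.]+)\]")
# Syslog prefix "Mon dd HH:MM:SS host kernel:"; the host becomes dest.
HOST_RE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) kernel:")


@dataclass
class Finding:
    dest: str
    uptime_seconds: float
    uptime_readable: str
    raw: str


def parse_pf_alg_event(line: str) -> Optional[Tuple[str, Optional[float]]]:
    """Return (host, uptime_seconds) for a PF_ALG registration line, else None.

    uptime_seconds is None when the event has no printk stamp; in SPL the rex
    would leave the field null and the where clause would drop the event.
    """
    if PF_ALG_MSG not in line:
        return None
    host_match = HOST_RE.match(line)
    host = host_match.group("host") if host_match else "unknown"
    uptime_match = UPTIME_RE.search(line)
    uptime = float(uptime_match.group("uptime_seconds")) if uptime_match else None
    return host, uptime


def detect(lines: Iterable[str], window: float = BOOT_WINDOW_SECONDS) -> Tuple[List[Finding], List[str]]:
    """Port of the search: findings sorted by uptime descending, plus the
    PF_ALG events the SPL would silently lose because they carry no stamp."""
    findings: List[Finding] = []
    unparsed: List[str] = []
    for raw in lines:
        raw = raw.rstrip("\n")
        parsed = parse_pf_alg_event(raw) if raw else None
        if parsed is None:
            continue
        host, uptime = parsed
        if uptime is None:
            unparsed.append(raw)
            continue
        if uptime > window:
            findings.append(Finding(
                dest=host,
                uptime_seconds=uptime,
                # mirrors tostring(round(uptime_seconds/60,1)) . " minutes after boot"
                uptime_readable=f"{round(uptime / 60, 1)} minutes after boot",
                raw=raw,
            ))
    findings.sort(key=lambda f: f.uptime_seconds, reverse=True)  # sort -uptime_seconds
    return findings, unparsed


if __name__ == "__main__":
    hits, lost = detect(SAMPLE_KERN_LOG.splitlines())
    for hit in hits:
        print(f"{hit.dest}\t{hit.uptime_seconds}\t{hit.uptime_readable}")
    for line in lost:
        print(f"NO UPTIME STAMP (search would drop this): {line}")
```

Running it flags build07 and web02 (in that order) and excludes web01 and db01, whose registrations fall inside the boot window; the bastion event is reported separately as lacking an uptime stamp. On a real host with printk timestamps disabled, every PF_ALG registration would end up in that second list, so checking it once per log source is a quick way to confirm the search can actually see the hosts you care about.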
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Linux Messages Syslog |  | linux_messages_syslog | /var/log/kern |
Macros Used
| Name | Value |
|---|---|
| linux_pf_alg_registration_outside_of_boot_window_filter | search * |
linux_pf_alg_registration_outside_of_boot_window_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
CVE
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | No |
Implementation
To successfully implement this search, you need to have the relevant kernel logs ingested with the Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833). The search depends on the printk uptime stamp (`kernel: [  123.456]`) being present in each event: the rex extracts uptime_seconds from it, and events without that stamp get a null uptime_seconds and are silently dropped by the where clause rather than alerting. Before enabling the search, confirm that PF_ALG registration events from your hosts carry the stamp. Note also that the search emits dest but no user field, since the kernel message does not record which process triggered the module load, so the user notable field will be empty.
Known False Positives
AF_ALG can be loaded legitimately after boot: the kernel auto-loads the module the first time any process opens an AF_ALG socket, which happens with on-demand LUKS volume mounts, IPsec VPN clients establishing tunnels, or OpenSSL deployments with the afalg engine enabled. The signal is therefore most reliable on dedicated server infrastructure where these operations are handled at boot time, and hosts with known late loaders should be excluded through the filter macro rather than by raising the 300 second threshold.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| AF_ALG instantiated after boot on $dest$ indicating possible privilege escalation. | dest | system | 50 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | /var/log/kern | linux_messages_syslog |
| Integration | ✅ Passing | Dataset | /var/log/kern | linux_messages_syslog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1