Detection: Linux Auditd Copy Fail Privilege Escalation

Description

Detects the exploitation pattern associated with Copy Fail. Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel's authentication cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017. This search relies on the auditd configuration linked in the references section. If you are using a custom configuration, make sure the key names are the same or adapt the search accordingly.

`linux_auditd`
type=SYSCALL
key IN (
    "af_alg",
    "process_creation",
    "splice_user"
)

| eval setuid_binary = case(
    name IN (
        "/usr/bin/chfn",
        "/usr/bin/chsh",
        "/usr/bin/fusermount3",
        "/usr/bin/gpasswd",
        "/usr/bin/mount",
        "/usr/bin/newgrp",
        "/usr/bin/passwd",
        "/usr/bin/su",
        "/usr/bin/sudo",
        "/usr/bin/umount",
        "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
        "/usr/lib/landscape/apt-update",
        "/usr/lib/openssh/ssh-keysign",
        "/usr/lib/polkit-1/polkit-agent-helper-1"
    ), name,
    exe IN (
        "/usr/bin/chfn",
        "/usr/bin/chsh",
        "/usr/bin/fusermount3",
        "/usr/bin/gpasswd",
        "/usr/bin/mount",
        "/usr/bin/newgrp",
        "/usr/bin/passwd",
        "/usr/bin/su",
        "/usr/bin/sudo",
        "/usr/bin/umount",
        "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
        "/usr/lib/landscape/apt-update",
        "/usr/lib/openssh/ssh-keysign",
        "/usr/lib/polkit-1/polkit-agent-helper-1"
    ), exe,
    true(), null()
)

| eval indicator = case(
    key="af_alg",        "AF_ALG socket",
    key="splice_user",   "splice syscall",
    isnotnull(setuid_binary), "setuid_exec:" . setuid_binary,
    true(),              null()
)

| where isnotnull(indicator)

| stats
    dc(indicator) as unique_signals
    max(_time) as lastTime
    min(_time) as firstTime
    values(comm) as comm
    values(exe) as exe
    values(name) as name
    values(host) as dest
    values(indicator) as signals
    values(setuid_binary) as setuid_binaries
    values(pid) as pid
    values(ppid) as ppid
    values(uid) as uid
    by auid

| where unique_signals >= 3

| eval risk_score_factor = unique_signals * 25

| sort - risk_score_factor

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `linux_auditd_copy_fail_privilege_escalation_filter`
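As an added example (not the project's own code), the correlation the search above performs, re-implemented in Python over constructed auditd SYSCALL lines so the three-signal threshold can be checked offline. The rule keys and setuid binary list are taken from the search; the log lines, auids and pids are made up.

```python
import re
from collections import defaultdict

# Rule keys and setuid binaries, copied from the SPL search above
KEYS = {"af_alg", "process_creation", "splice_user"}
SETUID_BINARIES = {
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/fusermount3", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/su",
    "/usr/bin/sudo", "/usr/bin/umount", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/landscape/apt-update", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/polkit-1/polkit-agent-helper-1",
}
# Constructed auditd SYSCALL records (not real captures); key= is the audit rule key
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000001.001:101): auid=1000 uid=1000 pid=4242 ppid=4000 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1700000002.002:102): auid=1000 uid=1000 pid=4242 ppid=4000 comm="python3" exe="/usr/bin/python3.12" key="splice_user"
type=SYSCALL msg=audit(1700000003.003:103): auid=1000 uid=1000 pid=4243 ppid=4242 comm="su" exe="/usr/bin/su" key="process_creation"
type=SYSCALL msg=audit(1700000004.004:104): auid=1001 uid=1001 pid=5100 ppid=5000 comm="sudo" exe="/usr/bin/sudo" key="process_creation"
type=SYSCALL msg=audit(1700000005.005:105): auid=1001 uid=1001 pid=5101 ppid=5000 comm="ls" exe="/usr/bin/ls" key="process_creation"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one auditd line into a dict, stripping the quotes auditd puts around strings."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def indicator(rec):
    """Mirror the SPL `indicator` eval: return the signal name for a record, or None."""
    if rec.get("key") == "af_alg":
        return "AF_ALG socket"
    if rec.get("key") == "splice_user":
        return "splice syscall"
    # The SPL checks `name` (from the PATH record) before `exe`
    for field in ("name", "exe"):
        if rec.get(field) in SETUID_BINARIES:
            return "setuid_exec:" + rec[field]
    return None

def correlate(log_text, threshold=3):
    """Group distinct signals by auid (the SPL's stats dc(indicator) by auid), keep sessions at or above the threshold, score 25 per signal."""
    signals = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") not in KEYS:
            continue
        sig = indicator(rec)
        if sig:
            signals[rec["auid"]].add(sig)
    return {auid: {"signals": sorted(s), "risk_score_factor": len(s) * 25}
            for auid, s in signals.items() if len(s) >= threshold}
```

With the constructed input only the session for auid 1000 reaches all three signals; auid 1001 ran a setuid binary but never touched AF_ALG or splice, so it is not reported.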

Data Source

Name                  Platform  Sourcetype  Source
Linux Auditd Syscall  Linux     auditd      auditd

Macros Used

Name                                                Value
linux_auditd                                        sourcetype="auditd"
linux_auditd_copy_fail_privilege_escalation_filter  search *

linux_auditd_copy_fail_privilege_escalation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK

ID     Technique                                Tactic
T1068  Exploitation for Privilege Escalation    Privilege Escalation

Kill Chain Phases: Exploitation
NIST: DE.CM
CIS: CIS 10

CVE

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To implement this detection, begin by ingesting auditd data consisting of SYSCALL, TYPE, EXECVE and PROCTITLE events, which capture command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using the Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. Ensure specifically that AF_ALG socket creation and the splice syscall are being monitored. Next, normalize the field names to match those set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and improve the efficiency of data modeling, and make sure the type=CWD record type is enabled in your auditd configuration. This approach enables effective monitoring and detection on Linux endpoints where auditd is deployed.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Privilege escalation attempt leveraging the Copy Fail vulnerability was observed on $dest$.

Risk Object  Risk Object Type  Risk Score  Threat Objects
dest         system            50          exe

References

Detection Testing

Test Type    Status   Dataset  Source  Sourcetype
Validation   Passing  N/A      N/A     N/A
Unit         Passing  Dataset  auditd  auditd
Integration  Passing  Dataset  auditd  auditd

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1