Product
high
advisory
Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket
2 rules 2 TTPs 1 CVEThis rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.
Auditbeat +1
privilege-escalation
linux
vulnerability
cve-2026-31431
2r
2t
1c
medium
advisory
Unusual Process Connecting to Docker or Containerd Socket
2 rules 3 TTPsAn unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.
Auditbeat +4
container
privilege-escalation
lateral-movement
linux
2r
3t
medium
advisory
Suspicious Unshare Usage for Namespace Manipulation
2 rules 2 TTPsThe `unshare` command is used to create new namespaces in Linux, which can be exploited to break out of containers or elevate privileges by creating namespaces that bypass security controls.
Elastic Defend +3
privilege-escalation
container-escape
linux
2r
2t