{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/auditbeat/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","vulnerability","cve-2026-31431"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eCVE-2026-31431, dubbed Copy Fail, is a Linux kernel vulnerability that allows an attacker to write controlled bytes into the page cache of a readable file by abusing the \u003ccode\u003eauthencesn\u003c/code\u003e AEAD path through AF_ALG and \u003ccode\u003esplice()\u003c/code\u003e. Public exploitation targets setuid-root binaries such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e, then executes the corrupted in-memory copy to gain root. The vulnerability lies in the shared host page cache, making container-originated activity a possible node-compromise attempt. This exploit leverages the AF_ALG interface, which, while uncommon for unprivileged users, may be used in specific environments like kernel crypto testing or HSM integrations. Defenders should prioritize patching vulnerable kernels and restricting AF_ALG socket creation for untrusted workloads to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user initiates multiple AF_ALG socket creation events (auditd.data.syscall == \u0026ldquo;socket\u0026rdquo; and auditd.data.a0 == \u0026ldquo;26\u0026rdquo;) or splice operations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the vulnerability to corrupt the page cache of a setuid-root binary, such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the targeted setuid-root binary (e.g., \u003ccode\u003e/usr/bin/su\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the corrupted page cache, the executed binary behaves in an unexpected manner, leading to a privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe process transitions to a root UID, indicating successful privilege escalation.\u003c/li\u003e\n\u003cli\u003eA root shell is spawned, providing the attacker with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions requiring root privileges, such as creating persistence mechanisms or accessing sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially compromises the entire host or node, especially in containerized environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to privilege escalation, allowing attackers to gain root access on the affected Linux system. This can result in complete system compromise, data exfiltration, and the ability to install malware or create persistent backdoors. In containerized environments, a compromised container can lead to node compromise, affecting other containers running on the same host. The vulnerability affects systems running vulnerable kernel versions, potentially impacting a wide range of servers and workstations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Socket Creation Burst\u0026rdquo; to detect initial exploitation attempts based on AF_ALG socket activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Privilege Escalation\u0026rdquo; to detect privilege escalation attempts by monitoring executed processes with an effective user ID of root.\u003c/li\u003e\n\u003cli\u003eImmediately patch the kernel with the vendor fix for CVE-2026-31431 to eliminate the underlying vulnerability.\u003c/li\u003e\n\u003cli\u003eUntil patching is possible, consider blocking \u003ccode\u003ealgif_aead\u003c/code\u003e module loading or restricting AF_ALG socket creation via seccomp for untrusted workloads.\u003c/li\u003e\n\u003cli\u003eAdd audit rules for \u003ccode\u003esocket\u003c/code\u003e, \u003ccode\u003esplice\u003c/code\u003e, and \u003ccode\u003ebind\u003c/code\u003e events as described in the rule\u0026rsquo;s Setup instructions to ensure comprehensive monitoring of AF_ALG related syscalls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T16:24:01Z","date_published":"2026-04-30T16:24:01Z","id":"/briefs/2024-01-cve-2026-31431-exploitation/","summary":"This rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.","title":"Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-31431-exploitation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager","Docker","containerd","kubelet"],"_cs_severities":["medium"],"_cs_tags":["container","privilege-escalation","lateral-movement","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","Docker","Kubernetes"],"content_html":"\u003cp\u003eThis threat involves unauthorized processes connecting directly to container runtime sockets (Docker or Containerd) on Linux systems. This bypasses Kubernetes API server restrictions, potentially allowing attackers to create, execute, or manipulate containers without proper authorization or logging. The risk lies in attackers circumventing RBAC, admission webhooks, and pod security standards. The attack can start when a compromised process attempts to connect to the Docker or Containerd socket, potentially leading to privilege escalation and lateral movement within the containerized environment. This attack is significant because it undermines core security controls within container orchestration platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or compromised process gains initial access to the host system.\u003c/li\u003e\n\u003cli\u003eThe process attempts to connect to the container runtime socket (e.g., \u003ccode\u003e/var/run/docker.sock\u003c/code\u003e or \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe process bypasses the Kubernetes API server and associated security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the direct socket connection to create a new container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive data or resources within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the compromised container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised container to move laterally to other containers or hosts within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Kubernetes security measures, create unauthorized containers, and potentially gain control over the entire cluster. The observed impact includes privilege escalation, lateral movement, and data exfiltration. The severity of this attack depends on the level of access granted to the compromised container and the sensitivity of the data and resources within the cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Auditd Manager to capture network and socket events, specifically monitoring for \u003ccode\u003econnect\u003c/code\u003e calls to Unix sockets as described in the \u003ca href=\"https://docs.elastic.co/integrations/auditd_manager\"\u003eAuditd Manager documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unusual Process Connecting to Docker or Containerd Socket\u0026rdquo; to detect suspicious processes connecting to container runtime sockets, tuning \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003euser.name\u003c/code\u003e for known legitimate processes.\u003c/li\u003e\n\u003cli\u003eMonitor file permissions on the socket paths (\u003ccode\u003e/var/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/var/run/containerd/containerd.sock\u003c/code\u003e, \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e) and restrict access to trusted groups only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-container-socket-connection/","summary":"An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.","title":"Unusual Process Connecting to Docker or Containerd Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-container-socket-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Auditbeat","Elastic Endgame","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","container-escape","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003eunshare\u003c/code\u003e command in Linux is a utility used to create new namespaces, providing isolation for processes. While crucial for containerization and security, attackers can misuse \u003ccode\u003eunshare\u003c/code\u003e to escape container boundaries or escalate privileges by manipulating system namespaces. This occurs by creating namespaces that bypass established security controls. This activity is often observed when threat actors attempt to gain unauthorized access to host resources or elevate their privileges within a compromised system. The focus of this detection is on identifying unusual \u003ccode\u003eunshare\u003c/code\u003e executions that deviate from legitimate system management activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, potentially through exploiting a vulnerability in a containerized application.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eunshare\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eunshare\u003c/code\u003e creates new namespaces, isolating the attacker\u0026rsquo;s process from the rest of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to mount sensitive directories from the host system into the new namespace.\u003c/li\u003e\n\u003cli\u003eUsing the newly gained access, the attacker attempts to modify system files, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e or \u003ccode\u003e/etc/shadow\u003c/code\u003e, to create new privileged accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to install persistent backdoors or malware on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via \u003ccode\u003eunshare\u003c/code\u003e can lead to privilege escalation, container escape, and unauthorized access to sensitive resources on the host system. The impact includes potential data breaches, system compromise, and lateral movement within the network. While the number of victims is unknown, the widespread use of containerization technologies makes this a significant threat, particularly for organizations relying on Linux-based container environments and cloud infrastructures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNamespace Manipulation Using Unshare\u003c/code\u003e to your SIEM to detect suspicious \u003ccode\u003eunshare\u003c/code\u003e command executions and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Auditbeat or Elastic Defend to collect the necessary process execution data to trigger the provided Sigma rule, as outlined in the rule\u0026rsquo;s \u003ccode\u003esetup\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and tune the provided Sigma rule\u0026rsquo;s exclusion list based on your environment\u0026rsquo;s legitimate use cases for \u003ccode\u003eunshare\u003c/code\u003e, as described in the \u0026ldquo;False positive analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring and alerting for unusual \u003ccode\u003eunshare\u003c/code\u003e usage patterns to enhance detection capabilities and prevent future occurrences as recommended in the \u0026ldquo;Response and remediation\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-unshare-namespace-manipulation/","summary":"The `unshare` command is used to create new namespaces in Linux, which can be exploited to break out of containers or elevate privileges by creating namespaces that bypass security controls.","title":"Suspicious Unshare Usage for Namespace Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-unshare-namespace-manipulation/"}],"language":"en","title":"CraftedSignal Threat Feed — Auditbeat","version":"https://jsonfeed.org/version/1.1"}