// Burst of socket() calls (syscall 41) from an unprivileged user, followed within
// 10s by a child of that process exec'ing su (syscall 59) with an effective uid of root.
// NOTE(review): auditd.log.syscall is compared as a number here; if your mapping stores it as
// keyword, compare against "41" / "59" instead — confirm against the index mapping.
sequence by host.name with maxspan=10s
  // runs=10: ten successive socket() records from the same non-root pid
  [ process where auditd.log.UID != "root" and auditd.log.syscall == 41 ] by process.pid with runs=10
  // the privileged su exec, keyed on the parent pid so it joins to the socket-spraying process
  // (assumes su lives at /usr/bin/su, i.e. a usr-merged system)
  [ process where process.executable == "/usr/bin/su"
      and auditd.log.EUID == "root"
      and auditd.log.UID != "root"
      and auditd.log.syscall == 59 ] by process.parent.pid
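index=linux* sourcetype IN ("auditd", "linux:auditd:enriched") TERM(SYSCALL) type=SYSCALL
    ((syscall=41 uid!="0" uid!="4294967295") OR (syscall=59 uid!="0" euid="0" exe="/usr/bin/su"))
``` uid 4294967295 is the kernel's "unset" uid (-1). socket() records (syscall 41) carry the pid of the process doing the AF_ALG spray; the su execve (syscall 59) is recorded under the child's pid with ppid pointing back at that process (the EQL counterpart joins process.pid to process.parent.pid). Key both record types on the spraying process so the two counts land in the same stats row. ```
| eval actor_pid = if(syscall=59, ppid, pid)
| bin _time span=1m
| stats
    values(exe) AS exe
    values(pid) AS pids
    values(ppid) AS ppid
    values(uid) AS uids
    values(UID) AS user
    count(eval(syscall=41)) AS af_alg_socket_count
    count(eval(syscall=59)) AS priv_execve_count
    by _time, host, actor_pid
``` require the socket() burst (mirrors runs=10 in the EQL version) plus at least one privileged su execve in the same minute ```
| where af_alg_socket_count >= 10 AND priv_execve_count > 0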
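// Count modprobe autoload requests for the AF_ALG family (net-pf-38), the algif_aead
// interface and the authencesn template, per host and per minute, so a burst on one
// host is not diluted into a single fleet-wide total.
// NOTE(review): assumes auditd.log.proctitle is already hex-decoded by the ingest
// pipeline; raw audit proctitle values are hex strings — confirm for your pipeline.
FROM logs-*
| WHERE auditd.log.proctitle RLIKE "/sbin/modprobe.*(net-pf-38|algif-aead|crypto-authencesn).*"
| EVAL
    is_net_pf_38 = CASE(auditd.log.proctitle RLIKE "/sbin/modprobe.*net-pf-38.*", 1, 0),
    is_algif_aead = CASE(auditd.log.proctitle RLIKE "/sbin/modprobe.*algif-aead.*", 1, 0),
    is_crypto_authencesn = CASE(auditd.log.proctitle RLIKE "/sbin/modprobe.*crypto-authencesn.*", 1, 0)
| STATS
    net_pf_38 = SUM(is_net_pf_38),
    algif_aead = SUM(is_algif_aead),
    crypto_authencesn = SUM(is_crypto_authencesn)
  BY host.name, minute = DATE_TRUNC(1 minute, @timestamp)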
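index=linux* sourcetype IN ("auditd", "linux:auditd:enriched") TERM(proctitle)
| rex "proctitle=(?P<proctitle>.*)"
``` audit hex-encodes proctitle (argv joined by NUL bytes) when it holds unprintable characters; only decode values that are entirely hex. A plain quoted proctitle just loses its surrounding quotes, so digit / A-F pairs inside readable text (e.g. the "38" of net-pf-38) are not mangled by the percent-decode. ```
| eval proctitle_clean = if(match(proctitle, "^[0-9A-F]+$"),
                            urldecode(replace(proctitle, "([0-9A-F]{2})", "%\1")),
                            trim(proctitle, "\""))
| search proctitle_clean="*/sbin/modprobe*" AND proctitle_clean IN ("*net-pf-38*", "*algif-aead*", "*crypto-authencesn*")
| eval
    is_net_pf_38 = if(match(proctitle_clean, ".*net-pf-38.*"), 1, 0),
    is_algif_aead = if(match(proctitle_clean, ".*algif-aead.*"), 1, 0),
    is_crypto_authencesn = if(match(proctitle_clean, ".*crypto-authencesn.*"), 1, 0)
| bin _time span=1m
``` per-host, per-minute counts of each module autoload request ```
| stats
    sum(is_net_pf_38) AS net_pf_38
    sum(is_algif_aead) AS algif_aead
    sum(is_crypto_authencesn) AS crypto_authencesn
    by host, _time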