T1068 is the post-foothold privilege-escalation move that turns a normal account into a system or root account by exploiting a software bug, often a Linux kernel issue like the AF_ALG socket primitive abuse documented in CVE-2026-31431. DCV maps cloud-relevant priv-esc signals through Azure Defender and Azure Policy: missing patches, insecure container configurations, kernel vulnerabilities surfaced by the cloud vulnerability scanner. CloudSigma ships endpoint-tagged rules from CVE inputs so a fresh exploit disclosure produces a Sigma rule before the typical SOC has triaged the advisory.
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.
Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD). Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.
Platforms: Containers, Linux, macOS, Windows.
DCV maps 17 detections across 3 cloud providers to T1068. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| Azure Policy | Azure | 6 | 0.84 |
| AWS Config Rules | AWS | 5 | 0.65 |
| Microsoft Defender for Cloud | Azure | 4 | 0.86 |
| AWS Security Hub | AWS | 1 | 0.75 |
| GCP Chronicle | GCP | 1 | 0.90 |
CloudSigma ships 3 production-ready Sigma rules that detect T1068 across 3 platforms. Every rule below is validated against its source SIEM dialect before publication.
```yaml
title: AF_ALG Socket Creation by Non-Crypto Tooling (CVE-2026-31431 Copy Fail)
id: cd627699-056b-48e4-97c5-641fa7a2d832
status: stable
description: >
  Detects user-space creation of an AF_ALG socket by a process that
  is not part of the small set of legitimate kernel-crypto-API
  consumers (libkcapi, cryptsetup, strongSwan/charon, ipsec). AF_ALG
  sockets expose the kernel crypto subsystem to user space; the
  family is rarely used outside the listed tools, and the
  CVE-2026-31431 "Copy Fail" exploit chain begins with
  socket(AF_ALG, SOCK_SEQPACKET, 0) followed by bind() of an
  algif_aead transform such as authencesn(...) and a splice() that
  triggers the 4-byte arbitrary page-cache write against readable
  files (typically setuid binaries). Catching the unusual AF_ALG
  socket creation upstream of bind/splice gives the earliest
  auditd-visible signal of the exploit path. Pair this with
  `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` in
  audit.rules so SYSCALL records carry the AF_ALG family value.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-31431
  - https://www.kernel.org/doc/html/latest/crypto/userspace-if.html
  - https://attack.mitre.org/techniques/T1068/
author: CloudSigma
date: 2026-05-03
tags:
  - attack.privilege-escalation
  - attack.t1068
logsource:
  product: linux
  service: auditd
detection:
  selection_af_alg_socket:
    type: SYSCALL
    # Field values must match the representation your pipeline stores: raw
    # audit records carry the syscall as a number (41 on x86_64) and the
    # arguments in hex (AF_ALG 38 appears as a0=26); ausearch -i style
    # interpreted records carry the syscall by name. Adjust syscall/a0 to
    # the form actually ingested.
    syscall: socket
    a0: '38'
  filter_known_crypto_tools:
    exe|endswith:
      - /cryptsetup
      - /veritysetup
      - /integritysetup
      - /kcapi-enc
      - /kcapi-dgst
      - /kcapi-hasher
      - /kcapi-rng
      - /kcapi-rsa-test
      - /charon
      - /charon-systemd
      - /swanctl
      - /ipsec
      - /strongswan
      - /chronyd
  condition: selection_af_alg_socket and not filter_known_crypto_tools
falsepositives:
  - Bespoke applications that use the kernel crypto API directly via
    AF_ALG (rare). Baseline by exe path and parent process; if a new
    legitimate consumer appears, extend filter_known_crypto_tools.
  - Distribution-specific crypto helpers not present in the filter
    list. Verify the exe path matches the distro package and add it
    to the filter rather than suppressing the alert.
level: high
```
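As an added illustration (not part of the CloudSigma rule or the DCV product), the rule's selection and filter logic applied in Python to constructed raw auditd SYSCALL records. It assumes the records were produced by the audit rule quoted in the description on an x86_64 host, so socket() appears as syscall number 41 and the family argument a0 is logged in hex (AF_ALG = 38 = 0x26).

```python
import re

AF_ALG = 38                 # socket family; raw auditd records log a0 in hex, so it shows as a0=26
SOCKET_SYSCALL_X86_64 = 41  # socket(2) number on x86_64 (arch=c000003e); assumed for these records

# Same allow-list as the rule's filter_known_crypto_tools, applied with endswith on exe
KNOWN_CRYPTO_TOOLS = (
    "/cryptsetup", "/veritysetup", "/integritysetup", "/kcapi-enc", "/kcapi-dgst",
    "/kcapi-hasher", "/kcapi-rng", "/kcapi-rsa-test", "/charon", "/charon-systemd",
    "/swanctl", "/ipsec", "/strongswan", "/chronyd",
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs; values may be double-quoted

def parse_record(line):
    """Split one raw auditd record into a field dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_af_alg_socket(rec):
    """selection_af_alg_socket: a SYSCALL record for socket() whose family (a0) is AF_ALG."""
    if rec.get("type") != "SYSCALL":
        return False
    if rec.get("syscall") not in ("socket", str(SOCKET_SYSCALL_X86_64)):  # ausearch -i name or raw number
        return False
    try:
        return int(rec.get("a0", ""), 16) == AF_ALG   # hex, as logged in raw records
    except ValueError:
        return False

def alert(line):
    """Whole rule: selection and not filter. Returns the alert fields, or None when it does not fire."""
    rec = parse_record(line)
    if not is_af_alg_socket(rec) or rec.get("exe", "").endswith(KNOWN_CRYPTO_TOOLS):
        return None
    return {"pid": rec.get("pid"), "uid": rec.get("uid"), "exe": rec.get("exe"), "comm": rec.get("comm")}

# Constructed sample records (not real captures) in raw auditd SYSCALL format
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1746266400.101:4501): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="unknown" exe="/tmp/unknown-bin" key="af_alg"',
    'type=SYSCALL msg=audit(1746266400.102:4502): arch=c000003e syscall=41 success=yes exit=4 '
    'a0=26 a1=5 a2=0 a3=0 ppid=1 pid=2201 auid=4294967295 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"',
    'type=SYSCALL msg=audit(1746266400.103:4503): arch=c000003e syscall=41 success=yes exit=5 '
    'a0=2 a1=1 a2=6 a3=0 ppid=1200 pid=1300 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"',
]

def run(lines=SAMPLE_LOG):
    """Evaluate the rule over a list of records and return the alerts that fire."""
    return [a for a in map(alert, lines) if a is not None]
```

Only the first record fires: the cryptsetup record is suppressed by the exe allow-list and the curl record is an AF_INET socket (a0=2), so it never enters the selection.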
DCV maps 17 cloud-native detections to T1068 across 3 cloud providers, drawn from AWS Config Rules, AWS Security Hub, Azure Policy, GCP Chronicle and Microsoft Defender for Cloud.
T1068 belongs to the MITRE ATT&CK tactic TA0004 Privilege Escalation, which covers how adversaries gain higher privileges than they were given.
CloudSigma ships 4 validated Sigma rules for T1068 across Linux auditd, Windows Security and Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.