Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket

Elastic Detection Rules

Summary
This rule detects a high-risk post-exploitation pattern associated with Copy Fail (CVE-2026-31431) exploitation that abuses the Linux kernel AF_ALG interface and related splice/bound-socket activity to prepare a privileged in-memory operation, followed by execution of a setuid-root binary. The correlation looks for a burst of non-root events involving AF_ALG sockets, splice system calls, or bound-socket activity within a 60-second window, followed by a process execution where the effective user becomes root while the real login user remains non-root. The detection requires multiple (runs=10) qualifying events across the same process and host before the final execution event, which helps reduce noise from legitimate AF_ALG usage.

The execution event is considered suspicious when it transitions to root (user.effective.id == 0) from a non-root login (user.id != 0), or when a shell-like interpreter launches with command-line arguments often used for ad-hoc or scripted privilege escalation. The rule maps to MITRE ATT&CK techniques T1068 (Exploitation for Privilege Escalation) and T1548.001 (Setuid and Setgid), corresponding to privilege escalation via setuid-root binaries such as su, sudo, passwd, mount, newgrp, gpasswd, or chfn. The detected sequence aligns with post-exploitation chains where AF_ALG/splice primitives are leveraged to influence the page cache, enabling execution of a corrupted in-memory copy of a setuid-root binary without modifying on-disk files, which complicates traditional file-integrity checks.

Investigations should correlate host, user, and process context, examine process.executable and command_line, inspect related audit events, and examine container boundaries where applicable. If validated as malicious, isolate the host, terminate suspicious processes, review credentials and tokens accessible to the involved user, and apply the kernel patch, or interim mitigations (e.g., blocking AF_ALG usage or restricting socket-related primitives via seccomp) until the host is patched. The rule is designed for environments integrating Auditbeat or Auditd Manager to capture process and network syscall activity on Linux endpoints. The associated threat guidance includes steps to assess, quarantine, and remediate, along with references to CVE-2026-31431 and related kernel/crypto documentation.
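The correlation described above, written out as an added Python example that is not Elastic's rule source (the real rule is EQL). The event shape, field names, and the action labels af_alg_socket, splice and bind are simplified constructed assumptions; only the root-transition branch of the final execution check is implemented, not the shell-interpreter branch.

```python
from collections import defaultdict

WINDOW_SECONDS = 60   # correlation window from the rule summary
RUNS = 10             # minimum preparatory events before the exec
SETUID_BINARIES = {"su", "sudo", "passwd", "mount", "newgrp", "gpasswd", "chfn"}
PREP_ACTIONS = {"af_alg_socket", "splice", "bind"}  # constructed action labels


def is_prep_event(ev):
    """Non-root AF_ALG socket, splice, or bound-socket activity."""
    return ev["action"] in PREP_ACTIONS and ev["uid"] != 0


def is_root_transition(ev):
    """Exec of a setuid-root binary where euid is 0 but the login uid is not."""
    name = ev["exe"].rsplit("/", 1)[-1]
    return (ev["action"] == "exec" and ev["euid"] == 0
            and ev["uid"] != 0 and name in SETUID_BINARIES)


def correlate(events):
    """(host, pid, ts) of each exec preceded by >= RUNS prep events in-window."""
    prep = defaultdict(list)          # (host, pid) -> timestamps of prep events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if is_prep_event(ev):
            prep[key].append(ev["ts"])
        elif is_root_transition(ev):
            lo = ev["ts"] - WINDOW_SECONDS
            if sum(1 for t in prep[key] if lo <= t <= ev["ts"]) >= RUNS:
                alerts.append((ev["host"], ev["pid"], ev["ts"]))
    return alerts


def _ev(pid, ts, action, exe, euid=1000):
    """Constructed ECS-like event; uid 1000 is the non-root login user."""
    return {"host": "h1", "pid": pid, "uid": 1000, "euid": euid,
            "ts": ts, "action": action, "exe": exe}


# Constructed sample: pid 4242 issues 12 AF_ALG/splice calls then execs su with
# euid 0 (alerts); pid 5151 makes 3 benign AF_ALG calls then sudo (no alert).
SAMPLE = (
    [_ev(4242, 100 + i, "af_alg_socket" if i % 2 else "splice", "/opt/tool") for i in range(12)]
    + [_ev(4242, 130, "exec", "/usr/bin/su", euid=0)]
    + [_ev(5151, 100 + i, "af_alg_socket", "/usr/bin/openssl") for i in range(3)]
    + [_ev(5151, 140, "exec", "/usr/bin/sudo", euid=0)]
)

if __name__ == "__main__":
    print(correlate(SAMPLE))  # [('h1', 4242, 130)]
```

The second process shows why the runs=10 threshold matters: a single setuid exec after a handful of AF_ALG calls is ordinary crypto-API usage and stays silent.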
Categories
  • Endpoint
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1068
  • T1548
  • T1548.001
Created: 2026-04-29