
Linux PF_ALG Registration Outside of Boot Window

Splunk Security Content

Summary
The Linux PF_ALG Registration Outside of Boot Window analytic detects when the kernel registers the AF_ALG crypto socket interface more than 300 seconds after system boot. Exploitation of CVE-2026-31431 (Copy-Fail) reaches the vulnerable kernel crypto code paths through AF_ALG. On Debian/Ubuntu derivatives where the af_alg module is not loaded at boot, the first AF_ALG socket an exploit creates causes the kernel to load the module on demand, and the kernel logs the registration at that moment. An unprivileged process can trigger this autoload, so a registration that appears long after boot is a candidate indicator of exploitation in progress.

The detection relies on Linux kernel messages (sourcetype linux_messages_syslog): it matches the event "NET: Registered PF_ALG protocol family" and extracts the kernel uptime from the bracketed printk timestamp on the log line. If the uptime is greater than 300 seconds, the rule flags a potential post-boot privilege escalation attempt. The finding maps to MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation) and to CVE-2026-31431, which helps analysts correlate it with related crash, log, and kernel-modification activity.

The rule targets endpoint assets, particularly Linux hosts in the Debian/Ubuntu family, and is most effective on servers where boot-time configuration is expected to be stable. Legitimate late loading of AF_ALG (for example on-demand LUKS, IPsec, or OpenSSL afalg usage) produces the same kernel message and can cause false positives, so baselining and contextual correlation are recommended. Note also that on hosts where af_alg is built into the kernel or loaded during boot, the message always falls inside the window and this rule will not fire; it is a signal only where on-demand loading is the norm.

Remediation involves applying patched kernel versions, enabling auto-loading of required crypto interfaces at boot where safe, and restricting unprivileged module loading (for example by blacklisting af_alg through modprobe configuration on hosts that do not need it). See references for Copy-Fail background and implementation notes.
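The detection logic described above, run offline over a handful of constructed syslog lines. This is an added illustration and not the Splunk search or any code from Splunk Security Content; the log format, hostnames, and timestamps are assumed (standard kern.log style with the printk uptime in square brackets), and the 300-second window is taken from the summary. The `detect_late_pf_alg` and `parse_kernel_line` names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Boot window from the detection: a PF_ALG registration logged after this
# many seconds of uptime is flagged.
BOOT_WINDOW_SECONDS = 300.0

# Assumed line shape (classic syslog prefix or an ISO timestamp), e.g.
#   "Jun 12 10:01:22 host kernel: [  312.456789] NET: Registered PF_ALG protocol family"
# The bracketed number is the printk timestamp: seconds since boot.
KERNEL_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+kernel:\s+\[\s*(?P<uptime>\d+\.\d+)\]\s+(?P<msg>.*)$"
)
PF_ALG_MSG = "NET: Registered PF_ALG protocol family"


@dataclass
class Finding:
    host: str
    timestamp: str
    uptime_seconds: float
    message: str


def parse_kernel_line(line: str) -> Optional[dict]:
    """Return the fields of a kernel log line, or None for non-kernel or malformed lines."""
    m = KERNEL_LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["uptime"] = float(rec["uptime"])
    return rec


def detect_late_pf_alg(lines: Iterable[str], window: float = BOOT_WINDOW_SECONDS) -> List[Finding]:
    """Flag PF_ALG registrations whose kernel uptime exceeds the boot window."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_kernel_line(line)
        if rec is None or PF_ALG_MSG not in rec["msg"]:
            continue
        if rec["uptime"] > window:
            findings.append(Finding(rec["host"], rec["ts"], rec["uptime"], rec["msg"]))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # Boot-time registration on web01: expected, inside the window.
    "Jun 12 09:55:07 web01 kernel: [    4.213001] NET: Registered PF_ALG protocol family",
    # Unrelated kernel message, ignored.
    "Jun 12 09:55:08 web01 kernel: [    5.001422] EXT4-fs (sda1): mounted filesystem with ordered data mode",
    # Registration a day after boot on web01: flagged.
    "Jun 13 09:55:19 web01 kernel: [86412.300000] NET: Registered PF_ALG protocol family",
    # db01 registers two minutes after boot: inside the window, not flagged.
    "Jun 12 11:02:00 db01 kernel: [  120.000000] NET: Registered PF_ALG protocol family",
    # A non-kernel line and a malformed line, both ignored by the parser.
    "Jun 12 11:02:01 db01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5",
    "not a syslog line",
]

if __name__ == "__main__":
    for f in detect_late_pf_alg(SAMPLE_LOG):
        print(f"{f.host} {f.timestamp} uptime={f.uptime_seconds:.1f}s: {f.message}")
```

Because the signal is purely "uptime at registration", a host that loads af_alg at boot never produces a finding; lowering the window (the second argument) is how you would trade false negatives for false positives when baselining a fleet, and the db01 line shows the effect.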
Categories
  • Endpoint
  • Linux
Data Sources
  • Kernel
ATT&CK Techniques
  • T1068
Created: 2026-06-12