Authencesn Crypto Module Load via Modprobe - Copy-Fail Indicator
Detects kernel auto-loading of the authencesn crypto module via modprobe This occurs when user-space code creates an AF_ALG socket and binds the authencesn AEAD cipher (e.g., authencesn(hmac(sha256),cbc(aes))). The kernel invokes modprobe to load the crypto module. This is a key indicator of CVE-2026-31431 (Copy Fail) exploitation, where the authencesn cipher is used to trigger a buffer overflow in the AF_ALG AEAD splice path, corrupting the page cache of SUID binaries for local privilege escalation.
On Linux systems, modprobe is typically a symlink to kmod, so the process image will be /usr/bin/kmod (or /bin/kmod) with 'modprobe' appearing in the command line.
Sigma rule (View on GitHub)
1title: Authencesn Crypto Module Load via Modprobe - Copy-Fail Indicator
2id: 474b415a-d917-4f3b-8c62-9e1a0d5f7b48
3status: experimental
4description: |
5 Detects kernel auto-loading of the authencesn crypto module via modprobe
6 This occurs when user-space code creates an AF_ALG socket and binds the authencesn AEAD cipher
7 (e.g., authencesn(hmac(sha256),cbc(aes))). The kernel invokes modprobe to load the
8 crypto module. This is a key indicator of CVE-2026-31431 (Copy Fail) exploitation,
9 where the authencesn cipher is used to trigger a buffer overflow in the AF_ALG AEAD splice path,
10 corrupting the page cache of SUID binaries for local privilege escalation.
11
12 On Linux systems, modprobe is typically a symlink to kmod, so the process image will be /usr/bin/kmod (or /bin/kmod)
13 with 'modprobe' appearing in the command line.
14references:
15 - https://www.linkedin.com/posts/stamatis-chatzimangou_copyfail-kql-activity-7455582422215114752-S4RW/
16 - https://www.splunk.com/en_us/blog/security/detecting-copy-fail-cve-2026-31431-phenomenal-power-itty-bitty-script.html
17 - https://nvd.nist.gov/vuln/detail/CVE-2026-31431
18 - https://man7.org/linux/man-pages/man8/modprobe.8.html
19 - https://www.kernel.org/doc/html/latest/crypto/userspace-if.html
20author: Gene Kazimiarovich
21date: 2026-05-09
22tags:
23 - attack.privilege-escalation
24 - attack.t1068
25 - attack.persistence
26 - attack.t1547.006
27 - detection.emerging-threats
28 - cve.2026-31431
29logsource:
30 category: process_creation
31 product: linux
32detection:
33 selection_kmod:
34 Image|endswith: '/kmod'
35 CommandLine|contains|all:
36 - 'modprobe'
37 - 'crypto-authencesn('
38 selection_modprobe:
39 Image|endswith: '/modprobe'
40 CommandLine|contains: 'crypto-authencesn('
41 condition: 1 of selection_*
42falsepositives:
43 - Legitimate manual loading of the authencesn module by administrators for kernel crypto benchmarking or IPsec configuration (near-zero in production)
44level: high
References
Related rules
- Exploiting SetupComplete.cmd CVE-2019-1378
- Process Explorer Driver Creation By Non-Sysinternals Binary
- Process Monitor Driver Creation By Non-Sysinternals Binary
- APT27 - Emissary Panda Activity
- Atomic MacOS Stealer - Persistence Indicators