Copy Fail writes to the page cache without touching disk, so inotify, AIDE, and Tripwire are all blind to it. I put together a layered detection approach: auditd rules for AF_ALG socket creation (family 38), an eBPF monitor that correlates the full exploit chain per-PID, a page-cache vs. on-disk divergence checker for setuid binaries and /etc/passwd, plus Sigma and YARA rules. Everything is stdlib Python or shell, no exotic dependencies outside bcc for the eBPF piece.
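A minimal page-cache vs. on-disk divergence checker of the kind described above, as an added illustration rather than the author's toolkit: it hashes each file once through the normal read path (page cache) and once with O_DIRECT (bypassing the cache) and flags any mismatch. It assumes Linux and a filesystem that honours O_DIRECT; where the filesystem refuses it, the file is reported as unsupported rather than silently passed.

```python
import errno
import hashlib
import mmap
import os
import stat

CHUNK = 1 << 20  # 1 MiB: page-aligned length, a multiple of any sector size

def hash_cached(path):
    """SHA-256 of the file as the page cache serves it (what execve and libc see)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def hash_direct(path):
    """SHA-256 of the on-disk bytes, read with O_DIRECT so the page cache is bypassed.
    Returns None when the filesystem rejects O_DIRECT with EINVAL (e.g. some tmpfs)."""
    fd, buf, h = -1, mmap.mmap(-1, CHUNK), hashlib.sha256()  # anon mmap is page-aligned
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)  # Linux-only flag (assumed)
        while (n := os.readv(fd, [buf])) > 0:  # short read at EOF is allowed
            h.update(buf[:n])
        return h.hexdigest()
    except OSError as e:
        if e.errno == errno.EINVAL:
            return None
        raise
    finally:
        if fd >= 0:
            os.close(fd)
        buf.close()

def check_file(path):
    """'consistent', 'divergent' (cached bytes differ from disk), or 'unsupported'."""
    direct = hash_direct(path)
    if direct is None:
        return "unsupported"
    return "consistent" if direct == hash_cached(path) else "divergent"

def setuid_binaries(dirs=("/usr/bin", "/usr/sbin")):
    """Regular files carrying the setuid bit directly under the given directories."""
    for d in dirs:
        for entry in os.scandir(d) if os.path.isdir(d) else ():
            if entry.is_file(follow_symlinks=False) and entry.stat(follow_symlinks=False).st_mode & stat.S_ISUID:
                yield entry.path

if __name__ == "__main__":
    # A 'divergent' hit means the bytes the kernel serves are not the bytes on disk.
    for p in ["/etc/passwd", *setuid_binaries()]:
        status = check_file(p)
        if status != "consistent":
            print(f"{status}: {p}")
```

Dirty pages from a legitimate in-flight write can also read as divergent until writeback completes, so re-check a hit after a `sync` before treating it as a finding.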