
Summary
Detects Linux process executions where the command or interpreter referenced in the process arguments touches /etc/kubernetes/manifests. This directory stores the static pod manifests that the kubelet reads; tampering with or staging manifests via editors, downloaders, kubectl, redirection utilities (tee, dd), or scripting runtimes can indicate persistence or placement of a privileged workload. The rule matches processes that invoke common shells or editors (bash, sh, dash, zsh, cat, vi, vim, nano, etc.) with arguments referencing /etc/kubernetes/manifests, while excluding manifests known to be part of a healthy cluster (etcd*, kube-apiserver*, kube-scheduler*, kube-controller-manager*).

It relies on process telemetry (process.args/process.executable) and detects attempts to read or modify manifests on a Kubernetes node. It pairs with file-telemetry detections for direct manifest creation or modification on container workloads, enabling correlation with Kubernetes and node telemetry.

The MITRE mapping highlights Scheduled Task/Job: Container Orchestration Job (T1053.007) and Create or Modify System Process: Container Service (T1543.005) as candidate techniques, consistent with attempts to load or modify privileged pod configurations.

Triage focuses on the full command line, session interactivity, host role (Kubernetes node vs admin jump host), and subsequent activity on the same host. Remediation involves restoring manifests from known-good sources, isolating the host, and validating cluster integrity per incident policy.
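As an added illustration of the matching logic the summary describes (not the rule's own query), the following Python evaluates constructed process events against an assumed program list, the manifest-directory reference, and the healthy-cluster exclusions:

```python
import fnmatch
import os
import re

MANIFEST_DIR = "/etc/kubernetes/manifests"
# Programs the summary names plus the redirection/download utilities it mentions (assumed set).
WATCHED_PROGRAMS = {"bash", "sh", "dash", "zsh", "cat", "vi", "vim", "nano",
                    "tee", "dd", "kubectl", "curl", "wget", "python3"}
# Manifests expected on a healthy control-plane node; the rule excludes these names.
BENIGN_MANIFESTS = ("etcd*", "kube-apiserver*", "kube-scheduler*", "kube-controller-manager*")
# Pull manifest-dir paths out of any argument, including paths embedded in
# "bash -c" strings or in key=value arguments such as dd's of=/path.
PATH_RE = re.compile(re.escape(MANIFEST_DIR) + r"(?:/[^\s'\"<>;|&]*)?")

def is_benign_manifest(path):
    """True only for a file directly under the manifest dir whose name matches a known-good pattern."""
    name = os.path.relpath(path, MANIFEST_DIR)  # "." when the argument is the directory itself
    return name != "." and "/" not in name and any(fnmatch.fnmatch(name, p) for p in BENIGN_MANIFESTS)

def evaluate(event):
    """Return the referenced manifest path if the process event matches the rule, else None."""
    if os.path.basename(event["executable"]) not in WATCHED_PROGRAMS:
        return None
    for arg in event["args"]:
        for path in PATH_RE.findall(arg):
            if not is_benign_manifest(path):
                return path
    return None

def run_rule(events):
    """Evaluate a batch of events; returns (executable, path) pairs that would alert."""
    return [(e["executable"], p) for e in events if (p := evaluate(e))]

# Constructed sample process telemetry, not real captures.
SAMPLE_EVENTS = [
    {"executable": "/usr/bin/vim", "args": ["vim", "/etc/kubernetes/manifests/kube-apiserver.yaml"]},  # excluded
    {"executable": "/usr/bin/tee", "args": ["tee", "/etc/kubernetes/manifests/custom-pod.yaml"]},       # alert
    {"executable": "/usr/bin/bash", "args": ["bash", "-c", "cat /tmp/p.yaml >/etc/kubernetes/manifests/extra.yaml"]},  # alert
    # A write to an expected name is excluded here, which is why the summary pairs this rule with file telemetry.
    {"executable": "/usr/bin/dd", "args": ["dd", "if=/tmp/p.yaml", "of=/etc/kubernetes/manifests/etcd.yaml"]},
    {"executable": "/usr/bin/ls", "args": ["ls", "-la", "/etc/kubernetes/manifests"]},  # ls not in watched set
]

if __name__ == "__main__":
    for exe, path in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {exe} referenced {path}")
```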
Categories
- Endpoint
- Kubernetes
- Containers
- Linux
Data Sources
- Process
- Command
ATT&CK Techniques
- T1053
- T1053.007
- T1543
- T1543.005
Created: 2026-05-06