
Summary
This rule detects Linux audit events linked to the runc init process where the process runs with effective user ID 0 while the login/user identity is non-root. Such a mismatch can indicate privilege escalation or credential separation abuse within container runtimes, where a process inherits elevated privileges but is associated with a non-root audit identity. The rule relies on auditd data exposed via the Auditd Manager integration and targets process events to capture executions of runc init with identity mismatches. It maps to MITRE ATT&CK technique T1611 (Escape to Host) under the Privilege Escalation tactic, reflecting a potential attempt to break out of container isolation or elevate privileges from within a container. The included query focuses on Linux hosts and filters for process execution events where the process title is runc init and user.effective.id is 0 while user.id is non-root.
Investigation guidance emphasizes cross-checking container workloads, provenance of the runc invocation (orchestrator, image, namespace), and correlating with related events such as namespace changes, mounts, or suspicious image activity. Review audit fields (process, process.parent, user.*, and container/cgroup metadata) to confirm context. Consider whether the observed pattern aligns with legitimate container runtime behavior or security controls (e.g., init contexts, security profiles) before escalating.
If abuse is confirmed, recommended actions include isolating the affected host or workload, rotating credentials exposed to the container, collecting forensic evidence, and rebuilding the workload from a trusted image. Tune detection to reduce false positives by excluding known-good container configurations or specific image/process ancestry that produce expected UID/effective-UID mismatches.
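The matching logic described in the Summary, together with the ancestry-based tuning and the triage fields the investigation guidance lists, as an added example in Python. This is not the rule's own query and not code from the Auditd Manager integration; it reproduces the same conditions (Linux host, process event, process title runc init, user.effective.id of 0, non-root user.id) over constructed ECS-shaped events. The nested field layout, the sample values, and the parent-process allowlist are assumptions made for illustration.

```python
"""Added example: replay the rule's conditions over constructed audit events.

Not the rule's own query. Field names follow the ECS layout the rule summary
refers to (process.title, user.id, user.effective.id); the exact nesting and
every sample value below are assumptions for illustration only.
"""
from typing import Any, Dict, FrozenSet, Iterable, List, Optional

# auditd reports an unattributed login identity (auid) as -1 as a 32-bit unsigned
# value; treating it as "not non-root" keeps daemon-spawned processes from firing.
AUDIT_UID_UNSET = "4294967295"

# Constructed sample events (not real audit data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # runc init with root effective UID but non-root audit identity: should fire
        "event": {"category": ["process"], "type": ["start"]},
        "host": {"os": {"type": "linux"}},
        "process": {"title": "runc init", "name": "runc",
                    "parent": {"name": "containerd-shim", "pid": 4242}},
        "user": {"id": "1000", "name": "deploy", "effective": {"id": "0"}},
        "container": {"id": "constructed-container-id-0001"},
    },
    {   # both identities root: no mismatch, no alert
        "event": {"category": ["process"], "type": ["start"]},
        "host": {"os": {"type": "linux"}},
        "process": {"title": "runc init", "name": "runc",
                    "parent": {"name": "containerd-shim", "pid": 4243}},
        "user": {"id": "0", "name": "root", "effective": {"id": "0"}},
    },
    {   # different process title: out of scope for this rule
        "event": {"category": ["process"], "type": ["start"]},
        "host": {"os": {"type": "linux"}},
        "process": {"title": "bash -c id", "name": "bash", "parent": {"name": "sshd"}},
        "user": {"id": "1000", "name": "deploy", "effective": {"id": "0"}},
    },
    {   # login identity unset by auditd: not a non-root identity, no alert
        "event": {"category": ["process"], "type": ["start"]},
        "host": {"os": {"type": "linux"}},
        "process": {"title": "runc init", "name": "runc",
                    "parent": {"name": "containerd-shim", "pid": 4244}},
        "user": {"id": AUDIT_UID_UNSET, "effective": {"id": "0"}},
    },
    {   # non-Linux host: the rule is scoped to Linux
        "event": {"category": ["process"], "type": ["start"]},
        "host": {"os": {"type": "windows"}},
        "process": {"title": "runc init", "name": "runc", "parent": {"name": "svc"}},
        "user": {"id": "1000", "effective": {"id": "0"}},
    },
]


def get_path(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Look up a dotted ECS field name in a nested event dict."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_non_root_identity(uid: Optional[Any]) -> bool:
    """True only for a known, attributed, non-root identity."""
    if uid is None or str(uid) == "":
        return False
    return str(uid) not in ("0", AUDIT_UID_UNSET)


def matches_rule(event: Dict[str, Any],
                 parent_allowlist: FrozenSet[str] = frozenset()) -> bool:
    """Apply the rule's conditions plus an optional known-good ancestry exclusion."""
    if get_path(event, "host.os.type") != "linux":
        return False
    if "process" not in (get_path(event, "event.category") or []):
        return False
    if get_path(event, "process.title") != "runc init":
        return False
    if str(get_path(event, "user.effective.id")) != "0":
        return False
    if not is_non_root_identity(get_path(event, "user.id")):
        return False
    # Tuning hook: suppress ancestry that is known to produce this mismatch legitimately.
    if get_path(event, "process.parent.name") in parent_allowlist:
        return False
    return True


def triage_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Collect the fields the investigation guidance asks an analyst to review."""
    return {
        "process.title": get_path(event, "process.title"),
        "process.parent.name": get_path(event, "process.parent.name"),
        "user.id": get_path(event, "user.id"),
        "user.effective.id": get_path(event, "user.effective.id"),
        "container.id": get_path(event, "container.id"),
    }


def find_alerts(events: Iterable[Dict[str, Any]],
                parent_allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, Any]]:
    """Return triage context for every event the rule would alert on."""
    return [triage_context(e) for e in events if matches_rule(e, parent_allowlist)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample fires; the unset-auid case is deliberately excluded because an unattributed login identity is not evidence of a non-root user, and that decision is exactly the kind of tuning the summary recommends revisiting per environment. Passing a parent allowlist such as frozenset({"containerd-shim"}) silences the remaining alert, which illustrates how an overly broad ancestry exclusion can blind the rule to the very case it exists for.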
Categories
- Endpoint
- Containers
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1611
Created: 2026-04-22