Summary
Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments that indicate container lifecycle manipulation, in-container command execution, image operations, or host filesystem mounting. These tools talk directly to the container runtime socket, bypassing the Kubernetes API server and, with it, RBAC, admission webhooks, Pod Security Standards, and Kubernetes audit logging. Attackers with host-level access may use them to create privileged "ghost" containers, inspect or modify containers, steal tokens and secrets, pull attacker-controlled images, or hide activity from standard Kubernetes controls.

The rule triggers on Linux hosts when a process starts as one of these CLIs (ctr, crictl, nerdctl) and its arguments indicate tasks, exec, or run with privileged-related flags, mount operations that affect host paths, or an executable path or argv that references the container runtime socket or Kubernetes artifacts. Common legitimate parent processes (e.g., kubelet, containerd, systemd, init) are excluded to reduce false positives.

The rule relies on full argv capture from Elastic Defend and/or Auditd Manager, which enables deeper correlation with file, network, and Kubernetes activity and surfaces suspicious container manipulation that would otherwise evade Kubernetes-native monitoring. It is aimed at techniques that enable container escape, host compromise, and covert host-to-container activity, and supports rapid containment and investigation.
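The matching logic described above, as an added Python illustration that is not the rule's own query: it evaluates constructed process-start events (field names, flag lists and sample command lines are assumptions made for this example).

```python
import shlex

# Assumed constants mirroring the summary: runtime CLIs, excluded parents,
# and the argument patterns the rule treats as suspicious.
RUNTIME_CLIS = {"ctr", "crictl", "nerdctl"}
BENIGN_PARENTS = {"kubelet", "containerd", "systemd", "init"}
LIFECYCLE_OR_EXEC = {"tasks", "task", "exec", "run", "create", "start", "attach"}
IMAGE_OPS = {"pull", "import", "push"}
PRIVILEGED_FLAGS = {"--privileged", "--net-host", "--pid-host", "--cap-add"}
SOCKET_OR_K8S_HINTS = ("containerd.sock", "crio.sock", "docker.sock",
                       "/var/run/secrets/kubernetes.io", "kubeconfig", "/var/lib/kubelet")


def host_mount_referenced(args):
    # Bind mounts of host paths: "--mount type=bind,src=/..." or "-v /host:/x".
    for i, a in enumerate(args):
        if a.startswith("--mount"):
            spec = a.split("=", 1)[1] if "=" in a else (args[i + 1] if i + 1 < len(args) else "")
            if "src=/" in spec or "source=/" in spec:
                return True
        if a in ("-v", "--volume") and i + 1 < len(args) and args[i + 1].startswith("/"):
            return True
    return False


def matches_rule(event):
    # event: {"process": basename, "parent": parent basename, "command_line": full argv}
    if event["process"] not in RUNTIME_CLIS or event["parent"] in BENIGN_PARENTS:
        return False
    args = shlex.split(event["command_line"])
    subcommands = set(args[1:])
    return (
        bool(subcommands & LIFECYCLE_OR_EXEC)
        or bool(subcommands & IMAGE_OPS)
        or any(a.split("=")[0] in PRIVILEGED_FLAGS for a in args)
        or host_mount_referenced(args)
        or any(h in a for a in args for h in SOCKET_OR_K8S_HINTS)
    )


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process": "ctr", "parent": "bash",
     "command_line": "ctr -n k8s.io tasks exec --exec-id x c1 cat /var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"process": "crictl", "parent": "bash", "command_line": "crictl ps"},
    {"process": "nerdctl", "parent": "sh", "command_line": "nerdctl run --privileged -v /:/host alpine"},
    {"process": "crictl", "parent": "kubelet", "command_line": "crictl exec c2 ls"},
    {"process": "ctr", "parent": "bash", "command_line": "ctr -n k8s.io images pull docker.io/library/busybox:latest"},
]


def flagged_events():
    return [e["command_line"] for e in SAMPLE_EVENTS if matches_rule(e)]
```

Events 1, 3 and 5 are flagged; `crictl ps` is benign listing and the kubelet-spawned exec is dropped by the parent exclusion.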
Categories
- Containers
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1609
- T1611
Created: 2026-04-29