
Tunneling and/or Port Forwarding Detected via Defend for Containers
Elastic Detection Rules
Summary
This rule detects tunneling and/or port forwarding tools running inside a container, activity that can indicate command-and-control (C2) communications, data exfiltration, or lateral movement within the container network. It triggers on specific process actions, in particular the execution of tools and commands commonly used to establish tunnels or forward ports (for example SSH, socat, and chisel). The investigation guide describes how to confirm whether the behavior is legitimate: identify the owning workload, review the command lines that were created, enumerate active listeners, and examine container network telemetry for abnormal patterns. The false positive analysis covers cases such as developers using these tools legitimately or tunneling functionality embedded in a service. When the rule fires, the recommended response is to isolate the affected containers, terminate malicious processes, review exposed services, and strengthen security controls to prevent recurrence. The rule is intended to improve security monitoring of cloud-native, container-based environments.
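The following is an added illustration, not Elastic's rule or its query: it shows the kind of process-event matching the summary describes, applied to a handful of constructed container process events. The event field names (`container`, `name`, `cmdline`) and the sample command lines are assumptions made for the example. Note that a plain `ssh` login is not flagged; only the forwarding options are, which mirrors the false positive concern the summary raises about legitimate developer use.

```python
"""Added example: minimal tunneling/port-forwarding detector over constructed
container process events. Not Elastic's rule logic; field names are assumed."""
import shlex

# Constructed sample events (hypothetical shape: container id, process name, command line).
SAMPLE_EVENTS = [
    {"container": "web-1", "name": "nginx", "cmdline": "nginx -g 'daemon off;'"},
    {"container": "build-7", "name": "ssh", "cmdline": "ssh -R 0.0.0.0:8080:localhost:80 user@203.0.113.5"},
    {"container": "web-1", "name": "ssh", "cmdline": "ssh user@git.example.internal"},
    {"container": "db-2", "name": "socat", "cmdline": "socat TCP-LISTEN:5432,fork TCP:10.0.0.9:5432"},
    {"container": "ci-3", "name": "chisel", "cmdline": "chisel client 203.0.113.7:8000 R:8080:localhost:80"},
    {"container": "ci-3", "name": "curl", "cmdline": "curl -s http://registry.internal/v2/"},
]

# ssh options that set up local, remote, dynamic (SOCKS) or tun forwarding.
SSH_FORWARD_FLAGS = {"-L", "-R", "-D", "-w"}

# socat address types that open a listener (the relay half of a forwarder).
SOCAT_LISTEN_PREFIXES = ("TCP-LISTEN", "TCP4-LISTEN", "TCP6-LISTEN", "UDP-LISTEN")


def is_tunnel_event(event):
    """Return a short reason string if the event looks like tunneling/port
    forwarding, otherwise None."""
    name = event["name"]
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:
        # Unbalanced quotes in telemetry: fall back to whitespace splitting.
        argv = event["cmdline"].split()

    if name == "ssh":
        # Plain logins are common in dev containers; flag only forwarding options,
        # written either as "-R host:port:..." or joined like "-L8080:localhost:80".
        for arg in argv[1:]:
            if arg in SSH_FORWARD_FLAGS or (arg.startswith("-") and arg[:2] in SSH_FORWARD_FLAGS):
                return "ssh port forwarding"
        return None

    if name == "socat":
        # A listener address relayed to another socket is the classic forwarder pattern.
        if any(arg.upper().startswith(SOCAT_LISTEN_PREFIXES) for arg in argv[1:]):
            return "socat listener relay"
        return None

    if name == "chisel":
        # chisel exists only to build tunnels, so any invocation is worth a look.
        return "chisel tunnel"

    return None


def scan(events):
    """Return a list of (container, reason, cmdline) tuples for matching events."""
    hits = []
    for event in events:
        reason = is_tunnel_event(event)
        if reason:
            hits.append((event["container"], reason, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for container, reason, cmd in scan(SAMPLE_EVENTS):
        print(f"[{container}] {reason}: {cmd}")
```

Running it prints three matches (the `ssh -R`, `socat TCP-LISTEN` and `chisel` events); the plain `ssh` login, `nginx` and `curl` are left alone. Each hit carries the container id so that the owning workload can be identified, which is the first step the investigation guide calls for.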
Categories
- Containers
- Cloud
Data Sources
- Container
ATT&CK Techniques
- T1572
Created: 2026-02-10