
Summary
This rule detects Linux process executions of nsenter with arguments that select a target process and enter its PID namespace, the technique commonly used to attach from a container (or an interactive session) to the host's init namespace and operate with host context. In nsenter terms that is a target flag (-t/--target <pid>) combined with a PID-namespace flag (-p/--pid, or -a/--all), typically as `nsenter -t 1 -m -u -i -n -p -- /bin/bash`. The call only succeeds where the caller can see the host's PIDs (a container sharing the host PID namespace) and holds CAP_SYS_ADMIN in the target's user namespace, which is exactly the over-privileged container configuration the rule is meant to catch. The rule leverages Auditd Manager telemetry (process execution events) to identify nsenter invocations, matches on nsenter usage combined with target PID namespace flags (e.g., --target or -t), and excludes known benign patterns (e.g., certain net-namespace-only and snap-related invocations).

The detection is mapped to MITRE ATT&CK T1611 (Escape to Host) under the Privilege Escalation tactic (TA0004). A high risk score (73) reflects the potential for container breakout and host compromise.

The rule emphasizes triage: examine the full nsenter command (target PID, namespaces entered, command run), the parent process, and the session origin (container, SSH, automation agent) to distinguish legitimate debugging from malicious activity; a target of PID 1 from inside a container is the case to treat with most suspicion. Recommended response involves isolating the host, revoking credentials, checking for persistence, and re-imaging if integrity cannot be confirmed. The setup guidance recommends deploying the Auditd Manager integration on Linux endpoints to collect process execution telemetry (ensuring execve events populate process.name and process.args, since the match depends on the argument list). References include MITRE T1611 and nsenter documentation.
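The following is an added example, not the rule's own query and not vendor code. It re-implements the detection idea from the summary on constructed process-execution events: parse the nsenter argument list, match invocations that name a target process and enter its PID namespace, apply a benign exclusion, and collect the triage fields the summary asks for. Field names follow ECS as the summary does (process.name, process.args, process.parent.name); the container.id field, the snap-related parent exclusion, and the sample events are assumptions made for illustration, since the page does not list the rule's exact exclusions.

```python
"""Added example (not the detection rule's query or any vendor code).

Matches nsenter executions that select a target process (-t/--target) and
enter its PID namespace (-p/--pid or -a/--all), then returns triage fields.
"""
from dataclasses import dataclass
from typing import Optional

# Namespace selectors from nsenter(1): short letter / long option -> name.
SHORT_NS = {"m": "mnt", "u": "uts", "i": "ipc", "n": "net", "p": "pid",
            "U": "user", "C": "cgroup", "T": "time"}
LONG_NS = {"--mount": "mnt", "--uts": "uts", "--ipc": "ipc", "--net": "net",
           "--pid": "pid", "--user": "user", "--cgroup": "cgroup",
           "--time": "time"}
CONSUMES_NEXT = {"-S", "-G", "--setuid", "--setgid"}   # take a value argument
SNAP_PARENTS = {"snapd", "snap-confine"}               # assumed benign exclusion


@dataclass
class NsenterInvocation:
    target_pid: Optional[int]
    namespaces: set
    command: list


def _pid(text):
    return int(text) if text.isdigit() else None


def parse_nsenter(args):
    """Parse an nsenter argv. Handles '-t 1', '-t1', '--target 1',
    '--target=1', bundled short flags ('-mupin', '-mupint 1'), long
    options with '=' values ('--pid=/proc/1/ns/pid') and -a/--all.
    Parsing stops at '--' or at the first non-option (the command run)."""
    target, ns, cmd = None, set(), []
    i = 1                                   # args[0] is nsenter itself
    while i < len(args):
        a = args[i]
        if a == "--":
            cmd = args[i + 1:]
            break
        if a in ("-a", "--all"):
            ns.update(SHORT_NS.values())
        elif a in ("-t", "--target"):
            i += 1
            target = _pid(args[i]) if i < len(args) else None
        elif a.startswith("--target="):
            target = _pid(a.split("=", 1)[1])
        elif a.split("=", 1)[0] in LONG_NS:
            ns.add(LONG_NS[a.split("=", 1)[0]])
        elif a in CONSUMES_NEXT:
            i += 1
        elif a.startswith("-") and not a.startswith("--") and len(a) > 1:
            letters = a[1:]                 # bundled short options
            for j, ch in enumerate(letters):
                if ch == "a":
                    ns.update(SHORT_NS.values())
                elif ch in SHORT_NS:
                    ns.add(SHORT_NS[ch])
                elif ch == "t":             # '-t1' / '-mupint1' / '-mupint 1'
                    rest = letters[j + 1:]
                    if rest:
                        target = _pid(rest)
                    else:
                        i += 1
                        target = _pid(args[i]) if i < len(args) else None
                    break
                elif ch in ("S", "G"):      # value attached or in next arg
                    if not letters[j + 1:]:
                        i += 1
                    break
                elif ch in ("r", "w"):      # optional value is attached: stop
                    break
        elif a.startswith("-"):
            pass                            # other long options, no value
        else:
            cmd = args[i:]
            break
        i += 1
    return NsenterInvocation(target, ns, cmd)


def detect(ev):
    """Return a triage record when the event matches the rule logic, else None."""
    if ev.get("process.name") != "nsenter":
        return None
    inv = parse_nsenter(ev.get("process.args", []))
    if inv.target_pid is None or "pid" not in inv.namespaces:
        return None
    if ev.get("process.parent.name") in SNAP_PARENTS:  # assumed exclusion
        return None
    cid = ev.get("container.id")
    return {"target_pid": inv.target_pid,
            "namespaces": sorted(inv.namespaces),
            "command": inv.command,
            "parent": ev.get("process.parent.name"),
            "origin": f"container:{cid}" if cid else "host",
            "host_init_target": inv.target_pid == 1}


def run(events):
    return [r for r in map(detect, events) if r]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process.name": "nsenter", "process.parent.name": "sh", "container.id": "4f9a1c2e",
     "process.args": ["nsenter", "-t", "1", "-m", "-u", "-i", "-n", "-p", "--", "/bin/bash"]},
    {"process.name": "nsenter", "process.parent.name": "bash",          # net only: no match
     "process.args": ["nsenter", "--target=4242", "--net", "ip", "addr"]},
    {"process.name": "nsenter", "process.parent.name": "python3", "container.id": "9b3d0e77",
     "process.args": ["nsenter", "-mupint", "1", "bash"]},
    {"process.name": "nsenter", "process.parent.name": "snap-confine",  # assumed benign
     "process.args": ["nsenter", "-t", "1", "-a", "/bin/sh"]},
    {"process.name": "nsenter", "process.parent.name": "sshd",          # matches, non-init
     "process.args": ["nsenter", "--all", "--target", "2048", "sh"]},
    {"process.name": "unshare", "process.parent.name": "bash",          # not nsenter
     "process.args": ["unshare", "-p", "-f", "bash"]},
]

if __name__ == "__main__":
    for record in run(SAMPLE_EVENTS):
        print(record)
```

The parser matters more than the match itself: an argument-list rule that only looks for the literal tokens `-t` and `-p` misses `-mupint 1` and `--target=1 --all`, and a rule that fires on any nsenter with `-t` will page on harmless `nsenter -t <pid> -n ip addr` debugging, which is what the net-namespace exclusion in the summary is for.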
Categories
- Endpoint
- Containers
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1611
Created: 2026-04-27