
Summary
Detects suspicious use of container runtime CLI tools (ctr, crictl, nerdctl) on Linux hosts to drive the container runtime directly, bypassing the Kubernetes control plane. The rule flags process start events where the process is ctr, crictl or nerdctl and the arguments indicate container creation, execution inside a container, image manipulation, or host filesystem mounting (e.g., --privileged, --mount, --net-host, --pid-host). It also flags invocations that reference the containerd socket or the k8s.io containerd namespace, which reveal direct interaction at the host/container boundary even when none of the action keywords are present. A guard excludes common legitimate parent processes (kubelet, containerd, systemd, init) to reduce noise.

The detection uses Linux process data from Elastic Defend for Containers (the logs-cloud_defend.process* data stream) and maps to MITRE ATT&CK T1609 (Container Administration Command) and T1611 (Escape to Host). It complements Kubernetes RBAC and audit controls by catching host-level actions that Kubernetes-level monitoring cannot see.

The rule is designed to catch attacker footholds that enable privileged containers not tracked by Kubernetes ("ghost" containers), access to pod or container tokens and secrets, image imports from attacker-controlled sources, and evidence destruction. Expected false positives include automated node bootstrap and break-glass administrative sessions.

The included investigation guidance emphasizes reviewing argv and the working directory, assessing the trust of any referenced images, examining host bind-mount scenarios, and correlating with file, network, and Kubernetes audit activity. Remediation guidance focuses on isolating affected nodes, revoking session credentials, and hunting for unauthorized workloads or image imports. Overall, the rule strengthens host-level visibility into container runtime abuse on Linux hosts.
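The matching logic described in the summary, modeled as an added Python example over constructed process-start events. This is illustrative code written for this page, not the rule's own EQL/KQL query: the ECS-style fields it reads (process.name, process.args, process.parent.name), the set of flagged subcommands, and the exact socket and namespace substrings it looks for are assumptions; the two-token forms "--net host" and "--pid host" are nerdctl's spelling of the host-namespace options that the summary lists as --net-host and --pid-host.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example, not the rule's own query. Field names follow ECS
# (process.name, process.args, process.parent.name) as Elastic Defend emits them;
# the keyword sets below are assumptions chosen to illustrate the summary, not
# the rule's actual keyword list.
RUNTIME_CLIS = {"ctr", "crictl", "nerdctl"}
# Subcommands that create/start/exec containers or import/pull images (assumed set).
ACTION_SUBCOMMANDS = {"run", "create", "start", "exec", "import", "pull", "load"}
# Flags named in the summary that grant host-level access (ctr/nerdctl spelling).
HOST_FLAGS = {"--privileged", "--mount", "--net-host", "--pid-host"}
# nerdctl also accepts these as two tokens: "--net host", "--pid host".
TWO_TOKEN_HOST_FLAGS = {"--net", "--pid"}
# Direct references to the runtime socket or the CRI namespace (assumed substrings).
RUNTIME_MARKERS = ("containerd.sock", "k8s.io")
# Parents that legitimately drive the runtime during node bootstrap / normal operation.
BENIGN_PARENTS = {"kubelet", "containerd", "systemd", "init"}


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process start event (ECS fields flattened)."""
    name: str                  # process.name
    args: List[str]            # process.args (argv, including argv[0])
    parent_name: str           # process.parent.name
    event_type: str = "start"  # event.type


def classify(ev: ProcessEvent) -> List[str]:
    """Return the reasons this event matches; an empty list means no alert."""
    if ev.event_type != "start" or ev.name not in RUNTIME_CLIS:
        return []
    if ev.parent_name in BENIGN_PARENTS:  # noise guard from the rule summary
        return []
    reasons: List[str] = []
    args = ev.args[1:]  # skip argv[0]
    for i, arg in enumerate(args):
        key = arg.split("=", 1)[0]  # handles "--mount=type=bind,..." as well
        if arg in ACTION_SUBCOMMANDS:
            reasons.append(f"subcommand:{arg}")
        elif key in HOST_FLAGS:
            reasons.append(f"flag:{key}")
        elif key in TWO_TOKEN_HOST_FLAGS and i + 1 < len(args) and args[i + 1] == "host":
            reasons.append(f"flag:{key} host")
        elif any(marker in arg for marker in RUNTIME_MARKERS):
            reasons.append(f"runtime-ref:{arg}")
    return reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: Dict[str, ProcessEvent] = {
    "ctr_privileged_shell": ProcessEvent(
        "ctr", ["ctr", "-n", "k8s.io", "run", "--privileged", "--net-host",
                "docker.io/library/alpine:latest", "shell", "sh"], "bash"),
    "kubelet_pull": ProcessEvent(
        "crictl", ["crictl", "pull", "docker.io/library/nginx:1.25"], "kubelet"),
    "nerdctl_host_bind": ProcessEvent(
        "nerdctl", ["nerdctl", "run", "--mount", "type=bind,src=/,dst=/host",
                    "--pid", "host", "alpine"], "sshd"),
    "crictl_ps": ProcessEvent("crictl", ["crictl", "ps"], "bash"),
    "ctr_socket_only": ProcessEvent(
        "ctr", ["ctr", "--address", "/run/containerd/containerd.sock", "version"], "bash"),
}


def run_detection(events: Dict[str, ProcessEvent] = SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Return {label: reasons} for every event that would raise an alert."""
    alerts: Dict[str, List[str]] = {}
    for label, ev in events.items():
        reasons = classify(ev)
        if reasons:
            alerts[label] = reasons
    return alerts


if __name__ == "__main__":
    for label, reasons in run_detection().items():
        print(f"ALERT {label}: {', '.join(reasons)}")
```

Two caveats an analyst should keep in mind when reading alerts from logic of this shape. First, a substring match on "k8s.io" also fires on image references such as registry.k8s.io/pause, so confirm the token is actually the -n/--namespace argument before treating it as namespace abuse. Second, the parent guard suppresses the whole event when the parent is kubelet, containerd, systemd or init, so an attacker who launches the CLI through a systemd unit or a compromised kubelet evades it; that is why the summary pairs this rule with Kubernetes audit log correlation rather than relying on it alone.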
Categories
- Containers
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1609
- T1611
Created: 2026-05-01