Linux

A critical vulnerability (CVE-2026-53488) exists in the containerd CRI plugin where image configuration `LABEL` instructions are propagated to containers without validation, allowing an attacker to inject and execute arbitrary commands with host-root privileges on the underlying host when a maliciously crafted container image is pulled and processed by specific plugins.

A high-severity vulnerability (CVE-2026-53489) in containerd's CRI plugin allows an unprivileged attacker to read arbitrary files on the host system by crafting a malicious checkpoint with a symlink that `containerd` follows during `container.log` restoration, enabling data exfiltration via `kubectl logs`.

A high-severity vulnerability (CVE-2026-53492) in containerd's CRI implementation allows an attacker with pod creation permissions to smuggle arbitrary Container Device Interface (CDI) annotations during container restoration, bypassing Kubernetes resource allocation and enabling unauthorized device and host mount injection into the restored container.

The `network-ai` package, versions prior to 5.9.1, is vulnerable to a critical command injection flaw (CVE-2026-54051) where the `ShellExecutor` component fails to properly neutralize shell metacharacters when processing commands, allowing an attacker to achieve arbitrary command execution as the orchestrator process by bypassing allowlist controls.

A vulnerability in the vim text editor allows a remote, unauthenticated attacker to perform a Denial of Service attack by exploiting a weakness to disrupt the service without requiring prior authentication.

A remote, anonymous attacker can exploit a vulnerability in OpenBSD to disclose sensitive information, potentially leading to unauthorized data exposure.

An attacker can achieve unauthenticated remote code execution (RCE) in Crawl4AI Docker deployments by injecting malicious Chromium launch arguments, such as `--utility-cmd-prefix` and `--no-zygote`, into the `browser_config.extra_args` field of the API request, allowing for arbitrary command execution as the container's runtime user.

The Atomic Arch campaign compromises orphaned Arch User Repository (AUR) packages, modifying their PKGBUILDs to install malicious npm/Bun dependencies like 'atomic-lockfile,' which deploy a Linux payload with credential harvesting, eBPF-based stealth, anti-debugging, and data exfiltration capabilities, impacting approximately 1,500 packages.

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.

This rule detects unusual child process executions originating from web server processes on Linux systems, potentially indicating attackers exploiting web servers for persistence.

Identifies suspicious command executions via a web server on Linux systems, potentially indicating a vulnerability exploitation or remote shell access for persistence.

This rule identifies unusual destination port network activity originating from a web server process on Linux systems, indicating potential web shell activity or unauthorized communication from a web server process to external systems by detecting egress connections from web server processes to non-standard ports while excluding common local IP ranges.

This rule detects potential command execution from a web server parent process on a Linux host, indicating a possible web shell attack where adversaries exploit web server vulnerabilities to execute arbitrary commands.

This rule detects unusual processes spawned from a web server parent process on Linux systems, potentially indicating an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels.

The rule detects attempts to clear the kernel ring buffer on Linux systems using the `dmesg` command with options like `-c`, `-C`, `--clear`, or `--read-clear` to evade detection.

This rule detects Linux process executions that reference /etc/kubernetes/manifests in process arguments, which may indicate tampering with static pod manifests for persistence or privilege escalation in Kubernetes environments.

This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud files, potentially indicating credential theft within in-cluster and hybrid environments.

A local attacker can exploit a vulnerability in Red Hat Enterprise Linux (crun) to escalate their privileges, potentially gaining root access.

The CIFSwitch vulnerability in the Linux kernel allows an unprivileged user to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges by loading a malicious NSS module.

This rule detects segfault messages in kernel logs originating from sensitive processes on Linux systems, indicating potential exploitation attempts that could lead to arbitrary code execution or credential access.

A local privilege escalation vulnerability in the Linux Kernel has a published exploit on Exploit-DB, potentially allowing unprivileged users to gain elevated privileges on vulnerable systems.

A Splunk correlation search identifies potential Linux persistence and privilege escalation activities based on risk scores and event counts from various Linux-related data sources, highlighting behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system.

This rule detects potential privilege escalation attempts on Linux systems by monitoring the use of `unshare` with user namespace-related arguments followed by a UID change to root, indicating a transition to root and a potential local privilege escalation.

A local attacker can exploit multiple vulnerabilities in the Linux Kernel to escalate privileges, cause a denial-of-service condition, disclose sensitive information, or perform an unspecified attack.

A command injection vulnerability (CVE-2026-44604) exists in the `rpmuncompress` utility of RPM; when extracting specially crafted ZIP, 7z, or GEM archives, an attacker can inject shell commands via a malicious top-level folder name, leading to arbitrary code execution as the user running the extraction.

A local privilege escalation vulnerability exists in Realtek rtl819x Jungle SDK due to missing capability checks on ioctl commands, allowing unprivileged users to gain root privileges on affected Linux systems.

A local attacker can exploit vulnerabilities in Ivanti Secure Access Client to manipulate files or escalate privileges, potentially gaining elevated access to the system.

A vulnerability in the Debian LTS Linux kernel allows attackers to perform privilege escalation and breach data confidentiality, specifically affecting Debian 11 bullseye versions prior to 5.10.251-5 and 6.1.172-1~deb11u1; tracked as CVE-2026-46333.

This rule detects passwordless sudo probing activity on Linux systems, which can indicate an attacker attempting to enumerate allowed commands and potential privilege escalation.

CVE-2026-31635, dubbed DirtyDecrypt, is a local privilege escalation vulnerability in the Linux kernel's rxrpc subsystem (rxgk component), allowing an unprivileged user to corrupt page cache and achieve arbitrary file writes, leading to root access on kernels 6.10 to 6.13 with CONFIG_RXGK enabled.

A remote, authenticated attacker can exploit a vulnerability in Podman to manipulate files on the host system.

An authenticated or anonymous attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux regarding Valkey to manipulate files or cause a denial-of-service condition.

A vulnerability in the cloud-init component of Red Hat Enterprise Linux allows an attacker from an adjacent network to gain administrator privileges.

This detection rule identifies suspicious executions of SUID binaries that may be used for privilege escalation on Linux systems, focusing on scenarios where the real user and parent user are not root, combined with minimal argument counts and suspicious parent contexts.

This rule detects potential privilege escalation under the root effective user when the real user and parent user are not root, indicative of the execution of binaries with SUID or SGID bits set, often exploited by adversaries to gain elevated access on Linux systems.

This rule detects Linux process executions that access Kubernetes static pod manifest files, potentially indicating malicious tampering for persistence or privilege escalation.

Detects execution of curl or wget from processes running inside OCI/runc-backed containers, potentially indicating ingress tool transfer or data exfiltration after a container breakout.

This rule detects the creation of files in world-writable directories on Linux systems by an unusual process, which is a common defense evasion tactic for potential lateral movement or malicious payload staging.

A vulnerability exists in claude-code-cache-fix versions 3.5.0 and 3.5.1 where the `tools/quota-statusline.sh` script interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal, allowing local code execution via Python triple-quote injection (CVE-2026-45136).

Uniget is vulnerable to command injection because the `check` field is loaded directly from untrusted JSON metadata without validation, allowing an attacker to execute arbitrary shell commands on the victim's system when performing common uniget operations.

The systeminformation library is vulnerable to command injection on Linux systems due to unsanitized NetworkManager connection profile names, allowing attackers to execute arbitrary shell commands via a crafted profile when `networkInterfaces()` is called.

A new local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem, named "Fragnesia," allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption.

This brief outlines how Linux cgroups, a kernel feature for resource management, can be repurposed to provide valuable telemetry for detecting malicious processes, particularly in systemd, Docker, and Kubernetes environments, aiding in investigations of server compromises.

A local attacker can exploit multiple vulnerabilities in the Linux Kernel to escalate privileges or manipulate files.

A remote, anonymous attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux to execute arbitrary code or cause a denial-of-service condition.

Bird-lg-go is vulnerable to a denial-of-service (DoS) attack (CVE-2026-45047) where an unauthenticated remote attacker can cause an out-of-memory error by streaming an extremely large JSON payload to the apiHandler, leading to termination of the bird-lg-go daemon.

Ubuntu released security notices between May 4 and 10, 2026, addressing vulnerabilities in the Linux kernel affecting Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS, and 25.10, requiring timely updates.

A remote, anonymous attacker can exploit a vulnerability in Red Hat Enterprise Linux (openEXR) to execute arbitrary program code.

JDownloader's website was compromised on May 6-7, 2026, with download links repointed to malicious installers deploying a Remote Access Trojan on Windows and harmful shell commands on Linux. Users who installed from affected links should treat the system as fully compromised and perform a clean OS reinstall.

CyberPanel version 2.1 is vulnerable to command execution (CVE-2021-47949) where an authenticated attacker can exploit symlink attacks via the filemanager controller endpoint by manipulating the completeStartingPath parameter in POST requests, leading to sensitive file access and arbitrary shell command execution.

The Dirty Frag vulnerability (CVE-2026-43284 and CVE-2026-43500) is a Linux kernel local privilege escalation that allows an unprivileged local user to gain root privileges by exploiting flaws in the networking subsystem to overwrite protected file contents in the page cache.

A pre-authentication remote code execution vulnerability exists in xrdp versions prior to 0.10.5, triggered by a buffer overflow in the xrdp_wm_parse_domain_information function when parsing a specially crafted domain name, allowing attackers to overwrite the return address and execute arbitrary code.

A local attacker can exploit a vulnerability in Red Hat Hardened Images RPMs to execute arbitrary code or cause a denial of service.

A remote, anonymous attacker can exploit a SQL injection vulnerability in ProFTPD, potentially leading to unauthorized data access or modification.

A local attacker can exploit vulnerabilities in X.Org X11 and Xwayland to perform unspecified attacks, including memory corruption, information disclosure, or a denial-of-service condition.

A local attacker can exploit multiple vulnerabilities in BusyBox to execute arbitrary code or gain elevated privileges on Linux systems.

A vulnerability in BusyBox allows a remote attacker on an adjacent network to execute arbitrary code or cause a denial-of-service condition.

A remote, anonymous attacker can exploit a vulnerability in Red Hat Enterprise Linux (python-wheel) to escalate privileges or execute arbitrary code.

This rule detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255) enabling discovery and lateral movement in Kubernetes environments.

A vulnerability exists in WHM, cPanel, and WP Squared, Linux-based web hosting control panels, which could allow for remote code execution by bypassing authentication and gaining administrative access.

A remote, anonymous attacker can exploit a vulnerability in the xz utility to achieve arbitrary code execution on affected systems.

The rule detects a potential chroot container escape via mount, which involves a user within a container mounting the host's root file system and using chroot to escape the containerized environment, indicating a privilege escalation attempt.

Detects suspicious chroot execution within a Linux container context, potentially indicating a container escape attempt by pivoting to an alternate root filesystem.

The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.

This rule identifies process execution events where the effective user is root while the real user is not, the process arguments include the privileged shell flag commonly associated with setuid-capable shells, and the executable path is outside standard system binary directories, indicating potential privilege escalation.

This rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.

A local privilege escalation vulnerability, dubbed 'Copy Fail' (CVE-2026-31431), affects Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions by exploiting a logic bug in the authencesn cryptographic template.

A local attacker can exploit a vulnerability in CUPS to execute arbitrary program code with administrator privileges on Linux and macOS systems.

Multiple vulnerabilities in sudo allow a local attacker to bypass security precautions and escalate privileges to root.

A local attacker can exploit a vulnerability in PackageKit to escalate their privileges on a Linux system.

Multiple vulnerabilities in Red Hat Enterprise Linux's LibRaw component allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

An anonymous remote attacker can exploit a SQL injection vulnerability in ProFTPD.

Attackers can achieve persistence and privilege escalation on Linux systems by creating or modifying files in the /etc/sudoers.d/ directory to grant unauthorized users or groups sudo privileges.

A heap buffer overflow vulnerability exists in NTFS-3G versions 2022.10.3 before 2026.2.25 that allows for heap memory corruption by processing a crafted NTFS image with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.

NestJS versions before 11.1.19 are susceptible to an uncontrolled recursion vulnerability (CVE-2026-40879) where sending many small JSON messages in a single TCP frame triggers a call stack overflow, resulting in a denial-of-service condition.

A local attacker can exploit a vulnerability in util-linux to perform a denial of service attack and disclose sensitive information.

Remote, anonymous attackers can exploit vulnerabilities in Red Hat Hardened Images RPMs to bypass security measures, cause denial of service, disclose sensitive information, or potentially execute code.

A compromised SecureDrop server can achieve code execution on the SecureDrop client's virtual machine by exploiting improper filename validation during gzip archive extraction, allowing for the overwriting of critical files.

xrdp versions through 0.10.5 are vulnerable to a privilege escalation flaw (CVE-2026-32107) where improper privilege management during the privilege drop process could allow an authenticated local attacker to escalate privileges to root and execute arbitrary code.

rsync versions 3.0.1 through 3.4.1 are vulnerable to a use-after-free vulnerability in the receive_xattr function during a qsort call, triggered by an untrusted length value when the -X/--xattrs option is used, potentially leading to code execution.

Radare2 before commit 9236f44, when configured on UNIX without SSL, is vulnerable to command injection via a PDB name passed to rabin2 -PP, potentially allowing arbitrary code execution.

Zarf is vulnerable to path traversal due to insufficient sanitization of the Metadata.Name field in package manifests when using the `zarf package inspect sbom` or `zarf package inspect documentation` commands, potentially leading to arbitrary file write.

A denial-of-service vulnerability exists in jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 due to the use of a hardcoded seed in MurmurHash3, enabling attackers to craft JSON objects that trigger hash collisions and cause excessive CPU consumption.

A flaw in Nix package manager allows arbitrary file overwrites via symlink following during fixed-output derivation registration, potentially leading to root privilege escalation on multi-user Linux systems.

parseusbs before 1.9 is vulnerable to OS command injection (CVE-2026-40030) due to improper sanitization of the volume listing path argument, potentially allowing arbitrary command execution via crafted volume paths.

Podman Desktop versions prior to 1.26.2 expose an unauthenticated HTTP server, allowing remote attackers to trigger denial-of-service conditions by exhausting resources and extract sensitive information through verbose error responses.

A remote, anonymous attacker can exploit a vulnerability in OpenSSH GSSAPI and Ubuntu Linux to trigger undefined behavior or a potential denial-of-service attack.

A path traversal vulnerability exists in prompts.chat prior to commit 0f8d4c3, allowing attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames.

A critical OS command injection vulnerability (CVE-2026-5485) in the Amazon Athena ODBC driver before 2.0.5.1 for Linux allows local attackers to execute arbitrary code via specially crafted connection parameters.

This rule detects potential kubectl network configuration modification activity by monitoring for process events where the kubectl command is executed with arguments that suggest an attempt to modify network configurations in Kubernetes, potentially leading to unauthorized access or data exfiltration.

BPFDoor, an evasive Linux backdoor, is detected via the unusual access of process ID and lock files in the /var/run/ directory, indicating potential malicious activity.

A local attacker can exploit a vulnerability in libxslt on Red Hat Enterprise Linux to cause a denial of service or execute arbitrary program code.

The trivy-action GitHub Action, a widely used vulnerability scanner in CI/CD pipelines, was compromised via git tag repointing to inject a multi-stage credential stealer, affecting 76 of 77 release tags.

A vulnerability in versions prior to 0.2.86 of the act project allows remote attackers to create arbitrary caches, potentially leading to remote code execution within Docker containers by poisoning predicted cache keys.

Multiple vulnerabilities in NGINX Plus and NGINX can be exploited by an attacker to perform a denial of service attack, manipulate data, bypass security measures, and potentially execute arbitrary program code, leading to significant impact.

A vulnerability in Incus versions prior to 6.23.0 allows for arbitrary read and write access as root on the host server by exploiting a missing chroot isolation in the pongo2 template engine.

A remote, authenticated attacker can exploit a vulnerability in Red Hat Enterprise Linux (specifically 389-ds-base) to achieve arbitrary code execution and potentially cause a denial of service.

The 'Out-of-Cancel' vulnerability class stems from flaws in Linux workqueue cancellation APIs, potentially leading to exploitable conditions within the kernel.

A local attacker can exploit a vulnerability in GNU libc to execute arbitrary program code on Linux systems.

An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface of a device, leading to full compromise and root access on the underlying Linux-based OS, as described in CVE-2026-3587.

A local attacker can exploit a vulnerability in libxslt in Red Hat Enterprise Linux to execute arbitrary program code or manipulate files.

A guest VM issuing a Xenstore command with the node path '/local/domain/' can crash xenstored (CVE-2026-23555), or, if NDEBUG is defined, cause denial of service by consuming all CPU resources.

The open-source Inner Warden project is a security agent leveraging eBPF for kernel-level monitoring and autonomous response actions like IP blocking and process termination, aiming to create a distributed security mesh.

An unprivileged user may exploit CVE-2026-3888 to escalate privileges to root by creating malicious files in the /tmp/.snap directory.

Persistnux is a bash-based tool designed to identify known Linux persistence mechanisms used by attackers to maintain access to compromised systems, generating detailed reports for DFIR analysis.

Qualys discovered critical vulnerabilities in AppArmor, enabling local privilege escalation to root on vulnerable Linux systems.

The 'env' command is used to invoke a shell on Linux systems, potentially bypassing restricted environments or escalating privileges to execute arbitrary commands.

The rule detects a sequence of events indicating a potential privilege escalation attempt on Linux systems where a non-root user performs namespace activity using unshare, followed by the execution of a root process shortly after.

This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.

The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.

The execution of a Linux shell process from a Java JAR application following an incoming network connection may indicate reverse shell activity.

Adversaries attempt to clear Linux system logs using utilities like rm, rmdir, shred, and unlink to conceal malicious activity and evade detection.

Detection of runc init child processes with root effective user and non-root login user ID, indicating potential container privilege escalation.

The rule detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting, potentially leading to container escape and privilege escalation.

A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user on Linux systems, suggesting possible privileged access activity through command lines, indicating potential obfuscation or unauthorized use of privileged access.

This threat brief covers the detection of suspicious processes modifying sensitive files on Linux systems, potentially indicating malicious attempts to persist, escalate privileges, or disrupt system operations.

This rule detects nsenter executions that target a PID with a namespace target flag, a common pattern used to attach to the host init namespace from a container or session and run with host context, potentially escalating privileges.

An attacker may create new cron files in cron directories to establish persistence on a Linux system, potentially leading to privilege escalation and arbitrary code execution.

The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.

Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting, potentially leading to privileged container creation and unauthorized access to sensitive data.

An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.

This analytic detects unexpected shutdowns of the Linux auditd daemon, potentially indicating attempts to disable security monitoring and evade detection by attackers.

This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.

This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.

pyp2spec before 0.14.1 is vulnerable to code injection by writing PyPI package metadata into generated spec files without escaping RPM macro directives, allowing malicious packages to execute arbitrary commands on the build machine.

A local privilege escalation vulnerability exists in the Linux Kernel versions ~3.14+ through 6.18-rc5 due to a use-after-free in the proc_readdir_de() function, where a concurrent traversal can dereference a freed entry's fields during network device unregistration, leading to privilege escalation via modprobe_path overwrite.

This brief details a Splunk search that identifies suspicious command-line activity modifying iptables firewall settings on Linux systems, potentially indicating Cyclops Blink malware activity allowing C2 communication by opening specific TCP ports.

Detection of 'pkill' command execution on Linux systems, a technique used by threat actors to disable security defenses or terminate critical processes, potentially leading to data corruption or destruction.

Detection of abnormal Linux audit daemon (auditd) termination via DAEMON_ABORT events, indicating potential auditing subsystem failure due to resource exhaustion, corruption, or malicious interference.

This rule detects Linux process executions that access sensitive Kubernetes, cloud, and SSH credential files via common utilities, potentially indicating credential theft.

This brief focuses on detecting the execution of Python one-liners utilizing base64 decoding functions on Linux systems, a technique employed by malicious actors to obfuscate and execute payloads, thereby evading traditional security measures.

Attackers may use chmod to modify file permissions within sensitive Linux directories such as /tmp/, /etc/, and /opt/ to maintain persistence, escalate privileges, or disrupt system operations.

authd 0.6.0 contains a bug that leads to an incorrect primary group ID being set to the user's UID, potentially leading to local privilege escalation and incorrect file ownership, fixed in authd >= 0.6.4.

Apko versions prior to 1.2.7 are vulnerable to package substitution due to not verifying downloaded apk packages against the APKINDEX checksum, potentially allowing an attacker who can substitute download responses to install arbitrary packages into built images.

Detects the execution of QEMU with the -nographic flag and an image file on Windows systems, a technique used for persistence and initial access by installing a rogue Linux virtual machine.

The redirection of standard output to /dev/null on Linux systems, particularly when observed in conjunction with other suspicious activities, can indicate attempts to hide malicious command execution, as seen in malware like Cyclops Blink, potentially leading to unauthorized system modifications and persistent access.

This rule detects suspicious sequences where a non-root user launches a high-risk parent process and then executes a common privilege elevation helper gaining an effective UID of 0 while the real UID remains non-root, potentially indicating misuse of SUID/SGID helpers or privilege escalation attempts.

Attackers may use compression utilities like zip, tar, and gzip on Linux systems to collect and archive sensitive files containing credentials and system configurations for credential access and data exfiltration.

The `unshare` command is used to create new namespaces in Linux, which can be exploited to break out of containers or elevate privileges by creating namespaces that bypass security controls.

The rule identifies suspicious usage of unshare to manipulate system namespaces, which can be utilized to escalate privileges or escape container security boundaries.

This rule detects the execution of kubeletctl, a command-line tool used to interact with the Kubelet API, on Linux hosts, potentially leading to discovery and lateral movement within Kubernetes environments.

The rule detects nsenter executions from inside a monitored Linux container that include a namespace target flag (-t or --target), which can be abused to escape container isolation.

Detection of Linux audit daemon (auditd) re-initialization events, which can indicate attempts to re-enable audit logging after evasion or restarts with modified rule sets.