
Potential Kubectl Masquerading via Unexpected Process

Elastic Detection Rules

Summary
This Elastic-authored rule detects potential kubectl masquerading on Linux hosts. It inspects process start events in which the executing process is not named 'kubectl' but the command line carries kubectl-style subcommands and arguments. That combination suggests an adversary has renamed the kubectl binary, or staged a copy in an unconventional directory, so that cluster reconnaissance and access activity does not appear under the process name that detections and allowlists usually key on. The rule is written in EQL (Event Query Language) and matches process events of type 'start' whose command lines fit patterns indicative of kubectl usage. Its risk score is 21, which maps to a severity of low, and it is intended for environments running Elastic Defend, particularly Kubernetes and container-based infrastructure.
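The summary above states the rule's logic in prose. The Python script below is an added example, not the rule's EQL query and not Elastic's code: it applies that logic (process start event, Linux host, process name other than 'kubectl', command line shaped like a kubectl invocation) to a handful of constructed ECS-style process events. The kubectl verb and object vocabularies, the flat field names, the `looks_like_kubectl`/`matches_rule`/`scan` helpers and the sample events are all assumptions made for the demonstration; the real query and its exception list live in the rule source.

```python
"""Illustrative re-implementation of the detection described above.

Added example, not the rule's own EQL: the verb and object vocabularies,
the "unexpected process" test and the sample events are assumptions.
"""
import shlex

# Assumed vocabulary: the first positional argument kubectl accepts as a verb.
KUBECTL_VERBS = {
    "get", "describe", "apply", "create", "delete", "exec", "logs",
    "auth", "port-forward", "cp", "run", "config", "proxy",
}
# Assumed vocabulary: resource words and sub-verbs that typically follow.
KUBECTL_OBJECTS = {
    "pod", "pods", "po", "secret", "secrets", "serviceaccount",
    "serviceaccounts", "sa", "clusterrole", "clusterroles",
    "clusterrolebinding", "clusterrolebindings", "node", "nodes",
    "namespace", "namespaces", "ns", "deployment", "deployments",
    "configmap", "configmaps", "can-i", "view", "token",
}


def looks_like_kubectl(command_line: str) -> bool:
    """True when argv reads like '<binary> <verb> ... <object> ...'.

    Flag tokens (starting with '-') are ignored, so '/tmp/.k get secrets -A'
    matches.  A shell wrapper such as bash -c 'kubectl get pods' does not:
    the whole kubectl invocation is a single quoted token in that argv.
    """
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes in the captured command line
        return False
    positional = [tok for tok in argv[1:] if not tok.startswith("-")]
    if len(positional) < 2:
        return False
    verb, rest = positional[0], positional[1:]
    return verb in KUBECTL_VERBS and any(tok in KUBECTL_OBJECTS for tok in rest)


def matches_rule(event: dict) -> bool:
    """Apply the rule's conditions to one flat ECS-style process event."""
    if event.get("event.category") != "process" or event.get("event.type") != "start":
        return False
    if event.get("host.os.type") != "linux":
        return False
    if event.get("process.name") == "kubectl":
        return False  # a process actually named kubectl is out of scope here
    return looks_like_kubectl(event.get("process.command_line", ""))


def scan(events):
    """Return the command line of every event the rule would alert on."""
    return [e["process.command_line"] for e in events if matches_rule(e)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # renamed binary staged in /tmp: should alert
    {"event.category": "process", "event.type": "start", "host.os.type": "linux",
     "process.name": ".k", "process.executable": "/tmp/.k",
     "process.command_line": "/tmp/.k get secrets -A"},
    # renamed binary under a benign-looking name: should alert
    {"event.category": "process", "event.type": "start", "host.os.type": "linux",
     "process.name": "healthcheck", "process.executable": "/opt/app/healthcheck",
     "process.command_line": "/opt/app/healthcheck auth can-i --list"},
    # the real kubectl: excluded by design
    {"event.category": "process", "event.type": "start", "host.os.type": "linux",
     "process.name": "kubectl", "process.executable": "/usr/local/bin/kubectl",
     "process.command_line": "kubectl get secrets -A"},
    # shell wrapper: the kubectl call is one quoted token, so no match
    {"event.category": "process", "event.type": "start", "host.os.type": "linux",
     "process.name": "bash", "process.executable": "/usr/bin/bash",
     "process.command_line": "bash -c 'kubectl get pods'"},
    # unrelated tool with a colliding verb: no match
    {"event.category": "process", "event.type": "start", "host.os.type": "linux",
     "process.name": "git", "process.executable": "/usr/bin/git",
     "process.command_line": "git describe --tags"},
    # same renamed binary, but not a start event
    {"event.category": "process", "event.type": "end", "host.os.type": "linux",
     "process.name": ".k", "process.executable": "/tmp/.k",
     "process.command_line": "/tmp/.k get secrets -A"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Two caveats follow from the shape of this logic. A copy of kubectl kept under its original name but dropped into an unusual directory is not caught by a name-only test, so executable-path conditions are worth pairing with it. Verbs whose operands are free-form names (exec, logs, port-forward) cannot be anchored on a resource word and need a different pivot, such as the `--` separator or a namespace flag, at the cost of more tuning against tools like docker that share those verbs.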
Categories
  • Endpoint
  • Containers
  • Kubernetes
  • Linux
Data Sources
  • Process
  • Container
  • Application Log
ATT&CK Techniques
  • T1036
  • T1036.003
  • T1564
Created: 2025-06-19