
Summary
This detection rule identifies the creation of Kubernetes Roles or ClusterRoles that grant permissions on the pods/exec subresource, which is what kubectl exec uses to run commands inside a container. Opening an exec session is a create request against pods/exec, so the create verb on that subresource (or a wildcard verb or resource that covers it) is the grant to watch for. Such a grant enables lateral movement between workloads and gives an attacker a persistent way to execute arbitrary commands; a newly created role that includes pods/exec, particularly one bound to a principal that had no prior need for it, can indicate an attempt to establish backdoor access. RBAC (Role-Based Access Control) events deserve close monitoring whenever elevated permissions are granted, since they are a common path to privilege escalation and to malicious activity across the cluster. The rule pairs the detection with investigative steps to establish whether the role creation was legitimate and whether the granted permissions have since been used.
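The detection logic described above, run over Kubernetes API server audit log lines, as an added example that is not the rule's own implementation. It assumes the audit policy records RBAC writes at level Request or RequestResponse (so that requestObject carries the role's rules), and it expands the wildcards an attacker could use to hide a pods/exec grant (resources "*" or "pods/*", apiGroups "*", verbs "*"). The audit events are constructed for the example. The function and constant names are illustrative; the treatment of the get verb reflects the API server's exec connect handler accepting GET as well as POST.

```python
import json
from typing import Optional

# kubectl exec sends a POST to pods/exec, so "create" is the usual grant; the
# API server's connect handler also accepts GET on pods/exec, so "get" counts.
EXEC_VERBS = {"create", "get", "*"}
EXEC_RESOURCES = {"pods/exec", "pods/*", "*"}
CORE_API_GROUPS = {"", "*"}            # pods live in the core ("") API group
RBAC_RESOURCES = {"roles", "clusterroles"}


def rule_grants_pod_exec(rule: dict) -> bool:
    """True if one RBAC PolicyRule grants an exec-capable verb on pods/exec,
    with wildcards in apiGroups, resources and verbs expanded."""
    if not set(rule.get("apiGroups", [])) & CORE_API_GROUPS:
        return False
    if not set(rule.get("resources", [])) & EXEC_RESOURCES:
        return False
    return bool(set(rule.get("verbs", [])) & EXEC_VERBS)


def detect(event: dict) -> Optional[dict]:
    """Alert on a successful create of a Role/ClusterRole whose rules include
    a pods/exec grant. Needs audit level Request or higher: at Metadata level
    requestObject is absent and the rules cannot be inspected."""
    if event.get("stage") != "ResponseComplete" or event.get("verb") != "create":
        return None
    ref = event.get("objectRef") or {}
    if ref.get("apiGroup") != "rbac.authorization.k8s.io":
        return None
    if ref.get("resource") not in RBAC_RESOURCES:
        return None
    # A 403 or other failure granted nothing; skip it here (a denied attempt
    # may still merit its own lower-severity alert).
    if (event.get("responseStatus") or {}).get("code", 0) >= 300:
        return None
    body = event.get("requestObject") or {}
    offending = [r for r in body.get("rules", []) if rule_grants_pod_exec(r)]
    if not offending:
        return None
    return {
        "user": (event.get("user") or {}).get("username"),
        "kind": body.get("kind", ref.get("resource")),
        "name": ref.get("name"),
        # ClusterRoles are not namespaced, so objectRef carries no namespace.
        "namespace": ref.get("namespace", "<cluster-wide>"),
        "rules": offending,
        "source_ips": event.get("sourceIPs", []),
    }


def scan(lines) -> list:
    """Run detect() over newline-delimited JSON audit lines, skipping bad ones."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = detect(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample audit events (not real cluster data), one JSON object per line.
SAMPLE_AUDIT_LINES = [
    # 1. Role granting create on pods/exec alongside read-only pod access: alert.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "create", "user": {"username": "dev-alice"}, "sourceIPs": ["10.0.0.12"],
                "objectRef": {"resource": "roles", "apiGroup": "rbac.authorization.k8s.io",
                              "namespace": "prod", "name": "debug-exec"},
                "requestObject": {"kind": "Role", "rules": [
                    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
                    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
                "responseStatus": {"code": 201}}),
    # 2. ClusterRole built from wildcards: implicitly covers pods/exec, alert.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "create", "user": {"username": "system:serviceaccount:ci:builder"},
                "objectRef": {"resource": "clusterroles", "apiGroup": "rbac.authorization.k8s.io",
                              "name": "helper-admin"},
                "requestObject": {"kind": "ClusterRole", "rules": [
                    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
                "responseStatus": {"code": 201}}),
    # 3. Read-only pod role: no exec grant, no alert.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "create", "user": {"username": "dev-bob"},
                "objectRef": {"resource": "roles", "apiGroup": "rbac.authorization.k8s.io",
                              "namespace": "staging", "name": "pod-reader"},
                "requestObject": {"kind": "Role", "rules": [
                    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
                "responseStatus": {"code": 201}}),
    # 4. Denied attempt to create an exec role: nothing was granted, no alert.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "create", "user": {"username": "system:serviceaccount:default:default"},
                "objectRef": {"resource": "roles", "apiGroup": "rbac.authorization.k8s.io",
                              "namespace": "default", "name": "sneaky"},
                "requestObject": {"kind": "Role", "rules": [
                    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
                "responseStatus": {"code": 403}}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LINES):
        print(json.dumps(alert))
```

Two design points worth carrying into a production rule: the wildcard expansion is what makes the second sample fire, and a rule that only string-matches "pods/exec" misses it; and the same rule body should also be applied to update and patch events on Roles and ClusterRoles, since an attacker who can edit an existing role does not need to create one.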
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Pod
- User Account
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1078.004
- T1021
Created: 2026-02-18