
Summary
Detects kubeletctl execution on Linux hosts by monitoring process start events for kubeletctl and related Kubelet API discovery/interaction commands. Kubeletctl can be used to enumerate the Kubelet API, discover nodes and pods, and perform actions such as exec, attach, or port-forward, which may enable discovery or lateral movement within Kubernetes environments.

The rule uses EQL against process and audit logs from auditd/endpoint sources and triggers when a Linux host starts kubeletctl or passes relevant arguments that target Kubelet endpoints (ports 10250/10255). It matches: process.name == kubeletctl, or process.args in (run, exec, scan, pods, runningpods, attach, portForward, cri, pid2pod) with server URLs matching *:10250* or *:10255*. It maps to MITRE ATT&CK techniques T1613 (Container and Resource Discovery), T1059 (Command and Scripting Interpreter) with subtechnique T1059.004 (Unix Shell), and T1609 (Container Administration Command). The rule uses the indices auditbeat-*, logs-auditd_manager.auditd-*, and logs-endpoint.events.process*, with event fields such as host.os.type, event.type, event.action, process.name, and process.args.

It has a risk_score of 47 and severity medium. False positives include legitimate admin or incident-response activity. Recommended response includes restricting Kubelet API network access, hardening Kubelet authentication/authorization, and rotating exposed Kubernetes credentials. The rule includes an investigation guide and references.
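As an added example (not the rule's own EQL and not vendor code), the following Python re-implements the matching logic described above and runs it over constructed ECS-style process events. The flat field names follow the summary; treating process start events as event.type == "start" is an assumption.

```python
"""Re-implementation of the summarised kubeletctl rule logic over
constructed process events (added example, not the rule's EQL)."""
from fnmatch import fnmatchcase

# Subcommands and Kubelet API ports named in the rule summary.
KUBELETCTL_SUBCOMMANDS = {"run", "exec", "scan", "pods", "runningpods",
                          "attach", "portForward", "cri", "pid2pod"}
KUBELET_PORT_GLOBS = ("*:10250*", "*:10255*")


def targets_kubelet_port(args):
    """True if any argument contains a Kubelet API port (glob match, as in the rule)."""
    return any(fnmatchcase(a, g) for a in args for g in KUBELET_PORT_GLOBS)


def matches_kubeletctl_rule(event):
    """Apply the summarised rule logic to one flat ECS-style event dict.
    Assumption: process start events carry event.type == "start"."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    args = event.get("process.args", [])
    if event.get("process.name") == "kubeletctl":
        return True
    # A renamed binary still trips the rule when it uses a kubeletctl
    # subcommand together with a Kubelet endpoint URL.
    return bool(KUBELETCTL_SUBCOMMANDS & set(args)) and targets_kubelet_port(args)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.type": "start", "process.name": "kubeletctl",
     "process.args": ["kubeletctl", "pods", "--server", "10.0.0.5"]},        # direct use
    {"host.os.type": "linux", "event.type": "start", "process.name": "kctl",
     "process.args": ["kctl", "scan", "--server", "10.0.0.5:10255"]},         # renamed binary
    {"host.os.type": "linux", "event.type": "start", "process.name": "curl",
     "process.args": ["curl", "-k", "https://10.0.0.5:10250/pods"]},          # no subcommand arg
    {"host.os.type": "windows", "event.type": "start", "process.name": "kubeletctl",
     "process.args": ["kubeletctl", "pods"]},                                  # not a Linux host
    {"host.os.type": "linux", "event.type": "end", "process.name": "kubeletctl",
     "process.args": ["kubeletctl", "exec", "--server", "node1:10250"]},       # exit, not start
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the match verdict for each event, in order."""
    return [matches_kubeletctl_rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{'ALERT ' if hit else 'ignore'}  {' '.join(e['process.args'])}")
```

The third event shows a coverage limit worth knowing: a plain HTTP client reaching port 10250 without one of the listed subcommand arguments does not match, so network-level monitoring of the Kubelet ports remains a useful complement.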
Categories
- Endpoint
- Linux
- Kubernetes
- Containers
Data Sources
- Process
ATT&CK Techniques
- T1613
- T1059
- T1059.004
- T1609
Created: 2026-04-28