
Tool Enumeration Detected via Defend for Containers

Elastic Detection Rules

Summary
This detection rule identifies attempts by adversaries to enumerate tools within a Linux container using the 'which' command. 'which' returns the path of the executable behind each command name passed as an argument, so a single invocation can reveal which networking, control, and scanning utilities are available in the container. Adversaries typically use that information to manipulate the cluster, conduct network reconnaissance, or download payloads while avoiding detection.

The rule monitors for interactive use of the 'which' command during the rule's specified time frame and correlates matches with Kubernetes audit logs to determine whether the access was legitimate. It carries a risk score of 21 and can yield false positives, especially when legitimate users run 'which' while debugging or troubleshooting.

Investigation steps include correlating audit logs, reviewing the process tree, inspecting outbound connections, and confirming that the interactive access aligns with an approved maintenance task. Remediation involves terminating unauthorized shells, monitoring for further suspicious activity, and hardening configurations against unauthorized access.
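The correlation the summary describes (an interactive 'which' inside a container, checked against Kubernetes audit records of pod exec sessions) can be sketched in code. The following Python is an added illustration written for this page, not the rule's actual query or any Elastic code; the ECS-style field names, the five-minute correlation window, and every sample event are assumptions constructed for the example.

```python
"""Toy re-implementation of the 'interactive which in a container' logic.

Added illustration only. Field names follow ECS-style naming
(process.name, process.args, process.interactive, container.id), but the
exact fields and time frame the production rule uses are assumptions here.
"""
from datetime import datetime, timedelta


def is_interactive_which(event):
    """True when a 'which' process runs interactively inside a container."""
    return (
        event.get("process.name") == "which"
        and event.get("process.interactive") is True
        and bool(event.get("container.id"))
    )


def correlate_exec_audit(event, audit_events, window=timedelta(minutes=5)):
    """Return the most recent Kubernetes audit record for a pods/exec call
    on the same pod within `window` before the process started, or None."""
    ts = event["@timestamp"]
    candidates = [
        a for a in audit_events
        if a.get("kubernetes.pod.name") == event.get("kubernetes.pod.name")
        and a.get("verb") == "create"
        and a.get("subresource") == "exec"
        and ts - window <= a["@timestamp"] <= ts
    ]
    return max(candidates, key=lambda a: a["@timestamp"], default=None)


def evaluate(events, audit_events):
    """Emit one alert per interactive 'which' in a container, annotated with
    the user from the matching exec audit record when one exists. An alert
    with exec_user=None is the case an analyst should chase first: an
    interactive shell with no visible kubectl exec behind it."""
    alerts = []
    for ev in events:
        if not is_interactive_which(ev):
            continue
        audit = correlate_exec_audit(ev, audit_events)
        alerts.append({
            "pod": ev.get("kubernetes.pod.name"),
            "args": ev.get("process.args"),
            "exec_user": audit.get("user") if audit else None,
            "risk_score": 21,  # score stated on the page for this rule
        })
    return alerts


# Constructed sample data (not real telemetry).
T0 = datetime(2026, 1, 21, 10, 0, 0)

SAMPLE_AUDIT_EVENTS = [
    {"@timestamp": T0, "verb": "create", "subresource": "exec",
     "kubernetes.pod.name": "web-7d9f", "user": "alice@example.com"},
]

SAMPLE_PROCESS_EVENTS = [
    # Interactive 'which' in a container, explained by alice's exec: alert.
    {"@timestamp": T0 + timedelta(seconds=30), "process.name": "which",
     "process.args": ["which", "curl", "nc"], "process.interactive": True,
     "container.id": "abc123", "kubernetes.pod.name": "web-7d9f"},
    # Non-interactive 'which' from an entrypoint script: no alert.
    {"@timestamp": T0 + timedelta(minutes=1), "process.name": "which",
     "process.args": ["which", "python3"], "process.interactive": False,
     "container.id": "def456", "kubernetes.pod.name": "build-1"},
    # Interactive 'which' on the host (no container.id): out of scope.
    {"@timestamp": T0 + timedelta(minutes=2), "process.name": "which",
     "process.args": ["which", "ssh"], "process.interactive": True},
    # Interactive 'which' in a pod with no exec audit record: alert, unexplained.
    {"@timestamp": T0 + timedelta(minutes=4), "process.name": "which",
     "process.args": ["which", "wget"], "process.interactive": True,
     "container.id": "9f9f9f", "kubernetes.pod.name": "api-55c"},
]


def run_sample():
    """Evaluate the constructed sample and return the alert list."""
    return evaluate(SAMPLE_PROCESS_EVENTS, SAMPLE_AUDIT_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the sample yields two alerts: one for pod web-7d9f that is tied to alice's exec session (a candidate false positive to confirm against approved maintenance), and one for pod api-55c with no exec record, which is the shape of finding the investigation steps above are written for.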
Categories
  • Containers
  • Linux
Data Sources
  • Container
  • Process
ATT&CK Techniques
  • T1518
  • T1613
Created: 2026-01-21