Direct Interactive Kubernetes API Request by Unusual Utilities

Elastic Detection Rules

Summary
This detection rule identifies unusual interactive commands executed within Kubernetes containers that call the Kubernetes API directly using atypical utilities. Such interactions can indicate malicious activity, including lateral movement and enumeration attempts within a Kubernetes cluster: an adversary may issue these API calls to gain unauthorized access to sensitive resources or to manipulate resources within the cluster. The rule leverages data from Defend for Containers and Kubernetes audit logs, monitoring for sequences of direct interactive requests alongside Kubernetes API activity involving pivotal resources such as pods, secrets, and service accounts, which may suggest hands-on-keyboard discovery or lateral movement. The rule also lays out investigative steps to distinguish legitimate usage from potentially malicious activity, includes methods for assessing false positives, and emphasizes appropriate response measures to mitigate risk if a threat is confirmed.
Categories
  • Kubernetes
  • Containers
  • Cloud
  • Linux
Data Sources
  • Kernel
  • Container
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1613
Created: 2026-01-21