Kubernetes Pod Exec Cloud Instance Metadata Access

Elastic Detection Rules

Summary
Detects Kubernetes pod exec sessions whose decoded command line references cloud instance metadata endpoints, or equivalent hostnames and paths. The rule targets attempts to read cloud instance metadata services (AWS IMDS, GCP computeMetadata, Azure IMDS) from within a pod, including encoded variants; such reads can expose short-lived credentials or instance attributes to code running inside containers. It decodes the exec request URI, reconstructs the executed command, and labels the cloud surface being targeted (AWS_IMDS, GCP_METADATA, AZURE_IMDS) together with whether the activity looks like credential theft or lighter reconnaissance. The detection is mapped to MITRE ATT&CK techniques for credential access via cloud instance metadata APIs and for container execution contexts. The alert populates the fields Esql.cloud_target and Esql.is_credential_theft for downstream correlation. It is designed to surface high-risk behaviors in multi-tenant or regulated environments where containerized workloads should not be reaching metadata endpoints. The rule is complemented by triage guidance, potential investigation steps, known false positives, and remediation recommendations, with a focus on rapid containment and credential hygiene when unauthorized access is detected.
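As an added illustration of the decode, reconstruct and classify flow the summary describes (example code written here, not the rule's own ES|QL), the following Python runs that logic over constructed pod exec request URIs; the indicator strings, the credential-path heuristic and the exec_uri helper are assumptions for the example, not the rule's actual patterns.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Indicator lists are assumptions for this example, not the rule's own patterns.
# Azure is checked before AWS because both are reached through 169.254.169.254.
TARGETS = [
    ("AZURE_IMDS", ("/metadata/instance", "/metadata/identity")),
    ("GCP_METADATA", ("metadata.google.internal", "/computemetadata/")),
    ("AWS_IMDS", ("169.254.169.254", "fd00:ec2::254", "/latest/meta-data")),
]
CREDENTIAL_PATHS = ("/iam/security-credentials", "/service-accounts/", "/oauth2/token")

def exec_uri(namespace, pod, *argv):
    """Build a pod exec request URI the way kubectl does (constructed sample input)."""
    query = urlencode([("command", a) for a in argv] + [("stdout", "true")])
    return f"/api/v1/namespaces/{namespace}/pods/{pod}/exec?{query}"

def reconstruct_command(request_uri):
    """Join the repeated, percent-decoded `command=` parameters into the executed line."""
    return " ".join(parse_qs(urlsplit(request_uri).query).get("command", []))

def expand_encoded(cmd):
    """Append decoded base64-looking tokens so `echo <b64> | base64 -d | sh` variants match."""
    decoded = []
    for tok in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", cmd):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # not real base64; binascii.Error is a ValueError subclass
            pass
    return " ".join([cmd, *decoded])

def classify(request_uri):
    """Return (cloud_target, is_credential_theft), or None if no metadata endpoint is referenced."""
    text = expand_encoded(reconstruct_command(request_uri)).lower()
    for target, markers in TARGETS:
        if any(m in text for m in markers):
            return target, any(p in text for p in CREDENTIAL_PATHS)
    return None

# Constructed exec requests: AWS credential read, base64-wrapped GCP recon, Azure token read, benign.
GCP_B64 = base64.b64encode(b"curl http://metadata.google.internal/computeMetadata/v1/instance/hostname").decode()
SAMPLES = {
    "aws_creds": exec_uri("prod", "web-7d9f", "curl", "-s",
                          "http://169.254.169.254/latest/meta-data/iam/security-credentials/"),
    "gcp_encoded": exec_uri("prod", "web-7d9f", "sh", "-c", f"echo {GCP_B64} | base64 -d | sh"),
    "azure_token": exec_uri("prod", "api-1", "curl", "-H", "Metadata:true",
                            "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"),
    "benign": exec_uri("prod", "api-1", "ls", "/var/log"),
}
```

Calling classify on each SAMPLES entry yields the two values the alert carries as Esql.cloud_target and Esql.is_credential_theft; only the benign entry returns None.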
Categories
  • Kubernetes
  • Cloud
  • Containers
Data Sources
  • Pod
  • Container
  • Application Log
ATT&CK Techniques
  • T1552
  • T1552.005
  • T1609
Created: 2026-04-23