
Summary
This detection rule identifies suspicious creation of pods or containers that execute commands commonly associated with persistence or privilege escalation in a Linux environment. It leverages data sources such as Auditbeat, Elastic Defend, CrowdStrike, and SentinelOne to analyze process creation events. The rule specifically looks for instances where `kubectl` or container runtime commands (such as `docker` or `nerdctl`) are used to run shell processes, which can indicate an attacker's effort to maintain persistent access or escalate privileges. The detection query combines multiple checks on process characteristics, command-line arguments, and command patterns often exploited by adversaries. By monitoring these events, the rule aids in early identification of potential container-based threats.
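The following is an added example, not the rule's own query: a simplified Python approximation of the check the summary describes, run over constructed process-creation events. The event field names (`process.name`, `process.args`, `process.command_line`) follow ECS-style naming but are an assumption here, and the shell and subcommand lists are illustrative rather than the rule's actual values.

```python
"""
Added example, not the rule's own query: a simplified approximation of the
check the summary describes, applied to constructed process-creation events.
Field names (process.name, process.args, process.command_line) are an
ECS-style assumption; the real rule's exact query is not reproduced here.
"""
import posixpath
import shlex

# Container / orchestrator CLIs named in the summary.
CONTAINER_CLIS = {"kubectl", "docker", "nerdctl"}
# Subcommands that start a container or attach to a running one.
EXEC_SUBCOMMANDS = {"exec", "run"}
# Shells whose appearance as the in-container command is the signal (assumed list).
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}


def parse_args(event):
    """Return the argv list for an event, preferring process.args over command_line."""
    proc = event.get("process", {})
    if proc.get("args"):
        return list(proc["args"])
    return shlex.split(proc.get("command_line", ""))


def is_suspicious_container_shell(event):
    """True when a container CLI is used to run or exec a shell inside a container.

    Mirrors the summary's logic: the process is kubectl/docker/nerdctl, the
    invocation uses an exec-style subcommand, and one of the remaining
    arguments is a shell binary (given by bare name or by absolute path).
    """
    args = parse_args(event)
    if not args:
        return False
    name = event.get("process", {}).get("name") or posixpath.basename(args[0])
    if name not in CONTAINER_CLIS:
        return False
    rest = args[1:]
    if not any(tok in EXEC_SUBCOMMANDS for tok in rest):
        return False
    # A shell passed as the command to run inside the pod/container.
    return any(posixpath.basename(tok) in SHELLS for tok in rest)


def scan(events):
    """Return the command lines of all events that match the check."""
    return [
        e["process"].get("command_line") or " ".join(e["process"]["args"])
        for e in events
        if is_suspicious_container_shell(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process": {"name": "kubectl", "command_line": "kubectl exec -it web-0 -- /bin/bash"}},
    {"process": {"name": "docker", "command_line": "docker run --rm -it alpine sh"}},
    {"process": {"name": "nerdctl", "args": ["nerdctl", "exec", "app", "bash", "-c", "crontab -l"]}},
    {"process": {"name": "kubectl", "command_line": "kubectl get pods -A"}},
    {"process": {"name": "kubectl", "command_line": "kubectl exec web-0 -- ls /tmp"}},
    {"process": {"name": "docker", "command_line": "docker ps -a"}},
    # The CLI name appears only as an argument; the process itself is a shell.
    {"process": {"name": "bash", "command_line": "bash -c 'kubectl version'"}},
]

if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Only the first three sample events are flagged: `kubectl exec web-0 -- ls /tmp` is an exec without a shell, and the final event is a shell that merely mentions `kubectl` in its arguments, so neither matches. A production rule would additionally use parent-process and user context to reduce noise from legitimate administrative sessions.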
Categories
- Containers
- Endpoint
- Cloud
Data Sources
- Container
- Process
- Cloud Service
- User Account
- Network Traffic
ATT&CK Techniques
- T1059
- T1059.004
- T1609
- T1611
- T1053
- T1053.002
- T1053.003
Created: 2025-12-01