Kubernetes and Cloud Credential Path Access via Process Arguments

Elastic Detection Rules

Summary
This rule flags Linux process executions whose command-line arguments reference high-value Kubernetes service-account material, kubeconfig files, node PKI paths, or common cloud and SSH credential files, particularly when the read is performed by a standard file-reading utility or by a process launched from an ephemeral directory. It detects potential credential access or exfiltration by matching invocations of common file-reading utilities (cat, head, sed, awk, grep, curl, base64 and the like) as well as executables located in writable or temporary areas (such as /tmp, /var/tmp, /dev/shm, /home and /run/user/*). The rule requires telemetry that captures process events together with their command-line arguments (via Elastic Defend and/or Auditd Manager).

When a match is found, the rule raises a high-severity alert and guides triage toward validating whether the observed activity is expected (for example, a CI job, a bootstrap script, or the kubelet reading a mounted secret). It also supports investigation by correlating with Kubernetes audit telemetry for secret reads, token minting, or API activity performed with the harvested material. For remediation, it recommends rotating the affected credentials (service-account tokens, kubeconfig, cloud tokens) and reviewing the RBAC and secret-mount policies of the workload.

The rule maps to the MITRE ATT&CK Credential Access techniques T1552 (Unsecured Credentials), T1552.001 (Credentials In Files) and T1528 (Steal Application Access Token). It assumes endpoint-level process visibility on Linux hosts that hold critical credential files, which makes it applicable to in-cluster, hybrid, and multi-tenant detection scenarios.
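To make the matching logic concrete, the following is an added Python sketch of the detection described above; it is not the rule's own query (which this page does not reproduce), and the concrete credential paths, field names and sample events are assumptions chosen to illustrate the categories the summary names. It gates on "argument references credential material" and then on "read by a common utility or by an executable in a writable/temporary directory", following the first sentence of the summary.

```python
import re
from dataclasses import dataclass

# Credential locations the rule description names by category. The concrete
# list is an assumption for this example, not the rule's own query.
CREDENTIAL_PATH_PATTERNS = [
    r"/var/run/secrets/kubernetes\.io/serviceaccount/",  # service-account token/CA
    r"/\.kube/config",                                   # kubeconfig
    r"/etc/kubernetes/pki/",                             # node PKI material
    r"/\.aws/credentials",                               # cloud CLI credentials
    r"/\.ssh/id_[a-z0-9]+$",                             # SSH private keys
]
READER_UTILITIES = {"cat", "head", "sed", "awk", "grep", "curl", "base64"}
EPHEMERAL_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")

@dataclass
class ProcessEvent:
    name: str          # process.name
    executable: str    # process.executable
    args: list[str]    # process.args

def credential_paths(args: list[str]) -> list[str]:
    """Return the arguments that reference a monitored credential path."""
    return [a for a in args if any(re.search(p, a) for p in CREDENTIAL_PATH_PATTERNS)]

def matches(event: ProcessEvent) -> list[str]:
    """Return the credential paths that make this event alert, or [] if none."""
    # Alert only when an argument names credential material AND the read comes
    # from a common file-reading utility OR an executable in a temp/writable dir.
    hits = credential_paths(event.args)
    if not hits:
        return []
    via_reader = event.name in READER_UTILITIES
    via_ephemeral = event.executable.startswith(EPHEMERAL_PREFIXES)
    return hits if (via_reader or via_ephemeral) else []

# Constructed sample telemetry (not real host data).
SAMPLE_EVENTS = [
    ProcessEvent("cat", "/usr/bin/cat",
                 ["cat", "/var/run/secrets/kubernetes.io/serviceaccount/token"]),
    ProcessEvent("collector", "/tmp/.cache/collector",
                 ["collector", "--input", "/root/.kube/config"]),
    ProcessEvent("less", "/usr/bin/less", ["less", "/etc/kubernetes/pki/ca.crt"]),  # outside scope
    ProcessEvent("cat", "/usr/bin/cat", ["cat", "/etc/hostname"]),                  # benign read
]

def alerts(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Run the detection over a batch and return (process.name, paths) per hit."""
    return [(e.name, hits) for e in events if (hits := matches(e))]
```

The third sample shows the rule's scope boundary: a credential path read by a utility outside the monitored set, from a system location, does not alert, which is why triage should also consult Kubernetes audit telemetry rather than relying on this rule alone.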
Categories
  • Endpoint
  • Kubernetes
  • Cloud
Data Sources
  • Process
ATT&CK Techniques
  • T1552
  • T1552.001
  • T1528
Created: 2026-04-29