
Summary
This rule is designed to detect the execution of the kubeletctl command within a Linux container environment. Kubeletctl is a potent command-line tool used to access the Kubelet API directly, allowing for efficient interaction with Kubernetes resources. While kubeletctl can be utilized for legitimate purposes like troubleshooting, it poses a significant security risk as its misuse may indicate an attempt at lateral movement or enumeration of resources within the Kubernetes cluster. The rule specifically targets scenarios where kubeletctl is executed interactively, which is a common pattern for attackers aiming to exploit Kubernetes vulnerabilities.
The detection query looks for execution of the kubeletctl process and inspects its arguments for signs of malicious intent, such as subcommands that scan for or access other pods. It also checks whether the process is interactive and whether its arguments reference Kubelet ports, in order to determine whether the activity matches the known malicious patterns described by the MITRE ATT&CK techniques for command and scripting execution and container discovery.
The rule's impact assessment covers the unauthorized access, data disclosure, or service disruption that can result from kubeletctl exploitation, and stresses timely investigation to distinguish legitimate use from a security breach.
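As an added illustration (not the rule's own query), the following Python evaluator applies the criteria described above to constructed process events: the process must be kubeletctl, run inside a container, and be interactive, with subcommands and Kubelet port references reported as reasons. The event field names, the sample events and the subcommand list are assumptions; 10250 and 10255 are the Kubelet's default API and read-only ports.

```python
import shlex
from dataclasses import dataclass

# Default Kubelet API port and its read-only port (known defaults, not from the page).
KUBELET_PORTS = {"10250", "10255"}
# kubeletctl subcommands that access or enumerate other pods (assumption: the
# rule's actual argument list is not reproduced on this page).
SUSPECT_SUBCOMMANDS = {"scan", "exec", "run", "pods"}

@dataclass
class ProcessEvent:  # constructed event shape; field names are assumptions
    process_name: str
    command_line: str
    interactive: bool   # process attached to a TTY / interactive shell
    container_id: str   # empty when the process did not run in a container

def _kubelet_port_hits(args):
    """Yield Kubelet ports referenced via -p/--port or host:port arguments."""
    for i, tok in enumerate(args):
        if tok in ("-p", "--port") and i + 1 < len(args) and args[i + 1] in KUBELET_PORTS:
            yield args[i + 1]
        elif ":" in tok and tok.rsplit(":", 1)[-1] in KUBELET_PORTS:
            yield tok.rsplit(":", 1)[-1]

def evaluate(event: ProcessEvent) -> dict:
    """Apply the rule's criteria to one event and return why it matched."""
    args = shlex.split(event.command_line)
    is_kubeletctl = event.process_name == "kubeletctl" or (
        bool(args) and args[0].rsplit("/", 1)[-1] == "kubeletctl")
    # Out of scope: not kubeletctl, not in a container, or not interactive.
    if not is_kubeletctl or not event.container_id or not event.interactive:
        return {"match": False, "reasons": []}
    reasons = ["interactive kubeletctl execution inside a container"]
    subcmds = SUSPECT_SUBCOMMANDS.intersection(args[1:])
    if subcmds:
        reasons.append("pod access/enumeration subcommand: " + ", ".join(sorted(subcmds)))
    for port in sorted(set(_kubelet_port_hits(args))):
        reasons.append(f"targets Kubelet API port {port}")
    return {"match": True, "reasons": reasons}

# Constructed sample events: one interactive kubeletctl run, one non-interactive
# (batch) run, and one unrelated kubectl invocation.
SAMPLE_EVENTS = [
    ProcessEvent("kubeletctl", "kubeletctl pods -s 10.0.0.5:10250", True, "c1f3"),
    ProcessEvent("kubeletctl", "/usr/local/bin/kubeletctl pods -s 10.0.0.5", False, "c1f3"),
    ProcessEvent("kubectl", "kubectl get pods -A", True, "c1f3"),
]

def run_samples():
    return [evaluate(e) for e in SAMPLE_EVENTS]
```

Only the first sample matches; the batch run is excluded by the interactivity check, which is where legitimate troubleshooting sessions would still be surfaced for triage.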
Categories
- Containers
Data Sources
- Process
ATT&CK Techniques
- T1059
- T1059.004
- T1613
Created: 2026-02-02