Kubernetes Pod Exec Sensitive File or Credential Path Access

Elastic Detection Rules

Summary
Detects Kubernetes pod exec sessions by reconstructing the executed command from Kubernetes audit logs and matching against patterns that indicate access to sensitive host/in-cluster paths and credential-related material (e.g., mounted service accounts, kubelet/config areas, host credential stores, private keys, keystores, kubeconfig, and environment reads). Excludes benign resolv.conf reads to reduce false positives. Classifies the type of access into Esql.access_type buckets to speed triage without affecting detection predicates. Maps detections to MITRE ATT&CK techniques T1552 (Unsecured Credentials) with subtechniques T1552.001 (Credentials In Files) and T1552.007 (Container API), and T1609 (Container Administration Command) under Credential Access and Execution. The rule has a high severity and risk_score (73) and is intended to catch interactive or scripted access that often precedes lateral movement or credential theft, while guiding responders through triage and remediation steps such as session termination, credential rotation, and tightening RBAC/admission controls.
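The detection flow described above (reconstruct the exec command from audit-log query parameters, drop the benign resolv.conf read, match sensitive-path patterns, and bucket the hit into an access type), written out as a small Python illustration. This is an added example, not the Elastic rule's own ES|QL: the pattern list and the access_type bucket names are assumptions chosen to mirror the categories named in the summary, and the audit events are constructed sample records (the verb, objectRef and requestURI fields themselves are standard Kubernetes audit-log fields, and kubectl exec does encode each argv element as a repeated command query parameter).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Ordered (access_type, pattern) pairs; first match wins. These are illustrative
# assumptions standing in for the rule's real predicates, not copied from it.
SENSITIVE_PATTERNS = [
    ("service_account_token", re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount")),
    ("kubelet_or_cluster_config", re.compile(r"/var/lib/kubelet|/etc/kubernetes")),
    ("kubeconfig", re.compile(r"kubeconfig|\.kube/config")),
    ("private_key", re.compile(r"\.pem\b|\.key\b|id_(rsa|ecdsa|ed25519)\b")),
    ("keystore", re.compile(r"\.(jks|p12|pfx)\b")),
    ("host_credential_store", re.compile(r"/etc/shadow|\.docker/config\.json|\.aws/credentials")),
    ("environment_read", re.compile(r"(^|\s)(env|printenv)(\s|$)|/proc/(\d+|self)/environ")),
]
# The one exclusion the summary names: a plain read of resolv.conf is benign.
BENIGN_RESOLV_CONF = re.compile(r"^/etc/resolv\.conf$")


def is_pod_exec(event):
    """Only pods/exec creations carry an executed command."""
    obj = event.get("objectRef", {})
    return (event.get("verb") == "create"
            and obj.get("resource") == "pods"
            and obj.get("subresource") == "exec")


def reconstruct_command(event):
    """kubectl exec sends argv as repeated 'command' query parameters, URL-encoded."""
    query = urlsplit(event.get("requestURI", "")).query
    return parse_qs(query, keep_blank_values=True).get("command", [])


def classify(argv):
    """Return an access_type bucket for the command, or None when nothing sensitive is touched."""
    # Drop resolv.conf tokens first so a DNS troubleshooting read never alerts on its own.
    tokens = [t for t in argv if not BENIGN_RESOLV_CONF.match(t)]
    text = " ".join(tokens)
    for access_type, pattern in SENSITIVE_PATTERNS:
        if pattern.search(text):
            return access_type
    return None


def evaluate(events):
    """Run the detection over audit events and return one alert dict per sensitive exec."""
    alerts = []
    for ev in events:
        if not is_pod_exec(ev):
            continue
        argv = reconstruct_command(ev)
        access_type = classify(argv)
        if access_type is None:
            continue
        obj = ev["objectRef"]
        alerts.append({
            "user": ev.get("user", {}).get("username"),
            "namespace": obj.get("namespace"),
            "pod": obj.get("name"),
            "command": " ".join(argv),
            "access_type": access_type,
        })
    return alerts


# Constructed sample audit events (not real cluster data).
SAMPLE_AUDIT_EVENTS = [
    {   # benign: DNS troubleshooting inside the pod
        "verb": "create", "user": {"username": "dev-alice"},
        "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "web", "name": "web-0"},
        "requestURI": "/api/v1/namespaces/web/pods/web-0/exec"
                      "?command=cat&command=%2Fetc%2Fresolv.conf&container=web&stdout=true",
    },
    {   # mounted service account token read
        "verb": "create", "user": {"username": "dev-alice"},
        "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "web", "name": "web-0"},
        "requestURI": "/api/v1/namespaces/web/pods/web-0/exec"
                      "?command=cat&command=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken"
                      "&container=web&stdout=true",
    },
    {   # environment dump, often where injected secrets live
        "verb": "create", "user": {"username": "ci-runner"},
        "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "build", "name": "job-7"},
        "requestURI": "/api/v1/namespaces/build/pods/job-7/exec?command=env&container=job&stdout=true",
    },
    {   # not an exec at all; ignored by the subresource filter
        "verb": "list", "user": {"username": "dev-alice"},
        "objectRef": {"resource": "pods", "namespace": "web"},
        "requestURI": "/api/v1/namespaces/web/pods",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_AUDIT_EVENTS):
        print(alert)
```

The access_type bucket is computed after the match decision, so changing bucket names or order only affects triage labels, never whether an event alerts, which is the separation the summary describes. Tightening the pattern list (for example adding a host credential path specific to your environment) is where tuning belongs.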
Categories
  • Kubernetes
  • Containers
Data Sources
  • Application Log
  • Process
  • File
  • Command
ATT&CK Techniques
  • T1552
  • T1552.001
  • T1552.007
  • T1609
Created: 2026-04-23