
Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers
Elastic Detection Rules
Summary
Detects a rapid, multi-stage sequence inside a container where a file is created in a transient writable location (such as /tmp, /dev/shm, /var/tmp, or similar) by a transfer utility or shell invocation, immediately executed, and then deleted shortly after. The rule correlates file creation events with a subsequent process start (often a shell executing a downloaded payload) and a final file deletion, all within a 10-second window. This pattern is a common defense-evasion technique used to minimize on-disk artifacts and hinder forensic review, potentially enabling credential theft or lateral movement. It leverages Defend for Containers data sources (process and file events) and maps to MITRE ATT&CK techniques including T1070.004 (File Deletion) for indicator removal, T1059 (Command and Scripting Interpreter) with subtechnique Unix Shell, and related execution/obfuscated-artifact behavior (e.g., T1204 when applicable). The detection focuses on Linux-based containers with integration to cloud_defend logs, combining creation, execution, and deletion events to flag suspicious runtime behavior within a tight time window.
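As an added illustration of the correlation the description outlines (not the Elastic rule's own query, and independent of its real field names), the function below walks constructed container file and process events, grouped per container and path, and reports every create, execute, delete chain in a transient directory that completes within the 10-second window; the event schema and directory prefixes are assumptions for this example.

```python
from collections import defaultdict

# Transient writable locations named in the rule description (assumed prefixes)
TRANSIENT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
WINDOW_SECONDS = 10.0  # create -> exec -> delete must complete inside this window

def is_transient(path):
    return any(path.startswith(d) for d in TRANSIENT_DIRS)

def find_sequences(events):
    """Return (container, path, t_create, t_exec, t_delete) for each chain of
    file_create -> process_start -> file_delete on one path in one container
    that completes within WINDOW_SECONDS of the creation event.
    Event dicts (constructed schema): ts (seconds), container, kind, path,
    where path is the created/deleted file or the script a process executes."""
    by_key = defaultdict(list)  # group by (container, path); only transient paths matter
    for ev in events:
        if is_transient(ev["path"]):
            by_key[(ev["container"], ev["path"])].append(ev)
    hits = []
    for (cid, path), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, c in enumerate(evs):
            if c["kind"] != "file_create":
                continue
            t_exec = t_del = None
            for e in evs[i + 1:]:
                if e["ts"] - c["ts"] > WINDOW_SECONDS:
                    break  # later events fall outside the window
                if e["kind"] == "process_start" and t_exec is None:
                    t_exec = e["ts"]
                elif e["kind"] == "file_delete" and t_exec is not None:
                    t_del = e["ts"]  # deletion only counts after execution
                    break
            if t_exec is not None and t_del is not None:
                hits.append((cid, path, c["ts"], t_exec, t_del))
    return hits

# Constructed sample telemetry: a complete chain (c1), a chain whose deletion
# lands outside the window (c2), and a benign write with no execution (c3).
SAMPLE_EVENTS = [
    {"ts": 100.0, "container": "c1", "kind": "file_create", "path": "/tmp/x.sh"},
    {"ts": 101.5, "container": "c1", "kind": "process_start", "path": "/tmp/x.sh"},
    {"ts": 103.0, "container": "c1", "kind": "file_delete", "path": "/tmp/x.sh"},
    {"ts": 200.0, "container": "c2", "kind": "file_create", "path": "/dev/shm/a"},
    {"ts": 205.0, "container": "c2", "kind": "process_start", "path": "/dev/shm/a"},
    {"ts": 215.0, "container": "c2", "kind": "file_delete", "path": "/dev/shm/a"},
    {"ts": 300.0, "container": "c3", "kind": "file_create", "path": "/tmp/cache.db"},
]
```

Running `find_sequences(SAMPLE_EVENTS)` flags only the c1 chain; c2 is dropped because its deletion arrives 15 seconds after creation, and c3 never executes.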
Categories
- Containers
- Linux
Data Sources
- File
- Process
ATT&CK Techniques
- T1070
- T1070.004
- T1059
- T1059.004
- T1204
- T1204.002
Created: 2026-03-05