
File Creation, Execution and Self-Deletion in Suspicious Directory
Elastic Detection Rules
Summary
This threat detection rule monitors for a specific pattern indicative of potentially malicious activity on Linux systems, characterized by the rapid creation, execution, and deletion of files within temporary and often abused directories. The rule identifies sequences of events: a file is created (using common tools such as 'curl' or 'wget'), it is executed, and then deleted shortly after—all occurring in sensitive locations like '/tmp' or '/dev/shm', which are commonly targeted by malware to minimize traces of their actions. The rule aims to detect tactics that align with malware behaviors that execute code and then erase their footprints to evade detection. Analysts are advised to conduct thorough investigations whenever such patterns are flagged, considering the possibility of both legitimate and malicious triggers. The suggested investigation steps focus on examining file and process details, user actions, and correlating alerts to determine the legitimacy of the detected behavior, alongside efforts to mitigate false positives from benign usage of shared directories.
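To make the sequence logic concrete, here is a small stand-alone detector, added as an example and not Elastic's rule code, that walks constructed file and process events and reports only a create-by-downloader, execute, delete chain on the same path inside a watched directory within a time window. The watched directory list, the downloader names, and the 60-second window are assumptions chosen for the example.

```python
"""Toy create -> execute -> delete sequence detector (added example)."""
from dataclasses import dataclass

SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumption: watched prefixes
DOWNLOADERS = {"curl", "wget"}                        # assumption: creating tools
WINDOW_SECONDS = 60                                   # assumption: create-to-delete span


@dataclass(frozen=True)
class Event:
    ts: float       # epoch seconds
    category: str   # "file" or "process"
    action: str     # "creation", "deletion" or "exec"
    path: str       # file path, or executable path for process events
    process: str    # name of the acting process


def in_suspicious_dir(path):
    return path.startswith(SUSPICIOUS_DIRS)


def detect_sequences(events, window=WINDOW_SECONDS):
    """Return (path, created_ts, deleted_ts) for every full chain found."""
    hits, state = [], {}  # state: path -> {"created": ts, "executed": bool}
    for ev in sorted(events, key=lambda e: e.ts):
        if not in_suspicious_dir(ev.path):
            continue  # shared-directory activity elsewhere is out of scope
        if ev.category == "file" and ev.action == "creation" and ev.process in DOWNLOADERS:
            state[ev.path] = {"created": ev.ts, "executed": False}
        elif ev.category == "process" and ev.action == "exec" and ev.path in state:
            if ev.ts - state[ev.path]["created"] <= window:
                state[ev.path]["executed"] = True
        elif ev.category == "file" and ev.action == "deletion" and ev.path in state:
            s = state.pop(ev.path)  # chain closes; only alert if it was executed in time
            if s["executed"] and ev.ts - s["created"] <= window:
                hits.append((ev.path, s["created"], ev.ts))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry for the example, not real data
    Event(100.0, "file", "creation", "/tmp/.x", "curl"),
    Event(101.0, "process", "exec", "/tmp/.x", ".x"),
    Event(102.5, "file", "deletion", "/tmp/.x", ".x"),
    Event(200.0, "file", "creation", "/home/user/build.sh", "wget"),  # not a watched dir
    Event(201.0, "process", "exec", "/home/user/build.sh", "build.sh"),
    Event(202.0, "file", "deletion", "/home/user/build.sh", "rm"),
    Event(300.0, "file", "creation", "/dev/shm/cache", "curl"),  # never executed
    Event(301.0, "file", "deletion", "/dev/shm/cache", "rm"),
]

if __name__ == "__main__":
    for path, created, deleted in detect_sequences(SAMPLE_EVENTS):
        print(f"ALERT: {path} created at {created}, executed, deleted at {deleted}")
```

Only the /tmp chain fires; the benign-looking home-directory build script and the never-executed /dev/shm file are the kinds of events the investigation steps above treat as potential false positives.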
Categories
- Endpoint
- Linux
- Cloud
Data Sources
- File
- Process
ATT&CK Techniques
- T1059
- T1059.004
Created: 2023-08-28