Curl SOCKS Proxy Activity from Unusual Parent

Elastic Detection Rules

Summary
This detection rule identifies suspicious use of the `curl` command-line tool with SOCKS proxy options when it is launched from an atypical parent process on Linux systems. Attackers may use `curl` to establish SOCKS proxy connections that bypass security controls, exfiltrate sensitive data, or carry traffic to Command and Control (C2) servers. The rule targets process executions whose characteristics suggest misuse: the immediate parent process runs from an unusual path (such as /tmp or /var/tmp) or is a shell. It looks for the specific command-line arguments that select a SOCKS proxy, together with environment variables that may carry a proxy configuration. The rule runs in real time, is written in Elastic's EQL, carries a risk score of 21 (low), and requires data from the Elastic Defend integration.
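As an added example (not the rule's own EQL query, which this page does not reproduce), the following Python approximates the logic the summary describes and runs it over constructed process events; the simplified event field names, the shell list and the flag and variable lists are assumptions, not the rule's definitions.

```python
# Added example, not the rule's own EQL: a Python predicate that approximates
# the detection described above and runs it over constructed process events.
SOCKS_FLAGS = {"--socks4", "--socks4a", "--socks5", "--socks5-hostname"}
PROXY_FLAGS = {"-x", "--proxy", "--preproxy"}  # count only when the value is a socks URL
PROXY_ENV_VARS = {"all_proxy", "http_proxy", "https_proxy"}  # compared case-insensitively
UNUSUAL_PARENT_DIRS = ("/tmp/", "/var/tmp/")
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}  # assumed shell set, not the rule's


def curl_uses_socks(args):
    """True when the curl argv selects a SOCKS proxy through a flag."""
    return any(a in SOCKS_FLAGS or (a in PROXY_FLAGS and n.lower().startswith("socks"))
               for a, n in zip(args, args[1:] + [""]))


def env_sets_socks_proxy(env_vars):
    """True when a proxy environment variable (any case) carries a socks URL."""
    return any(k.lower() in PROXY_ENV_VARS and v.lower().startswith("socks")
               for k, _, v in (e.partition("=") for e in env_vars))


def parent_is_unusual(parent_exe, parent_name):
    """Parent runs from /tmp or /var/tmp, or is a shell, as the summary describes."""
    return parent_exe.startswith(UNUSUAL_PARENT_DIRS) or parent_name in SHELL_NAMES


def matches(event):
    """Event dicts use a constructed, simplified shape, not Elastic's ECS field names."""
    if event["name"] != "curl" or not parent_is_unusual(event["parent_exe"], event["parent_name"]):
        return False
    return curl_uses_socks(event["args"]) or env_sets_socks_proxy(event.get("env_vars", []))


SAMPLE_EVENTS = [  # constructed sample telemetry; hosts are placeholders, not indicators
    {"id": "shell-socks5-flag", "name": "curl", "parent_exe": "/usr/bin/bash", "parent_name": "bash",
     "args": ["curl", "--socks5", "127.0.0.1:1080", "https://proxy.example.invalid/"]},
    {"id": "tmp-parent-proxy-url", "name": "curl", "parent_exe": "/tmp/.cache/loader", "parent_name": "loader",
     "args": ["curl", "-x", "socks5h://127.0.0.1:9050", "https://proxy.example.invalid/"]},
    {"id": "shell-env-all-proxy", "name": "curl", "parent_exe": "/bin/sh", "parent_name": "sh",
     "args": ["curl", "https://proxy.example.invalid/"], "env_vars": ["all_proxy=socks5://127.0.0.1:1080"]},
    {"id": "shell-http-proxy-only", "name": "curl", "parent_exe": "/usr/bin/bash", "parent_name": "bash",
     "args": ["curl", "-x", "http://127.0.0.1:3128", "https://proxy.example.invalid/"]},
    {"id": "service-parent-socks5", "name": "curl", "parent_exe": "/usr/bin/python3", "parent_name": "python3",
     "args": ["curl", "--socks5", "127.0.0.1:1080", "https://proxy.example.invalid/"]},
]


def triggered_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the approximated rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(triggered_ids())  # ['shell-socks5-flag', 'tmp-parent-proxy-url', 'shell-env-all-proxy']
```

The last two sample events show the two ways a `curl` invocation falls outside the description: a plain HTTP proxy rather than SOCKS, and a parent that is neither a shell nor under /tmp or /var/tmp.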
Categories
  • Endpoint
Data Sources
  • Process
  • Script
ATT&CK Techniques
  • T1572 (Protocol Tunneling)
Created: 2024-11-04