Suspicious Download and Execute Pattern via Curl/Wget (a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa)
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.