
Summary
This detection rule identifies instances where files are copied or moved to the '/tmp' directory in *nix environments, a location commonly abused because it is world-writable. Adversaries often stage tooling in '/tmp' while attempting to remain undetected, which makes it a point of interest for threat detection. The rule uses Splunk search logic to filter process-execution events for commands that copy (cp) or move (mv) files into this directory. Because legitimate applications also write to '/tmp', allowlisting is needed to reduce false positives. The detection aligns with known threat actor behaviors, including those attributed to UNC5221 and UTA0178, and references several relevant atomic tests for validation purposes. Users are encouraged to review their environments and adjust their detection strategies accordingly.
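The matching logic described above, as an added illustration in Python rather than the rule's own Splunk search: it parses constructed process-execution events (parent image plus command line), flags cp/mv invocations whose final operand is '/tmp' or a path beneath it, and drops events whose parent process is on a hypothetical allowlist.

```python
import shlex

# Constructed sample process-execution events (not real telemetry): one record per
# process start, with the parent image and the full command line.
SAMPLE_EVENTS = [
    {"parent": "/bin/bash", "cmdline": "cp /home/alice/payload.bin /tmp/.x"},
    {"parent": "/bin/bash", "cmdline": "mv ./stage.tar.gz /tmp"},
    {"parent": "/usr/bin/apt", "cmdline": "cp /var/cache/apt/pkg.deb /tmp/apt-dpkg-install-abc/"},
    {"parent": "/bin/bash", "cmdline": "cp /etc/hosts /home/alice/hosts.bak"},
    {"parent": "/bin/sh", "cmdline": "/usr/bin/mv -f report.pdf /tmp/report.pdf"},
    {"parent": "/bin/bash", "cmdline": "cat /tmp/notes.txt"},
]

# Hypothetical allowlist of parent processes known to stage files in /tmp legitimately.
ALLOWED_PARENTS = {"/usr/bin/apt"}


def destination_in_tmp(cmdline: str) -> bool:
    """True if the command is cp/mv and its final operand is /tmp or a path under it."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False  # unbalanced quotes; not a parseable command line
    if not argv:
        return False
    binary = argv[0].rsplit("/", 1)[-1]  # handle /usr/bin/mv as well as bare mv
    if binary not in {"cp", "mv"}:
        return False
    operands = [a for a in argv[1:] if not a.startswith("-")]
    if len(operands) < 2:
        return False  # need at least a source and a destination
    dest = operands[-1]
    return dest == "/tmp" or dest.startswith("/tmp/")


def detect(events, allowed_parents=ALLOWED_PARENTS):
    """Return the command lines that match the rule after allowlisting by parent process."""
    hits = []
    for ev in events:
        if ev["parent"] in allowed_parents:
            continue  # legitimate use of /tmp by a known parent; suppress
        if destination_in_tmp(ev["cmdline"]):
            hits.append(ev["cmdline"])
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```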
Categories
- Linux
- Endpoint
Data Sources
- File
- Process
- Network Traffic
ATT&CK Techniques
- T1027.002
- T1036
Created: 2024-02-09