
Execution Of Script Located In Potentially Suspicious Directory

Sigma Rules

Summary
This detection rule monitors and alerts on the execution of scripts located in directories commonly associated with suspicious activity, particularly the '/tmp' directory on Linux systems. It targets commands executed through various shell programs (e.g., bash, sh, csh, fish) whose command lines match patterns that indicate elevated risk. An alert is triggered only when all of the rule's selections match: the executing process is one of the listed shells, the command line contains the '-c' flag, and the command line references a script under '/tmp/'. This type of detection is valuable for identifying potential attacks, for example by malware such as GobRAT, which can use temporary directories to stage and execute payloads. The rule is rated at medium level; it may produce some false positives, but these can generally be investigated further to confirm or rule out malicious intent.
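The following is an added example, not part of the rule page or the Sigma project's code, that re-implements the matching logic described above in Python and runs it over a few constructed process-creation events. It assumes Sigma's process_creation field names (Image, CommandLine), assumes the rule's shell list is the four shells named here (the published rule may list more), and assumes the '-c' test is a padded substring match (' -c ') so that unrelated flags such as '-cp' do not match. The JSON-lines input is constructed for the example.

```python
"""Toy re-implementation of the rule's selection logic (added example, not the Sigma rule itself)."""
import json
from typing import Dict, Iterable, List

# Shells named on the page. The published rule may list others (e.g. dash, zsh);
# treat this tuple as an assumption, not the rule's exact list.
SHELL_SUFFIXES = tuple("/" + s for s in ("bash", "sh", "csh", "fish"))

# Sigma 'contains' is a plain substring test; padding ' -c ' with spaces avoids
# matching unrelated flags such as '-cp' or '--color' (assumed padding).
FLAG_TOKEN = " -c "
SUSPICIOUS_DIR = "/tmp/"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True only when all three selections hold, mirroring 'all of selection_*'."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    is_shell = image.endswith(SHELL_SUFFIXES)   # selection: executing process is a shell
    has_c_flag = FLAG_TOKEN in cmdline           # selection: command passed via -c
    from_tmp = SUSPICIOUS_DIR in cmdline         # selection: references /tmp/
    return is_shell and has_c_flag and from_tmp


def scan_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse JSON-lines process-creation events and return the ones that match."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the whole scan
        if matches_rule(event):
            hits.append(event)
    return hits


# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = """
{"Image": "/usr/bin/bash", "CommandLine": "/bin/bash -c /tmp/update.sh", "User": "www-data"}
{"Image": "/usr/bin/bash", "CommandLine": "bash -c 'ls -la /home'", "User": "alice"}
{"Image": "/usr/bin/python3", "CommandLine": "python3 /tmp/report.py", "User": "alice"}
{"Image": "/bin/sh", "CommandLine": "sh /tmp/install.sh", "User": "root"}
{"Image": "/usr/bin/fish", "CommandLine": "fish -c /tmp/.cache/run", "User": "nobody"}
{"Image": "/bin/bash", "CommandLine": "bash --color=auto -cp /tmp/a", "User": "bob"}
"""

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_LOG.splitlines()):
        print(f"ALERT user={hit['User']} cmd={hit['CommandLine']}")
```

Only the first and fifth sample events match. The fourth event ('sh /tmp/install.sh') runs a script from /tmp/ but without '-c', so it falls outside the rule as described; an analyst who wants that pattern covered would need a separate selection, at the cost of more false positives from legitimate installers that unpack into /tmp.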
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • Script
  • Process
Created: 2023-06-02