Copy Passwd Or Shadow From TMP Path

Sigma Rules

Summary
This detection rule identifies instances where sensitive files, specifically 'passwd' or 'shadow', are copied from the temporary path ('/tmp/'). Because these files hold critical user account information and password hashes on Linux systems, monitoring their movement is crucial for preventing unauthorized access and maintaining system integrity. The rule uses process creation events captured from logs to detect the command line parameters associated with file copying operations. Specifically, it looks for a command line that contains both the keywords identifying the files being copied and the '/tmp/' directory. When a process execution meets all specified conditions (the use of 'cp' on the command line together with the suspicious paths and files), it generates a detection alert that can signify potential malicious activity related to credential access. The high severity level reflects the importance of this rule in safeguarding Linux environments from attacks targeting sensitive information.
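The following is an added illustration, not the Sigma rule's own YAML or any code from the rule's authors: it reconstructs the conditions the summary describes (a 'cp' process, '/tmp/' on the command line, and 'passwd' or 'shadow' as keywords) as a small Python matcher and runs it over constructed process-creation events. The field names `Image` and `CommandLine`, the sample events, and the stricter path-aware variant are all assumptions made for this example.

```python
"""Toy matcher for the process-creation logic described in the summary.

Assumption: events are dicts with Sigma-style process_creation fields
(`Image`, `CommandLine`). The conditions below are reconstructed from the
prose summary, not copied from the rule's YAML.
"""
import os
import shlex
from typing import Callable, Dict, List

SENSITIVE_FILES = ("passwd", "shadow")
TMP_PATH = "/tmp/"


def split_args(command_line: str) -> List[str]:
    """Split a command line into arguments, tolerating unbalanced quotes."""
    try:
        return shlex.split(command_line)
    except ValueError:
        return command_line.split()


def is_cp(event: Dict[str, str]) -> bool:
    """True when the executed image is 'cp' (e.g. /bin/cp, /usr/bin/cp)."""
    image = event.get("Image", "")
    return image == "cp" or image.endswith("/cp")


def matches_loose(event: Dict[str, str]) -> bool:
    """Keyword-style match as the summary describes it:
    a 'cp' process whose command line mentions '/tmp/' and 'passwd'/'shadow'
    anywhere. Simple, but any file name containing those words will fire."""
    cmd = event.get("CommandLine", "")
    if not is_cp(event) or TMP_PATH not in cmd:
        return False
    return any(name in cmd for name in SENSITIVE_FILES)


def matches_strict(event: Dict[str, str]) -> bool:
    """Path-aware variant (assumption, not the rule's logic): require a
    'cp' argument that lives under /tmp/ AND whose basename is exactly
    'passwd' or 'shadow'. Fewer false positives, but it will not see a
    renamed copy such as /tmp/shadow.bak."""
    if not is_cp(event):
        return False
    for arg in split_args(event.get("CommandLine", ""))[1:]:
        if arg.startswith(TMP_PATH) and os.path.basename(arg) in SENSITIVE_FILES:
            return True
    return False


def run(events: List[Dict[str, str]],
        matcher: Callable[[Dict[str, str]], bool]) -> List[str]:
    """Return the command lines of every event the matcher flags."""
    return [e["CommandLine"] for e in events if matcher(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/cp", "CommandLine": "cp /tmp/passwd /etc/passwd"},
    {"Image": "/bin/cp", "CommandLine": "cp /tmp/.x/shadow /etc/shadow"},
    {"Image": "/usr/bin/cp", "CommandLine": "cp /home/dev/passwd_policy.txt /tmp/"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/passwd"},
    {"Image": "/usr/bin/cp", "CommandLine": "cp /tmp/build.log /var/log/build.log"},
    {"Image": "/usr/bin/cp", "CommandLine": "cp /etc/shadow /tmp/shadow.bak"},
]

if __name__ == "__main__":
    for name, matcher in (("loose", matches_loose), ("strict", matches_strict)):
        print(f"[{name}]")
        for cmd in run(SAMPLE_EVENTS, matcher):
            print("  ALERT:", cmd)
```

Running both matchers over the samples shows the trade-off an analyst tuning this rule faces: the loose keyword match fires on the benign `passwd_policy.txt` copy but also catches `/etc/shadow` being staged as `/tmp/shadow.bak`, whereas the strict variant drops the false positive and the renamed copy alike. Whichever form is deployed, the alert is only as good as the process-creation logging feeding it (auditd execve records or an EDR sensor), so confirm that `cp` invocations with full command lines are actually being collected before relying on it.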
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2023-01-31