Temporary File Executed from Public Folder

Anvilogic Forge

Summary
This detection rule identifies the execution of binaries from temporary directories in a pattern associated with the RomCom remote access trojan (RAT). Threat actors often use distinctive methods to execute malicious code; one of them is placing executable files with the `.tmp` extension in Windows Temp directories, specifically under the `C:\Users\Public` path. The rule triggers when a process launched from one of these Temp directories has a parent process that resides in the Public folder, which suggests malicious use of shared resources. The detection logic uses Sysmon event data indexed in Splunk to monitor for these file and process behaviours, applying regex matches to both the temporary file path and the parent process path. This rule is associated with the threat actor group UNC5812 and covers techniques related to ingress tool transfer (T1105) and lateral movement (T1080).
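As an added illustration (not the Forge rule's own SPL), the following Python applies the two conditions described above to constructed Sysmon process-creation records. The field names follow Sysmon's Event ID 1 schema; the regex patterns and the sample paths are my own approximation of the rule's matching, not taken from the rule.

```python
import re
from typing import Dict, List

# Two conditions from the rule summary, as regexes (assumption: the Forge
# rule's actual patterns may differ):
#  1. the child image is a .tmp file sitting directly in a Temp directory
#  2. the parent image lives under the shared C:\Users\Public folder
TMP_IN_TEMP = re.compile(r"\\temp\\[^\\]+\.tmp$", re.IGNORECASE)
PARENT_IN_PUBLIC = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)

# Constructed Sysmon records; every path below is invented for illustration.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"RecordId": 1, "EventID": 1,  # both conditions hold: should alert
     "Image": r"C:\Users\Public\Temp\svc7f2.tmp",
     "ParentImage": r"C:\Users\Public\Libraries\loader.exe"},
    {"RecordId": 2, "EventID": 1,  # benign installer: .tmp in Temp, parent not in Public
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup_1a2b.tmp",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe"},
    {"RecordId": 3, "EventID": 1,  # parent in Public, but child is an ordinary .exe
     "Image": r"C:\Windows\Temp\cleanup.exe",
     "ParentImage": r"C:\Users\Public\tool.exe"},
    {"RecordId": 4, "EventID": 11,  # FileCreate event, not process creation: ignored
     "Image": r"C:\Users\Public\Temp\drop.tmp",
     "ParentImage": r"C:\Users\Public\tool.exe"},
]


def is_suspicious(event: Dict[str, object]) -> bool:
    """True when a process-creation event matches both rule conditions."""
    if event.get("EventID") != 1:
        return False
    image = str(event.get("Image", ""))
    parent = str(event.get("ParentImage", ""))
    # The parent-in-Public check is what keeps ordinary installers (record 2)
    # from firing; .tmp executables in Temp alone are too common to alert on.
    return bool(TMP_IN_TEMP.search(image)) and bool(PARENT_IN_PUBLIC.match(parent))


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that would raise this detection."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT record={hit['RecordId']} image={hit['Image']} parent={hit['ParentImage']}")
```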
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1105
  • T1080
Created: 2024-02-09