Scheduled Cron Task/Job - Linux

Sigma Rules

Summary
This detection rule targets misuse of the cron utility on Linux systems, specifically tasks scheduled to execute malicious code. The rule identifies crontab jobs that reference files located in the '/tmp/' directory, a world-writable location that attackers commonly use to stage scripts or binaries with little scrutiny. It monitors process-creation events whose image is the crontab binary and flags any command line that contains a reference to '/tmp/'. The intent is to uncover persistence mechanisms in which a threat actor uses the cron scheduler to launch malicious activity either once or on a recurring basis. The rule aids in recognizing unauthorized scheduling of tasks, particularly when they deviate from normal administrative usage patterns, so administrators who legitimately load crontabs from '/tmp/' should be accounted for when tuning it.
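The matching logic described above, expressed as an added Python example that is not the rule's own YAML or any SigmaHQ code; it assumes process-creation events carry the Sigma fields Image and CommandLine (mapped here to `image` and `command_line`) and that the sample events are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample event type; field names mirror the Sigma
# process_creation log source (Image -> image, CommandLine -> command_line).
@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str

def matches_cron_tmp_rule(event: ProcessEvent) -> bool:
    """Return True when the event fits the rule summarised above:
    the process image is crontab (Sigma 'endswith') and the command
    line references /tmp/ (Sigma 'contains'). Sigma string matching
    is case-insensitive by default, so both sides are lower-cased."""
    image_is_crontab = event.image.lower().endswith("/crontab")
    references_tmp = "/tmp/" in event.command_line.lower()
    return image_is_crontab and references_tmp

def find_matches(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Run the rule over a batch of events and return the hits."""
    return [e for e in events if matches_cron_tmp_rule(e)]

# Constructed events: two should fire, three should not.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/crontab", "crontab /tmp/.cache/jobs.cron"),   # hit
    ProcessEvent("/usr/bin/crontab", "crontab -l"),                       # listing only
    ProcessEvent("/usr/bin/crontab", "crontab -u backup /TMP/backup.cron"),  # hit (case-insensitive)
    ProcessEvent("/bin/bash", "bash /tmp/setup.sh"),                      # not crontab
    ProcessEvent("/usr/bin/crontab", "crontab /home/admin/jobs.cron"),    # admin path, no /tmp/
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT T1053.003: {hit.image} {hit.command_line}")
```

The third sample shows why admin usage needs review: the rule fires on any crontab load from /tmp/, so legitimate backup or deployment scripts that stage a crontab there will also match.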
Categories
  • Linux
  • Infrastructure
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1053.003
Created: 2020-10-06