
Suspicious Nohup Execution

Sigma Rules

Summary
This detection rule identifies suspicious execution of binaries from dubious locations via the 'nohup' command on Linux systems. It monitors process creation events in which the 'nohup' utility is invoked with a command line that contains '/tmp/'. The combination is a strong indicator of malware or other unauthorized activity: '/tmp/' is often used for temporary storage and execution of malicious scripts without the user's knowledge, and nohup is used to keep a command running after the user logs out, so its use from such a non-standard location raises significant security concerns. Process creation logs are the rule's primary data source and give security analysts insight into potentially malicious activity in near real time. The rule leverages high-level threat indicators, which elevates its importance in the context of Linux security and system integrity monitoring.
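The matching logic described above, run over a handful of constructed process-creation events. This is an added illustration, not the rule's own source; the field names (Image, CommandLine), the basename check on the image and the sample events are assumptions.

```python
import os
from typing import Dict, List

# Constructed sample process-creation events (Sysmon-for-Linux style
# field names are assumed). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # direct nohup of a script staged in /tmp -> should match
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup /tmp/update.sh &"},
    # nohup of a script in a normal application path -> benign
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup /opt/app/worker.sh"},
    # /tmp/ script run without nohup -> outside this rule's scope
    {"Image": "/usr/bin/bash", "CommandLine": "bash /tmp/setup.sh"},
    # nohup wrapping a shell whose arguments reference /tmp -> should match
    {"Image": "/usr/bin/nohup",
     "CommandLine": "nohup bash -c 'cd /tmp/.x && ./run'"},
    # nohup of a user-owned job outside /tmp -> benign
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup python3 /home/user/job.py"},
]


def is_suspicious_nohup(event: Dict[str, str]) -> bool:
    """True when the launched image is nohup AND its command line
    references /tmp/, as the rule summary describes."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return os.path.basename(image) == "nohup" and "/tmp/" in cmdline


def find_matches(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events the detection fires on."""
    return [e["CommandLine"] for e in events if is_suspicious_nohup(e)]


if __name__ == "__main__":
    for line in find_matches(SAMPLE_EVENTS):
        print("ALERT suspicious nohup execution:", line)
```

The third sample shows the rule's scope: a /tmp/ script launched without nohup is not covered here and would need a separate detection.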
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • Application Log
Created: 2023-06-02