Shell Execution Of Process Located In Tmp Directory

Sigma Rules

Summary
This rule detects shells spawned by processes that run from the temporary directory (/tmp) on Linux systems. The detection logic matches process-creation events whose parent image path starts with '/tmp/' and whose child image is a common shell executable (bash, csh, dash, fish, ksh, sh or zsh), behaviour associated with malware such as GobRAT. Such executions can indicate an attacker establishing a foothold or running arbitrary commands on a compromised host, which is why the rule carries a high severity level. The referenced sources are reports and analyses of the GobRAT malware and provide the context for the detection criteria. Because temporary directories are commonly used to stage and execute payloads, this rule is a useful guard against shell-based activity originating from non-standard locations.
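To make the matching logic concrete, here is an added example (not the rule's own code) that evaluates the described conditions over constructed process-creation events. The field names ParentImage and Image follow the Sigma process_creation convention; the sample values are made up, and matching the shell by path basename is one way to express "image corresponds to a shell executable".

```python
# Added example: a minimal evaluator for the detection logic described above.
# Field names follow the Sigma process_creation convention (ParentImage, Image);
# all event values below are constructed for illustration.
import os
from typing import Iterable, List

# Shell executables named by the rule description.
SHELLS = {"bash", "csh", "dash", "fish", "ksh", "sh", "zsh"}
TMP_PREFIX = "/tmp/"


def is_tmp_spawned_shell(event: dict) -> bool:
    """Return True when the event matches the rule: the parent image lives
    under /tmp/ and the child image is one of the common shells."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    # The prefix check includes the trailing slash so that paths such as
    # /tmpfs/... do not match by accident.
    return parent.startswith(TMP_PREFIX) and os.path.basename(image) in SHELLS


def find_matches(events: Iterable[dict]) -> List[dict]:
    """Filter a stream of process-creation events down to rule hits."""
    return [e for e in events if is_tmp_spawned_shell(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": "/tmp/.x/loader", "Image": "/bin/sh", "CommandLine": "sh -c id"},
    {"ParentImage": "/usr/bin/sshd", "Image": "/bin/bash", "CommandLine": "bash"},
    {"ParentImage": "/tmp/build/configure", "Image": "/usr/bin/grep", "CommandLine": "grep x"},
    {"ParentImage": "/tmp/installer.run", "Image": "/usr/bin/zsh", "CommandLine": "zsh setup.sh"},
    {"ParentImage": "/tmpfs/app", "Image": "/bin/sh", "CommandLine": "sh"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```

Note that legitimate installers or build scripts executed from /tmp (the fourth sample event) also satisfy the conditions, so expect to tune the rule with environment-specific exclusions rather than treating every hit as malicious.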
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
Created: 2023-06-02