Update execution_shell_evasion_linux_binary.toml

Samirbous · Samirbous · commit 0de9f192146a · 2025-12-11T13:43:58.000Z
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -181,7 +181,7 @@ process where host.os.type == "linux" and event.type == "start" and process.exec
   (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not
    process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox" and not (process.parent.args == "init" and
    process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch") and not process.parent.name == "mkinitramfs" and
-   not proces.parent.executable == "/bin/busybox") or
+   not process.parent.executable == "/bin/busybox") or
   (process.name == "env" and process.args_count == 2 and process.args : "*sh") or
   (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or
   (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or
