Update rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

Co-authored-by: Ruben Groenewoud <[email protected]>

Author: Samirbous

rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

@@ -77,7 +77,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and (
+process where event.type == "start" and event.action != "fork" and (
     process.name in (
       "sh", "bash", "zsh", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe", "java", "rundll32.exe", "wget.exe", "certutil.exe",
       "nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "socat", "busybox", "mkfifo", "nohup", "setsid", "xterm"