Update initial_access_execution_susp_react_serv_child.toml

Author: Samirbous

rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

@@ -80,7 +80,8 @@ query = '''
 process where event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
 process.name in ("sh", "bash", "zsh", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe") and
 (
- process.working_directory : ("*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or
+ ?process.working_directory : ("*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or
+ 
  (process.parent.name in ("node", "bun", "node.exe", "bun.exe") and
   process.parent.command_line : ("*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*next start*", "*next dev*", "*react-scripts start*", "*next/dist/server*"))
  )