Update execution_unusual_kthreadd_execution.toml

Aegrah · web-flow · commit e2da0b35e261 · 2025-04-30T14:36:41.000+02:00
diff --git a/rules/linux/execution_unusual_kthreadd_execution.toml b/rules/linux/execution_unusual_kthreadd_execution.toml
@@ -60,8 +60,8 @@ host.os.type:linux and event.category:process and event.type:start and event.act
   process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish or whoami or curl or wget or id or nohup or setsid) 
   ) and
   process.command_line:(
-    *cron* or */etc/rc.local* or */dev/tcp/* or */etc/init.d* or */etc/ld.so* or */etc/sudoers* or *base64 * or */etc/profile* or
-    */dev/shm/* or */etc/ssh* or */home/*/.ssh/* or */root/.ssh* or *~/.ssh/* or *xxd * or */etc/shadow* or */tmp/* or
+    *cron* or */etc/rc.local* or */dev/tcp/* or */etc/init.d* or */etc/ld.so* or */etc/sudoers* or *base64* or */etc/profile* or
+    */dev/shm/* or */etc/ssh* or */home/*/.ssh/* or */root/.ssh* or *~/.ssh/* or *xxd* or */etc/shadow* or */tmp/* or
     */var/tmp/* or */var/www/* or */var/log/* or */var/run/*
   ) and not (
     process.name:(dpkg or true or flock or uname or mount or umount or cifs.upcall or touch or gdbus or grep or getopt) or
