Use p0_cmd instead of p0.cmdline

2025-01-18 11:30:45 +00:00 · 2023-03-17 06:37:18 -04:00 · 2023-03-17 06:37:18 -04:00 · 2bfd736d37
commit 2bfd736d37
parent 7ee331b399
1 changed files with 1 additions and 1 deletions
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -107,7 +107,7 @@ WHERE
    OR p0_cmd LIKE '%iptables -P % ACCEPT%'
    OR p0_cmd LIKE '%iptables -F%'
    OR p0_cmd LIKE '%chattr -i%'
-    OR p0.cmdline LIKE '%dd if=/dev/%'
+    OR p0_cmd LIKE '%dd if=/dev/%'
    OR p0_cmd LIKE '%cat /dev/null >%'
    OR p0_cmd LIKE '%truncate -s0 %'
    OR (