From 2bfd736d371883ea9904bae3dca4c21888be31c1 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 17 Mar 2023 06:37:18 -0400
Subject: [PATCH] Use p0_cmd instead of p0.cmdline
---
 detection/execution/exotic-command-events-linux.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index c712c58..e58a45e 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -107,7 +107,7 @@ WHERE
 OR p0_cmd LIKE '%iptables -P % ACCEPT%'
 OR p0_cmd LIKE '%iptables -F%'
 OR p0_cmd LIKE '%chattr -i%'
- OR p0.cmdline LIKE '%dd if=/dev/%'
+ OR p0_cmd LIKE '%dd if=/dev/%'
 OR p0_cmd LIKE '%cat /dev/null >%'
 OR p0_cmd LIKE '%truncate -s0 %'
 OR (
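Review bot: The `'%dd if=/dev/%'` pattern on the changed line depends on `if=` being the first operand after `dd` and on exactly one space between them, so the same command with another operand first is not covered by this predicate. It also matches routine reads from pseudo-devices such as `/dev/zero` and `/dev/urandom`, which will need an exclusion unless one already exists further down the query. The WHERE clause starts and ends outside this hunk, so I cannot see that part. If the broader match is acceptable, `OR p0_cmd LIKE '%dd %if=/dev/%'` closes the ordering gap. A short comment above it, such as `-- dd reading from a device node: raw disk copy or wipe source`, would record the intent. It would also help to note next to the definition of `p0_cmd` (not visible here) why it is preferred over `p0.cmdline`, so that the column reference does not drift back.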