Update linux_suspicious_react_or_next_js_child_process.yml

nasbench · nasbench · commit 8436bf446fbe · 2025-12-08T13:00:02.000+01:00
diff --git a/detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml b/detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml
@@ -50,6 +50,14 @@ search: |
           Processes.process_name IN ("curl", "wget")
           Processes.process = "*|*"
         )
+        OR (
+          Processes.process_name IN (
+            "bash",
+            "dash",
+            "sh"
+          )
+          NOT Processes.process = "*-c*"
+        )
         OR (
           Processes.process_name IN (
             "bash",
