Update defense_evasion_deletion_of_bash_command_line_history.toml (el…

…astic#3614) * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update defense_evasion_deletion_of_bash_command_line_history.toml --------- Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Mika Ayenson <[email protected]>
shashank-elastic · Jul 5, 2024 · 1d57e0c · 1d57e0c
1 parent 64f0e25
commit 1d57e0c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/05"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte
     (process.args : "truncate" and process.args : "-s0"))
     and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
                         ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
-  (process.name : "history" and process.args : "-c") or
+  (process.args : "history" and process.args : "-c") or
   (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
   (process.args : "unset" and process.args : "HISTFILE") or
   (process.args : "set" and process.args : "history" and process.args : "+o")