From 3057a306c3a300e0dce11cbbc082852bd677cb55 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Tue, 15 Aug 2023 16:57:29 +0200
Subject: [PATCH] Update audit.rules

---
 audit.rules | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/audit.rules b/audit.rules
index 03ed184..be82c2d 100644
--- a/audit.rules
+++ b/audit.rules
@@ -417,6 +417,10 @@
 -w /bin/open -p x -k susp_shell
 -w /bin/rbash -p x -k susp_shell
 
+### https://gtfobins.github.io/gtfobins/wish/
+-w /bin/wish -p x -k susp_shell
+-w /usr/bin/wish -p x -k susp_shell
+
 # Web Server Actvity
 ## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
 -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
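Review bot: The two added watches on `/bin/wish` and `/usr/bin/wish` match only those exact path names, but on many distributions `wish` is a symlink (often managed by alternatives) to a versioned binary such as `wishX.Y`. As far as I know a `-w` watch is attached to the named object and does not follow symlinks, so executions on such hosts may go unlogged, and a direct call to the versioned name is not covered either way. I would add a comment in the style of the web-server note below, e.g. `## wish is often a symlink to a versioned binary; add a watch for the resolved path on your system (readlink -f /usr/bin/wish)`. It is also worth confirming that the rule file is loaded in a mode that tolerates missing paths, since hosts without Tk installed will have neither file; that setting is not visible in this hunk.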