From fe72dbf62ffacfdd4c3917a5acee97cde4b4ac0f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 22 Jun 2022 07:04:30 +0200
Subject: [PATCH] Update proc_creation_lnx_susp_history_delete.yml
---
 .../proc_creation_lnx_susp_history_delete.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
index 1b720a2d6..e0035cf2d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
@@ -13,7 +13,9 @@ detection:
 selection:
 Image|endswith: '/rm'
 selection_history:
- - CommandLine|contains: '/.bash_history'
+ - CommandLine|contains:
+ - '/.bash_history'
+ - '/.zsh_history
 - CommandLine|endswith: '_history'
 condition: all of selection*
 falsepositives:
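Review bot: The new list entry `- '/.zsh_history` has no closing single quote, so the quoted scalar runs on into the following `- CommandLine|endswith: '_history'` line and the rule will most likely fail to parse. A rule that does not load is silently dropped by most converters and backends, which would remove the existing `.bash_history` coverage as well as the zsh coverage this commit adds. The line should read `- '/.zsh_history'`. Since the `_history` suffix match already covers commands that end in the file name, a short comment such as `# 'contains' catches history paths followed by further arguments` would make the purpose of the list explicit. The rule continues outside this hunk, so the rest of the file should be run through a YAML/Sigma lint before merging.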