diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
index 9ff8357d330..bfb7916cda2 100644
--- a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
+++ b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2025/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and event.action in ("exec", "executed", "start", "process_started") and (
     process.name in (
-      "sh", "bash", "zsh", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe", "java", "rundll32.exe", "wget.exe", "certutil.exe",
+      "sh", "bash", "zsh", "dash", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe", "java", "rundll32.exe", "wget.exe", "certutil.exe",
       "nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "socat", "busybox", "mkfifo", "nohup", "setsid", "xterm"
     ) or
     (process.name : "python*" and process.args : "-c" and process.args : (