diff --git a/audit.rules b/audit.rules
index 03ed184..5d2edbe 100644
--- a/audit.rules
+++ b/audit.rules
@@ -407,7 +407,11 @@
 -w /usr/bin/pkexec -p x -k pkexec
 
 ## Suspicious shells
+
+### https://gtfobins.github.io/gtfobins/ash/
 -w /bin/ash -p x -k susp_shell
+-w /usr/bin/ash -p x -k susp_shell
+
 -w /bin/csh -p x -k susp_shell
 -w /bin/fish -p x -k susp_shell
 -w /bin/tcsh -p x -k susp_shell
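Review bot: Only ash gains a `/usr/bin` watch here; the `csh`, `fish` and `tcsh` rules directly below still cover `/bin` only, so on a host where those shells live under `/usr/bin` without a `/bin` alias their executions would not be tagged `susp_shell`. If that is the gap being closed for ash, the same pairing applies to the others: `-w /usr/bin/csh -p x -k susp_shell`, `-w /usr/bin/fish -p x -k susp_shell`, `-w /usr/bin/tcsh -p x -k susp_shell` (unless lines outside this hunk already add them). The blank line added after the ash pair also leaves the remaining shells without a heading or reference of their own; a short comment such as `### Other shells` above them would keep the section readable. Where ash is a symlink to a multi-call binary such as busybox, it is worth confirming on a test host that the `-p x` watch on the link path actually produces an event.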