diff --git a/audit.rules b/audit.rules
index 03ed184..be82c2d 100644
--- a/audit.rules
+++ b/audit.rules
@@ -417,6 +417,10 @@
 -w /bin/open -p x -k susp_shell
 -w /bin/rbash -p x -k susp_shell
 
+### https://gtfobins.github.io/gtfobins/wish/
+-w /bin/wish -p x -k susp_shell
+-w /usr/bin/wish -p x -k susp_shell
+
 # Web Server Actvity
 ## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
 -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
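Review bot: The two added watches cover only the unversioned paths `/bin/wish` and `/usr/bin/wish`, which on many distributions are symlinks to a versioned interpreter such as `wish8.6`. Running the versioned binary by its own name may not match a watch placed on the symlink path, so the `susp_shell` key could miss that execution; this is worth confirming on a target host with `ls -l /usr/bin/wish*` and `ausearch -k susp_shell`. If the gap is real, add one watch per installed version next to these lines, for example `-w /usr/bin/wish8.6 -p x -k susp_shell` (the version number is an example, adjust it to what is installed). A short comment above the block saying that versioned names need their own entries would help whoever adapts the rules to another host.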