diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0070144c..1e624612 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2126,7 +2126,8 @@
   condition: >
     spawned_process and container and
     ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
-     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec"))
+     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e "
+     or proc.args contains "-c " or proc.args contains "--lua-exec"))
     )
   output: >
     Netcat runs inside container that allows remote code execution (user=%user.name
@@ -2163,7 +2164,7 @@
   tags: [network, process, mitre_discovery, mitre_exfiltration]
 
- list: grep_binaries
-  items: [grep, egre, fgrep]
+  items: [grep, egrep, fgrep]
 
- macro: grep_commands
   condition: (proc.name in (grep_binaries))
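Review bot: The new ncat branch matches `"-e "` and `"-c "` with a trailing space, while the nc branch on the context line directly above matches `"-e"` and `"-c"` without one, so the two halves of the same condition now apply different tests to the same short options. The trailing-space form only fires when the option is followed by a space, so it does not cover the flag appearing as the last token of proc.args or with its value attached directly to the flag, which getopt-style parsers accept; the nc branch has neither gap. Unless the space was added deliberately to avoid a known false positive, I would align the ncat terms with the existing nc terms: `proc.args contains "-e" or proc.args contains "-c" or proc.args contains "--lua-exec"`. If the space is intentional, a short `#` comment on the rule stating which argument pattern it is meant to exclude would keep the next editor from "fixing" it. The enclosing `- rule:` definition starts before the hunk and its `output:` continues past it.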