mirror of
https://github.com/nganhkhoa/malware.git
synced 2024-06-10 21:32:07 +07:00
Update detecting_ph_process.md
This commit is contained in:
parent
babf0fe8ba
commit
7538cc3398
@ -139,7 +139,7 @@ PS> eqllib query -f my-sysmon-data.json --source "Microsoft Sysmon" $eql | Conv
|
|||||||
```
|
```
|
||||||
eqllib query -f my-sysmon-data.json --source "Microsoft Sysmon" "process where pid=7356"
|
eqllib query -f my-sysmon-data.json --source "Microsoft Sysmon" "process where pid=7356"
|
||||||
```
|
```
|
||||||
![](https://github.com/mether049/malware/blob/master/Trickbot/img/Identification%20of%20Hollowed%20out%20processes/eql1.PNG)
|
![](https://github.com/mether049/malware/blob/master/Trickbot/img/Identification%20of%20Hollowed%20out%20processes/eql2.PNG?raw=true)
|
||||||
|
|
||||||
```
|
```
|
||||||
eqllib query -f my-sysmon-data.json --source "Microsoft Sysmon" "process where pid=11228"
|
eqllib query -f my-sysmon-data.json --source "Microsoft Sysmon" "process where pid=11228"
|
||||||
|
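Review bot: the image line of this hunk changes two things at once, the screenshot file (`eql1.PNG` becomes `eql2.PNG`) and the appended `?raw=true`, and the commit message "Update detecting_ph_process.md" explains neither. The `?raw=true` part is a real fix: a `https://github.com/.../blob/...` URL without it returns GitHub's HTML file view rather than the PNG, so the image renders broken anywhere but github.com. The `eql1` to `eql2` swap, however, changes which screenshot follows the `"process where pid=7356"` query, which is a content correction rather than a link fix and deserves a sentence in the commit message (or its own commit) so a reader of the history knows the earlier page showed the wrong screenshot. One further suggestion: both the old and the new link are absolute URLs into `mether049/malware`, while this copy lives at `nganhkhoa/malware`; a repository-relative path such as `Trickbot/img/Identification%20of%20Hollowed%20out%20processes/eql2.PNG` would resolve in every mirror and fork without depending on the upstream repository name.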