diff --git a/malware-analysis_ref_and_memo.md b/malware-analysis_ref_and_memo.md
index 6e10aa1..f50d3fe 100644
--- a/malware-analysis_ref_and_memo.md
+++ b/malware-analysis_ref_and_memo.md
@@ -159,6 +159,14 @@ DFIR,マルウェア解析，OSINTに特化したUbuntuベースのディスト
  
 ### Threat hunting
 - **EQL**
+	- cheet sheet
+		```
+		- maldoc -> command,script
+		process where
+ 		parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
+		and process_name in ("powershell.exe", "cscript.exe",
+ 		"wscript.exe", "cmd.exe")
+		```
 
 ### .NET analysis
 - **[dnspy](https://github.com/0xd4d/dnSpy)<br>**