From de2ff988eee7a0dfddc9ba5bb6d5617acd32114a Mon Sep 17 00:00:00 2001 From: mether049 Date: Fri, 20 Mar 2020 14:59:22 +0900 Subject: [PATCH] Update malware-analysis_ref_and_memo.md --- malware-analysis_ref_and_memo.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/malware-analysis_ref_and_memo.md b/malware-analysis_ref_and_memo.md index 6e10aa1..f50d3fe 100644 --- a/malware-analysis_ref_and_memo.md +++ b/malware-analysis_ref_and_memo.md @@ -159,6 +159,14 @@ DFIR,マルウェア解析,OSINTに特化したUbuntuベースのディスト ### Threat hunting - **EQL** + - cheet sheet + ``` + - maldoc -> command,script + process where + parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe") + and process_name in ("powershell.exe", "cscript.exe", + "wscript.exe", "cmd.exe") + ``` ### .NET analysis - **[dnspy](https://github.com/0xd4d/dnSpy)
**
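Review bot: "cheet sheet" in the first added line should be "cheat sheet". Two smaller points in the same hunk: the opening fence is untagged, so the EQL query gets no syntax highlighting and tools cannot tell it apart from plain text; and the first line inside the fence, "- maldoc -> command,script", is a markdown list item rather than part of the query, so it would read better as a bullet above the fence (or as a comment, if the target EQL dialect supports one) describing what the query detects: Office parent processes (winword.exe, excel.exe, powerpnt.exe) spawning script or shell interpreters (powershell.exe, cscript.exe, wscript.exe, cmd.exe). Consider "```eql" for the fence and moving the description out of the code block.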