Update malware-analysis_ref_and_memo.md

2024-06-10 21:32:07 +07:00 · 2020-03-20 14:59:22 +09:00 · 2020-03-20 14:59:22 +09:00 · de2ff988ee
commit de2ff988ee
parent d974d0f3f3
1 changed files with 8 additions and 0 deletions
--- a/malware-analysis_ref_and_memo.md
+++ b/malware-analysis_ref_and_memo.md
@ -159,6 +159,14 @@ DFIR,マルウェア解析，OSINTに特化したUbuntuベースのディスト
 
 ### Threat hunting
 - **EQL**
+	- cheet sheet
+		```
+		- maldoc -> command,script
+		process where
+ 		parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
+		and process_name in ("powershell.exe", "cscript.exe",
+ 		"wscript.exe", "cmd.exe")
+		```

 ### .NET analysis
 - **[dnspy](https://github.com/0xd4d/dnSpy)<br>**