Ruleset
Felix Bauer edited this page May 27, 2020
There are two ways to arrive at a new Peekaboo rule. The first starts from a gap in detection coverage and works towards a signature:

- Identify the gap in the Cyber Kill Chain (https://de.wikipedia.org/wiki/Cyber_Kill_Chain)
- Determine the attack technique in the MITRE ATT&CK matrix (https://attack.mitre.org/), e.g. Execution: PowerShell (T1086; MITRE has since retired this ID in favour of the sub-technique T1059.001, Command and Scripting Interpreter: PowerShell)
- Search for a signature covering that technique in the Cuckoo Sandbox community repository (https://github.com/cuckoosandbox/community/search?q=T1086&unscoped_q=T1086)
- or in the community repository of a different analyser, e.g. CAPE (https://github.com/kevoreilly/community/search?q=T1086&unscoped_q=T1086)
- Define the expression rule in Peekaboo that keys on the signature

The second starts from a sample that has already been caught and works towards the technique:

- Malware has been found somewhere
- The sample is available
- Analyse the sample with the desired analyser
- Evaluate the report manually
- Extract IoCs and methodologies (the techniques used)
- Define the expression rule in Peekaboo
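Both workflows end with a draft rule that should be tested against known-bad and known-good reports before it is deployed. The following added example (not Peekaboo's or Cuckoo's own code) does that dry run in Python: it lists which fired signatures in a Cuckoo report carry a given ATT&CK technique ID, expresses a draft rule as a condition with a verdict in the spirit of a Peekaboo ruleset, and evaluates it against a malicious and a benign report. The report field layout (`info.score`, `signatures[].name/description/severity/ttp`) follows Cuckoo's `report.json`, but both reports, the signature names and the rule thresholds are constructed for this example; the `Rule`, `evaluate` and `dry_run` helpers are not a Peekaboo API.

```python
"""Dry-run a draft Peekaboo-style expression rule against Cuckoo reports.

Added example; not Peekaboo's or Cuckoo's own code. The report layout
(info.score, signatures[].name/description/severity/ttp) follows Cuckoo's
report.json, but both reports below are constructed for this example, and
the rule shape (condition -> verdict) only mirrors how a ruleset is read.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed report: a macro document that spawns PowerShell (ATT&CK T1086).
REPORT_MALICIOUS = json.loads(r"""
{
  "info": {"score": 7.8},
  "target": {"file": {"name": "invoice.docm"}},
  "signatures": [
    {"name": "office_vba_macro", "severity": 2,
     "description": "The office file contains a VBA macro", "ttp": {}},
    {"name": "powershell_command_suspicious", "severity": 3,
     "description": "Creates a suspicious Powershell process",
     "ttp": {"T1086": "PowerShell"}}
  ]
}
""")

# Constructed report: a benign document that only trips a low-severity
# signature; used to check the draft rule for false positives.
REPORT_BENIGN = json.loads(r"""
{
  "info": {"score": 1.2},
  "target": {"file": {"name": "agenda.docx"}},
  "signatures": [
    {"name": "office_vba_macro", "severity": 2,
     "description": "The office file contains a VBA macro", "ttp": {}}
  ]
}
""")


@dataclass
class CuckooReport:
    """The subset of a Cuckoo report that a rule condition looks at."""
    score: float
    signature_names: List[str]
    signature_descriptions: List[str]
    ttps: Set[str]


def load_report(raw: dict) -> CuckooReport:
    sigs = raw.get("signatures", [])
    return CuckooReport(
        score=float(raw.get("info", {}).get("score", 0.0)),
        signature_names=[s.get("name", "") for s in sigs],
        signature_descriptions=[s.get("description", "") for s in sigs],
        ttps={t for s in sigs for t in (s.get("ttp") or {})},
    )


def signatures_for_ttp(raw: dict, technique_id: str) -> List[str]:
    """'Search for a signature': names of fired signatures tagged with this technique."""
    return [s["name"] for s in raw.get("signatures", [])
            if technique_id in (s.get("ttp") or {})]


@dataclass
class Rule:
    name: str
    condition: Callable[[CuckooReport], bool]
    verdict: str  # e.g. "bad", "good" or "ignore"


def evaluate(rules: List[Rule], report: CuckooReport) -> Optional[Tuple[str, str]]:
    """First matching rule decides, as in an ordered ruleset; None if nothing matches."""
    for rule in rules:
        if rule.condition(report):
            return rule.name, rule.verdict
    return None


# Draft rules for the technique: the ATT&CK tag where the signature carries
# one, a description regex as fallback for signatures that do not, both gated
# on the sandbox score so a lone low-confidence hit does not convict a sample.
DRAFT_RULES = [
    Rule("t1086_powershell_tag",
         lambda r: "T1086" in r.ttps and r.score >= 4.0, "bad"),
    Rule("powershell_in_description",
         lambda r: r.score >= 4.0 and any(re.search(r"powershell", d, re.I)
                                          for d in r.signature_descriptions),
         "bad"),
]


def dry_run(rules: List[Rule], raw_reports: dict) -> dict:
    """Apply the draft ruleset to labelled reports and return each verdict."""
    return {label: evaluate(rules, load_report(raw)) for label, raw in raw_reports.items()}


if __name__ == "__main__":
    print("signatures for T1086:", signatures_for_ttp(REPORT_MALICIOUS, "T1086"))
    results = dry_run(DRAFT_RULES, {"malicious": REPORT_MALICIOUS, "benign": REPORT_BENIGN})
    for label, result in results.items():
        print(f"{label}: {result}")
```

The malicious report is caught by the first rule via the technique tag, the benign one matches nothing, so the draft does not misfire on a plain macro document. Once the condition behaves on a set of real reports it can be carried over into the expression in Peekaboo's ruleset configuration; the score threshold and the regex fallback are the parts most worth re-checking against your own analyser's signatures.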