From f53670e33391a1c43fe49c11f085254662cfc75c Mon Sep 17 00:00:00 2001
From: mether049 <cstt17009@g.nihon-u.ac.jp>
Date: Fri, 20 Mar 2020 15:03:55 +0900
Subject: [PATCH] Update malware-analysis_ref_and_memo.md

---
 malware-analysis_ref_and_memo.md | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/malware-analysis_ref_and_memo.md b/malware-analysis_ref_and_memo.md
index f50d3fe..f3f82ac 100644
--- a/malware-analysis_ref_and_memo.md
+++ b/malware-analysis_ref_and_memo.md
@@ -161,11 +161,29 @@ DFIR,マルウェア解析，OSINTに特化したUbuntuベースのディスト
 - **EQL**
 	- cheet sheet
 		```
-		- maldoc -> command,script
+		# maldoc -> command,script
 		process where
  		parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
-		and process_name in ("powershell.exe", "cscript.exe",
- 		"wscript.exe", "cmd.exe")
+		and process_name in ("powershell.exe", "cscript.exe","wscript.exe", "cmd.exe")
+		
+		# Unusual Child Process
+		process where 
+		subtype.create and
+		(
+  			(process_name == 'smss.exe' and not parent_process_name in ('System', 'smss.exe')) or
+  			(process_name == 'csrss.exe' and not parent_process_name in ('smss.exe', 'svchost.exe')) or
+ 			(process_name == 'wininit.exe' and parent_process_name != 'smss.exe') or
+  			(process_name == 'winlogon.exe' and parent_process_name != 'smss.exe') or
+  			(process_name == 'lsass.exe' and parent_process_name != 'wininit.exe') or
+  			(process_name == 'LogonUI.exe' and not parent_process_name in ('winlogon.exe', 'wininit.exe')) or
+  			(process_name == 'services.exe' and parent_process_name != 'wininit.exe') or
+ 			(process_name == 'svchost.exe' and parent_process_name != 'services.exe' and
+      			not (parent_process_path == '*\\system32\\svchost.exe' and process_path ==  '*\\syswow64\\svchost.exe')) or
+  			(process_name == 'spoolsv.exe' and parent_process_name != 'services.exe') or
+ 			(process_name == 'taskhost.exe' and not parent_process_name in ('services.exe', 'svchost.exe')) or
+  			(process_name == 'taskhostw.exe' and not parent_process_name in ('services.exe', 'svchost.exe')) or
+  			(process_name == 'userinit.exe' and not parent_process_name in ('dwm.exe', 'winlogon.exe'))
+		)
 		```
 
 ### .NET analysis