Update malware-analysis_ref_and_memo.md

malware-analysis_ref_and_memo.md

@@ -161,11 +161,29 @@ DFIR,マルウェア解析，OSINTに特化したUbuntuベースのディスト
 - **EQL**
 	- cheet sheet
 		```
-		- maldoc -> command,script
+		# maldoc -> command,script
 		process where
  		parent_process_name in ("winword.exe", "excel.exe", "powerpnt.exe")
-		and process_name in ("powershell.exe", "cscript.exe",
- 		"wscript.exe", "cmd.exe")
+		and process_name in ("powershell.exe", "cscript.exe","wscript.exe", "cmd.exe")
+		
+		# Unusual Child Process
+		process where 
+		subtype.create and
+		(
+  			(process_name == 'smss.exe' and not parent_process_name in ('System', 'smss.exe')) or
+  			(process_name == 'csrss.exe' and not parent_process_name in ('smss.exe', 'svchost.exe')) or
+ 			(process_name == 'wininit.exe' and parent_process_name != 'smss.exe') or
+  			(process_name == 'winlogon.exe' and parent_process_name != 'smss.exe') or
+  			(process_name == 'lsass.exe' and parent_process_name != 'wininit.exe') or
+  			(process_name == 'LogonUI.exe' and not parent_process_name in ('winlogon.exe', 'wininit.exe')) or
+  			(process_name == 'services.exe' and parent_process_name != 'wininit.exe') or
+ 			(process_name == 'svchost.exe' and parent_process_name != 'services.exe' and
+      			not (parent_process_path == '*\\system32\\svchost.exe' and process_path ==  '*\\syswow64\\svchost.exe')) or
+  			(process_name == 'spoolsv.exe' and parent_process_name != 'services.exe') or
+ 			(process_name == 'taskhost.exe' and not parent_process_name in ('services.exe', 'svchost.exe')) or
+  			(process_name == 'taskhostw.exe' and not parent_process_name in ('services.exe', 'svchost.exe')) or
+  			(process_name == 'userinit.exe' and not parent_process_name in ('dwm.exe', 'winlogon.exe'))
+		)
 		```
 
 ### .NET analysis