expand MITRE ATT&CK technique coverage mapping

docs/MITRE_ATTACK_COVERAGE.md

@@ -5,6 +5,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 ## Process Injection (T1055)
 
 ### T1055.001 - Dynamic-link Library Injection
+
 - **Detection**: Hook-based injection detection (`hooks.rs`)
 - **Indicators**: 
   - SetWindowsHookEx API monitoring
@@ -13,6 +14,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 - **Confidence**: High (0.8-0.9)
 
 ### T1055.002 - Portable Executable Injection  
+
 - **Detection**: Shellcode pattern detection (`shellcode.rs`)
 - **Indicators**:
   - PE headers in private memory regions
@@ -21,6 +23,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 - **Confidence**: High (0.7-0.9)
 
 ### T1055.003 - Thread Execution Hijacking
+
 - **Detection**: Thread analysis (`thread.rs`, `detection.rs`)
 - **Indicators**:
   - Threads with unusual start addresses
@@ -29,6 +32,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 - **Confidence**: Medium (0.5-0.7)
 
 ### T1055.004 - Asynchronous Procedure Call
+
 - **Detection**: Memory pattern analysis
 - **Indicators**:
   - Suspicious memory layout changes
@@ -37,6 +41,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 - **Confidence**: Medium (0.4-0.6)
 
 ### T1055.012 - Process Hollowing
+
 - **Detection**: Comprehensive hollowing detection (`hollowing.rs`)
 - **Indicators**:
   - Unmapped main executable image
@@ -49,6 +54,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 ## Defense Evasion (TA0005)
 
 ### T1027 - Obfuscated Files or Information
+
 - **Detection**: Entropy analysis in shellcode detector
 - **Indicators**:
   - High entropy regions (>7.0 Shannon entropy)
@@ -56,11 +62,13 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 - **Confidence**: Medium (0.6-0.8)
 
 ### T1055 - Process Injection (General)
+
 - **Detection**: Multi-layered approach across all modules
 - **Indicators**: Combination of all injection-specific indicators
 - **Confidence**: Varies by technique
 
 ### T1036 - Masquerading
+
 - **Detection**: Process metadata analysis
 - **Indicators**:
   - Process name/path mismatches
@@ -70,6 +78,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 ## Execution (TA0002)
 
 ### T1106 - Native API
+
 - **Detection**: Memory pattern analysis, syscall indicators
 - **Indicators**:
   - Direct syscall usage patterns
@@ -77,12 +86,14 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 - **Confidence**: Medium (0.5-0.7)
 
 ### T1055 - Process Injection
+
 - **Detection**: Primary focus of Ghost detection engine
 - **Coverage**: Comprehensive across all sub-techniques
 
 ## Detection Methodology
 
 ### Heuristic Analysis
+
 1. **Memory Layout Analysis**
    - RWX region detection
    - Memory gap analysis
@@ -99,6 +110,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
    - API usage fingerprints
 
 ### Confidence Scoring
+
 - **0.9-1.0**: Very High - Multiple strong indicators
 - **0.7-0.8**: High - Clear malicious patterns
 - **0.5-0.6**: Medium - Suspicious but may be legitimate
@@ -121,17 +133,20 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
 ## Future Enhancements
 
 ### High Priority
+
 - **T1055.008** - Ptrace System Calls (Linux)
 - **T1055.009** - Proc Memory (Linux) 
 - **T1055.013** - Process Doppelgänging
 - **T1055.014** - VDSO Hijacking (Linux)
 
 ### Medium Priority  
+
 - **T1134** - Access Token Manipulation
 - **T1548.002** - Bypass User Account Control
 - **T1562.001** - Disable or Modify Tools
 
 ### Research Areas
+
 - Machine learning-based anomaly detection
 - Graph analysis of process relationships
 - Timeline analysis for attack progression