From a90a6d8091f772d58ed285b7432505ef9e26d3e9 Mon Sep 17 00:00:00 2001 From: Adir Shitrit Date: Sat, 8 Nov 2025 11:49:27 +0200 Subject: [PATCH] expand MITRE ATT&CK technique coverage mapping --- docs/MITRE_ATTACK_COVERAGE.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/MITRE_ATTACK_COVERAGE.md b/docs/MITRE_ATTACK_COVERAGE.md index cd26d00..8339b0d 100644 --- a/docs/MITRE_ATTACK_COVERAGE.md +++ b/docs/MITRE_ATTACK_COVERAGE.md @@ -5,6 +5,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. ## Process Injection (T1055) ### T1055.001 - Dynamic-link Library Injection + - **Detection**: Hook-based injection detection (`hooks.rs`) - **Indicators**: - SetWindowsHookEx API monitoring @@ -13,6 +14,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. - **Confidence**: High (0.8-0.9) ### T1055.002 - Portable Executable Injection + - **Detection**: Shellcode pattern detection (`shellcode.rs`) - **Indicators**: - PE headers in private memory regions @@ -21,6 +23,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. - **Confidence**: High (0.7-0.9) ### T1055.003 - Thread Execution Hijacking + - **Detection**: Thread analysis (`thread.rs`, `detection.rs`) - **Indicators**: - Threads with unusual start addresses @@ -29,6 +32,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. - **Confidence**: Medium (0.5-0.7) ### T1055.004 - Asynchronous Procedure Call + - **Detection**: Memory pattern analysis - **Indicators**: - Suspicious memory layout changes @@ -37,6 +41,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. - **Confidence**: Medium (0.4-0.6) ### T1055.012 - Process Hollowing + - **Detection**: Comprehensive hollowing detection (`hollowing.rs`) - **Indicators**: - Unmapped main executable image @@ -49,6 +54,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. ## Defense Evasion (TA0005) ### T1027 - Obfuscated Files or Information + - **Detection**: Entropy analysis in shellcode detector - **Indicators**: - High entropy regions (>7.0 Shannon entropy) @@ -56,11 +62,13 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. - **Confidence**: Medium (0.6-0.8) ### T1055 - Process Injection (General) + - **Detection**: Multi-layered approach across all modules - **Indicators**: Combination of all injection-specific indicators - **Confidence**: Varies by technique ### T1036 - Masquerading + - **Detection**: Process metadata analysis - **Indicators**: - Process name/path mismatches @@ -70,6 +78,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. ## Execution (TA0002) ### T1106 - Native API + - **Detection**: Memory pattern analysis, syscall indicators - **Indicators**: - Direct syscall usage patterns @@ -77,12 +86,14 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. - **Confidence**: Medium (0.5-0.7) ### T1055 - Process Injection + - **Detection**: Primary focus of Ghost detection engine - **Coverage**: Comprehensive across all sub-techniques ## Detection Methodology ### Heuristic Analysis + 1. **Memory Layout Analysis** - RWX region detection - Memory gap analysis @@ -99,6 +110,7 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. - API usage fingerprints ### Confidence Scoring + - **0.9-1.0**: Very High - Multiple strong indicators - **0.7-0.8**: High - Clear malicious patterns - **0.5-0.6**: Medium - Suspicious but may be legitimate @@ -121,17 +133,20 @@ Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. ## Future Enhancements ### High Priority + - **T1055.008** - Ptrace System Calls (Linux) - **T1055.009** - Proc Memory (Linux) - **T1055.013** - Process Doppelgänging - **T1055.014** - VDSO Hijacking (Linux) ### Medium Priority + - **T1134** - Access Token Manipulation - **T1548.002** - Bypass User Account Control - **T1562.001** - Disable or Modify Tools ### Research Areas + - Machine learning-based anomaly detection - Graph analysis of process relationships - Timeline analysis for attack progression