admin/ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

main with mitre attack

Browse Source
This commit is contained in:
Adir Shitrit
2025-11-08 13:43:45 +02:00
parent 87c2c85fd7
commit dc230889dc
3 changed files with 132 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
ghost-cli/src/main.rs
View File

@@ -75,6 +75,18 @@ fn main() -> Result<()> {
.value_name("FILE")
.help("Load configuration from file"),
)
.arg(
Arg::new("mitre-analysis")
.long("mitre-analysis")
.action(clap::ArgAction::SetTrue)
.help("Enable MITRE ATT&CK framework analysis"),
)
.arg(
Arg::new("mitre-stats")
.long("mitre-stats")
.action(clap::ArgAction::SetTrue)
.help("Show MITRE ATT&CK framework statistics"),
)
.get_matches();
// Initialize logging based on debug flag
@@ -96,6 +108,8 @@ fn main() -> Result<()> {
let target_process = matches.get_one::<String>("process");
let output_file = matches.get_one::<String>("output");
let config_file = matches.get_one::<String>("config");
let mitre_analysis = matches.get_flag("mitre-analysis");
let mitre_stats = matches.get_flag("mitre-stats");
// Load configuration if specified
let config = if let Some(config_path) = config_file {
@@ -131,6 +145,34 @@ fn main() -> Result<()> {
anyhow::anyhow!("Detection engine initialization failed: {}", e)
})?;
// Display MITRE ATT&CK statistics if requested
if mitre_stats {
if !quiet {
println!("MITRE ATT&CK Framework Statistics:");
println!("==================================");
}
let (techniques, tactics, actors) = engine.get_mitre_stats();
if !quiet {
println!("Techniques: {}", techniques);
println!("Tactics: {}", tactics);
println!("Threat Actors: {}", actors);
println!("Matrix Version: 13.1");
println!("Framework Coverage:");
println!(" - Process Injection (T1055)");
println!(" - Process Hollowing (T1055.012)");
println!(" - Defense Evasion (TA0004)");
println!(" - Privilege Escalation (TA0005)");
println!(" - APT29 (Cozy Bear)");
println!();
}
// If only showing stats, exit here
if mitre_stats && target_pid.is_none() && target_process.is_none() {
return Ok(());
}
}
let processes = if let Some(pid_str) = target_pid {
let pid: u32 = pid_str.parse().map_err(|e| {
error!("Invalid PID format '{}': {}", pid_str, e);

68
ghost-core/src/detection.rs
View File

@@ -1,7 +1,8 @@
use crate::{
use crate::{
detect_hook_injection, AnomalyDetector, MemoryProtection, MemoryRegion,
ProcessInfo, ShellcodeDetector, ThreadInfo, ThreatIntelligence, ThreatContext,
EvasionDetector, EvasionResult, DetectionConfig, GhostError
EvasionDetector, EvasionResult, DetectionConfig, GhostError,
MitreAttackEngine, MitreAnalysisResult,
};
#[cfg(target_os = "linux")]
use crate::EbpfDetector;
@@ -23,6 +24,7 @@ pub struct DetectionResult {
pub confidence: f32,
pub threat_context: Option<ThreatContext>,
pub evasion_analysis: Option<EvasionResult>,
pub mitre_analysis: Option<MitreAnalysisResult>,
}
pub struct DetectionEngine {
@@ -32,6 +34,7 @@ pub struct DetectionEngine {
anomaly_detector: AnomalyDetector,
threat_intelligence: ThreatIntelligence,
evasion_detector: EvasionDetector,
mitre_engine: MitreAttackEngine,
config: Option<DetectionConfig>,
#[cfg(target_os = "linux")]
ebpf_detector: Option<EbpfDetector>,
@@ -55,6 +58,7 @@ impl DetectionEngine {
let anomaly_detector = AnomalyDetector::new();
let threat_intelligence = ThreatIntelligence::new();
let evasion_detector = EvasionDetector::new();
let mitre_engine = MitreAttackEngine::new()?;
#[cfg(target_os = "linux")]
let ebpf_detector = match EbpfDetector::new() {
@@ -79,6 +83,7 @@ impl DetectionEngine {
anomaly_detector,
threat_intelligence,
evasion_detector,
mitre_engine,
config,
#[cfg(target_os = "linux")]
ebpf_detector,
@@ -249,6 +254,7 @@ impl DetectionEngine {
confidence,
threat_context: None,
evasion_analysis: None,
mitre_analysis: None,
};
// Enrich with threat intelligence (async operation would be handled by caller)
@@ -478,6 +484,64 @@ impl DetectionEngine {
data
}
/// Perform comprehensive MITRE ATT&CK analysis
pub async fn analyze_with_mitre(
&self,
process: &ProcessInfo,
memory_regions: &[MemoryRegion],
threads: &[ThreadInfo],
) -> Result<MitreAnalysisResult, GhostError> {
self.mitre_engine.analyze_attack_patterns(process, memory_regions, threads).await
}
/// Enrich detection result with MITRE ATT&CK analysis
pub async fn enrich_with_mitre_analysis(
&self,
mut detection: DetectionResult,
memory_regions: &[MemoryRegion],
threads: &[ThreadInfo],
) -> DetectionResult {
if let Ok(mitre_analysis) = self.mitre_engine.analyze_attack_patterns(&detection.process, memory_regions, threads).await {
// Update threat level based on MITRE analysis
if mitre_analysis.risk_assessment.overall_risk_score > 0.8 {
detection.threat_level = ThreatLevel::Malicious;
} else if mitre_analysis.risk_assessment.overall_risk_score > 0.5 {
if detection.threat_level == ThreatLevel::Clean {
detection.threat_level = ThreatLevel::Suspicious;
}
}
// Add MITRE technique indicators
for technique in &mitre_analysis.detected_techniques {
detection.indicators.push(format!(
"MITRE {}: {} (confidence: {:.1}%)",
technique.technique.id,
technique.technique.name,
technique.confidence * 100.0
));
}
// Add threat actor matches
for actor_match in &mitre_analysis.threat_actor_matches {
detection.indicators.push(format!(
"Threat Actor Pattern: {} (match: {:.1}%)",
actor_match.threat_actor.name,
actor_match.match_confidence * 100.0
));
}
// Update confidence with MITRE insights
detection.confidence = (detection.confidence + mitre_analysis.risk_assessment.overall_risk_score) / 2.0;
detection.mitre_analysis = Some(mitre_analysis);
}
detection
}
pub fn get_mitre_stats(&self) -> (usize, usize, usize) {
self.mitre_engine.get_framework_stats()
}
}
impl Default for DetectionEngine {

25
ghost-core/src/lib.rs
View File

@@ -1,4 +1,5 @@
pub mod anomaly;
pub mod behavioral_ml;
pub mod config;
pub mod detection;
pub mod ebpf;
@@ -7,14 +8,23 @@ pub mod error;
pub mod evasion;
pub mod hollowing;
pub mod hooks;
pub mod live_feeds;
pub mod memory;
pub mod mitre_attack;
pub mod ml_cloud;
pub mod neural_memory;
pub mod process;
pub mod shellcode;
pub mod streaming;
pub mod thread;
pub mod threat_intel;
pub mod yara_engine;
pub use anomaly::{AnomalyDetector, AnomalyScore, ProcessFeatures};
pub use behavioral_ml::{
AdvancedBehavioralML, BehavioralAnalysisResult, PredictedTechnique, BehavioralAnomaly,
ModelConsensus, TemporalAnalysis, RiskLevel
};
pub use config::{DetectionConfig, ProcessFilter};
pub use detection::{DetectionEngine, DetectionResult, ThreatLevel};
#[cfg(target_os = "linux")]
@@ -26,7 +36,17 @@ pub use evasion::{
};
pub use hollowing::{HollowingDetection, HollowingDetector, HollowingIndicator};
pub use hooks::{detect_hook_injection, HookDetectionResult, HookInfo};
pub use live_feeds::{LiveThreatFeeds, ThreatFeed, FeedType};
pub use memory::{MemoryProtection, MemoryRegion};
pub use mitre_attack::{
MitreAttackEngine, MitreAnalysisResult, AttackTechnique, AttackTactic, ThreatActor,
DetectedTechnique, TacticCoverage, ThreatActorMatch, KillChainAnalysis, RiskAssessment
};
pub use ml_cloud::{CloudMLEngine, InferenceResult, MLModel, ThreatPrediction, ThreatSeverity};
pub use neural_memory::{
NeuralMemoryAnalyzer, NeuralAnalysisResult, DetectedPattern, DetectedEvasion,
PolymorphicIndicator, MemoryAnomaly, NeuralInsights, PatternType, EvasionCategory
};
pub use process::ProcessInfo;
pub use shellcode::{ShellcodeDetection, ShellcodeDetector};
pub use streaming::{
@@ -36,5 +56,8 @@ pub use streaming::{
pub use thread::ThreadInfo;
pub use threat_intel::{
ThreatIntelligence, ThreatContext, IndicatorOfCompromise,
ThreatActor, Campaign, IocType, SophisticationLevel
ThreatActor as ThreatIntelActor, Campaign, IocType, SophisticationLevel
};
pub use yara_engine::{
DynamicYaraEngine, YaraRuleSource, YaraScanResult, RuleMatch, ThreatLevel as YaraThreatLevel
};