From dc230889dc5b3deb4fbdd69b3dcecd15b6ab93bd Mon Sep 17 00:00:00 2001
From: Adir Shitrit <adirshit212@gmail.com>
Date: Sat, 8 Nov 2025 13:43:45 +0200
Subject: [PATCH] main with mitre attack

---
 ghost-cli/src/main.rs       | 42 +++++++++++++++++++++++
 ghost-core/src/detection.rs | 68 +++++++++++++++++++++++++++++++++++--
 ghost-core/src/lib.rs       | 25 +++++++++++++-
 3 files changed, 132 insertions(+), 3 deletions(-)

diff --git a/ghost-cli/src/main.rs b/ghost-cli/src/main.rs
index 8f79ed7..c2ae5cc 100644
--- a/ghost-cli/src/main.rs
+++ b/ghost-cli/src/main.rs
@@ -75,6 +75,18 @@ fn main() -> Result<()> {
                 .value_name("FILE")
                 .help("Load configuration from file"),
         )
+        .arg(
+            Arg::new("mitre-analysis")
+                .long("mitre-analysis")
+                .action(clap::ArgAction::SetTrue)
+                .help("Enable MITRE ATT&CK framework analysis"),
+        )
+        .arg(
+            Arg::new("mitre-stats")
+                .long("mitre-stats")
+                .action(clap::ArgAction::SetTrue)
+                .help("Show MITRE ATT&CK framework statistics"),
+        )
         .get_matches();
 
     // Initialize logging based on debug flag
@@ -96,6 +108,8 @@ fn main() -> Result<()> {
     let target_process = matches.get_one::<String>("process");
     let output_file = matches.get_one::<String>("output");
     let config_file = matches.get_one::<String>("config");
+    let mitre_analysis = matches.get_flag("mitre-analysis");
+    let mitre_stats = matches.get_flag("mitre-stats");
 
     // Load configuration if specified
     let config = if let Some(config_path) = config_file {
@@ -131,6 +145,34 @@ fn main() -> Result<()> {
         anyhow::anyhow!("Detection engine initialization failed: {}", e)
     })?;
     
+    // Display MITRE ATT&CK statistics if requested
+    if mitre_stats {
+        if !quiet {
+            println!("MITRE ATT&CK Framework Statistics:");
+            println!("==================================");
+        }
+        
+        let (techniques, tactics, actors) = engine.get_mitre_stats();
+        if !quiet {
+            println!("Techniques: {}", techniques);
+            println!("Tactics: {}", tactics);
+            println!("Threat Actors: {}", actors);
+            println!("Matrix Version: 13.1");
+            println!("Framework Coverage:");
+            println!("  - Process Injection (T1055)");
+            println!("  - Process Hollowing (T1055.012)");
+            println!("  - Defense Evasion (TA0004)");
+            println!("  - Privilege Escalation (TA0005)");
+            println!("  - APT29 (Cozy Bear)");
+            println!();
+        }
+        
+        // If only showing stats, exit here
+        if mitre_stats && target_pid.is_none() && target_process.is_none() {
+            return Ok(());
+        }
+    }
+    
     let processes = if let Some(pid_str) = target_pid {
         let pid: u32 = pid_str.parse().map_err(|e| {
             error!("Invalid PID format '{}': {}", pid_str, e);
diff --git a/ghost-core/src/detection.rs b/ghost-core/src/detection.rs
index b19162c..36e0afc 100644
--- a/ghost-core/src/detection.rs
+++ b/ghost-core/src/detection.rs
@@ -1,7 +1,8 @@
-use crate::{
+use crate::{
     detect_hook_injection, AnomalyDetector, MemoryProtection, MemoryRegion, 
     ProcessInfo, ShellcodeDetector, ThreadInfo, ThreatIntelligence, ThreatContext,
-    EvasionDetector, EvasionResult, DetectionConfig, GhostError
+    EvasionDetector, EvasionResult, DetectionConfig, GhostError,
+    MitreAttackEngine, MitreAnalysisResult,
 };
 #[cfg(target_os = "linux")]
 use crate::EbpfDetector;
@@ -23,6 +24,7 @@ pub struct DetectionResult {
     pub confidence: f32,
     pub threat_context: Option<ThreatContext>,
     pub evasion_analysis: Option<EvasionResult>,
+    pub mitre_analysis: Option<MitreAnalysisResult>,
 }
 
 pub struct DetectionEngine {
@@ -32,6 +34,7 @@ pub struct DetectionEngine {
     anomaly_detector: AnomalyDetector,
     threat_intelligence: ThreatIntelligence,
     evasion_detector: EvasionDetector,
+    mitre_engine: MitreAttackEngine,
     config: Option<DetectionConfig>,
     #[cfg(target_os = "linux")]
     ebpf_detector: Option<EbpfDetector>,
@@ -55,6 +58,7 @@ impl DetectionEngine {
         let anomaly_detector = AnomalyDetector::new();
         let threat_intelligence = ThreatIntelligence::new();
         let evasion_detector = EvasionDetector::new();
+        let mitre_engine = MitreAttackEngine::new()?;
         
         #[cfg(target_os = "linux")]
         let ebpf_detector = match EbpfDetector::new() {
@@ -79,6 +83,7 @@ impl DetectionEngine {
             anomaly_detector,
             threat_intelligence,
             evasion_detector,
+            mitre_engine,
             config,
             #[cfg(target_os = "linux")]
             ebpf_detector,
@@ -249,6 +254,7 @@ impl DetectionEngine {
             confidence,
             threat_context: None,
             evasion_analysis: None,
+            mitre_analysis: None,
         };
 
         // Enrich with threat intelligence (async operation would be handled by caller)
@@ -478,6 +484,64 @@ impl DetectionEngine {
 
         data
     }
+
+    /// Perform comprehensive MITRE ATT&CK analysis
+    pub async fn analyze_with_mitre(
+        &self,
+        process: &ProcessInfo,
+        memory_regions: &[MemoryRegion],
+        threads: &[ThreadInfo],
+    ) -> Result<MitreAnalysisResult, GhostError> {
+        self.mitre_engine.analyze_attack_patterns(process, memory_regions, threads).await
+    }
+
+    /// Enrich detection result with MITRE ATT&CK analysis
+    pub async fn enrich_with_mitre_analysis(
+        &self,
+        mut detection: DetectionResult,
+        memory_regions: &[MemoryRegion],
+        threads: &[ThreadInfo],
+    ) -> DetectionResult {
+        if let Ok(mitre_analysis) = self.mitre_engine.analyze_attack_patterns(&detection.process, memory_regions, threads).await {
+            // Update threat level based on MITRE analysis
+            if mitre_analysis.risk_assessment.overall_risk_score > 0.8 {
+                detection.threat_level = ThreatLevel::Malicious;
+            } else if mitre_analysis.risk_assessment.overall_risk_score > 0.5 {
+                if detection.threat_level == ThreatLevel::Clean {
+                    detection.threat_level = ThreatLevel::Suspicious;
+                }
+            }
+
+            // Add MITRE technique indicators
+            for technique in &mitre_analysis.detected_techniques {
+                detection.indicators.push(format!(
+                    "MITRE {}: {} (confidence: {:.1}%)",
+                    technique.technique.id,
+                    technique.technique.name,
+                    technique.confidence * 100.0
+                ));
+            }
+
+            // Add threat actor matches
+            for actor_match in &mitre_analysis.threat_actor_matches {
+                detection.indicators.push(format!(
+                    "Threat Actor Pattern: {} (match: {:.1}%)",
+                    actor_match.threat_actor.name,
+                    actor_match.match_confidence * 100.0
+                ));
+            }
+
+            // Update confidence with MITRE insights
+            detection.confidence = (detection.confidence + mitre_analysis.risk_assessment.overall_risk_score) / 2.0;
+            detection.mitre_analysis = Some(mitre_analysis);
+        }
+
+        detection
+    }
+
+    pub fn get_mitre_stats(&self) -> (usize, usize, usize) {
+        self.mitre_engine.get_framework_stats()
+    }
 }
 
 impl Default for DetectionEngine {
diff --git a/ghost-core/src/lib.rs b/ghost-core/src/lib.rs
index 1a4d727..cd77859 100644
--- a/ghost-core/src/lib.rs
+++ b/ghost-core/src/lib.rs
@@ -1,4 +1,5 @@
 pub mod anomaly;
+pub mod behavioral_ml;
 pub mod config;
 pub mod detection;
 pub mod ebpf;
@@ -7,14 +8,23 @@ pub mod error;
 pub mod evasion;
 pub mod hollowing;
 pub mod hooks;
+pub mod live_feeds;
 pub mod memory;
+pub mod mitre_attack;
+pub mod ml_cloud;
+pub mod neural_memory;
 pub mod process;
 pub mod shellcode;
 pub mod streaming;
 pub mod thread;
 pub mod threat_intel;
+pub mod yara_engine;
 
 pub use anomaly::{AnomalyDetector, AnomalyScore, ProcessFeatures};
+pub use behavioral_ml::{
+    AdvancedBehavioralML, BehavioralAnalysisResult, PredictedTechnique, BehavioralAnomaly,
+    ModelConsensus, TemporalAnalysis, RiskLevel
+};
 pub use config::{DetectionConfig, ProcessFilter};
 pub use detection::{DetectionEngine, DetectionResult, ThreatLevel};
 #[cfg(target_os = "linux")]
@@ -26,7 +36,17 @@ pub use evasion::{
 };
 pub use hollowing::{HollowingDetection, HollowingDetector, HollowingIndicator};
 pub use hooks::{detect_hook_injection, HookDetectionResult, HookInfo};
+pub use live_feeds::{LiveThreatFeeds, ThreatFeed, FeedType};
 pub use memory::{MemoryProtection, MemoryRegion};
+pub use mitre_attack::{
+    MitreAttackEngine, MitreAnalysisResult, AttackTechnique, AttackTactic, ThreatActor,
+    DetectedTechnique, TacticCoverage, ThreatActorMatch, KillChainAnalysis, RiskAssessment
+};
+pub use ml_cloud::{CloudMLEngine, InferenceResult, MLModel, ThreatPrediction, ThreatSeverity};
+pub use neural_memory::{
+    NeuralMemoryAnalyzer, NeuralAnalysisResult, DetectedPattern, DetectedEvasion,
+    PolymorphicIndicator, MemoryAnomaly, NeuralInsights, PatternType, EvasionCategory
+};
 pub use process::ProcessInfo;
 pub use shellcode::{ShellcodeDetection, ShellcodeDetector};
 pub use streaming::{
@@ -36,5 +56,8 @@ pub use streaming::{
 pub use thread::ThreadInfo;
 pub use threat_intel::{
     ThreatIntelligence, ThreatContext, IndicatorOfCompromise,
-    ThreatActor, Campaign, IocType, SophisticationLevel
+    ThreatActor as ThreatIntelActor, Campaign, IocType, SophisticationLevel
+};
+pub use yara_engine::{
+    DynamicYaraEngine, YaraRuleSource, YaraScanResult, RuleMatch, ThreatLevel as YaraThreatLevel
 };