add technical documentation for detection methods
This commit is contained in:
Adir Shitrit
101
docs/DETECTION_METHODS.md
Normal file
101
docs/DETECTION_METHODS.md
Normal file
@@ -0,0 +1,101 @@
|
|||||||
|
# Detection Methods
|
||||||
|
|
||||||
|
This document details the techniques used by Ghost to detect process injection.
|
||||||
|
|
||||||
|
## Memory-Based Detection
|
||||||
|
|
||||||
|
### RWX Memory Regions
|
||||||
|
|
||||||
|
**MITRE ATT&CK**: T1055
|
||||||
|
|
||||||
|
Executable memory with write permissions is a strong indicator of code injection. Legitimate processes rarely need RWX pages except during JIT compilation.
|
||||||
|
|
||||||
|
**Detection Logic**:
|
||||||
|
- Enumerate all memory regions in target process
|
||||||
|
- Flag regions with PAGE_EXECUTE_READWRITE protection
|
||||||
|
- Confidence increases with number of RWX regions
|
||||||
|
|
||||||
|
**False Positives**:
|
||||||
|
- .NET/Java JIT compiler regions
|
||||||
|
- V8/SpiderMonkey JavaScript engines
|
||||||
|
- Legitimate debugging scenarios
|
||||||
|
|
||||||
|
### Private Executable Memory
|
||||||
|
|
||||||
|
Private memory regions (not backed by files) with execute permissions often contain injected shellcode.
|
||||||
|
|
||||||
|
**Detection Logic**:
|
||||||
|
- Check for MEM_PRIVATE regions with EXECUTE protection
|
||||||
|
- Correlate with unsigned code patterns
|
||||||
|
- Higher confidence if multiple regions present
|
||||||
|
|
||||||
|
## Thread-Based Detection
|
||||||
|
|
||||||
|
### Abnormal Thread Creation
|
||||||
|
|
||||||
|
**MITRE ATT&CK**: T1055.001 (DLL Injection), T1055.002 (Portable Executable Injection)
|
||||||
|
|
||||||
|
Monitors thread count changes over time. Sudden increases may indicate CreateRemoteThread injection.
|
||||||
|
|
||||||
|
**Detection Logic**:
|
||||||
|
- Baseline thread count for each process
|
||||||
|
- Alert on new threads created between scans
|
||||||
|
- Cross-reference with memory analysis
|
||||||
|
|
||||||
|
### Remote Thread Detection
|
||||||
|
|
||||||
|
Threads created by external processes via CreateRemoteThread or NtCreateThreadEx.
|
||||||
|
|
||||||
|
**Detection Logic** (Planned):
|
||||||
|
- Compare thread creator PID with owner PID
|
||||||
|
- Check thread start addresses against known modules
|
||||||
|
- Flag threads starting in private memory regions
|
||||||
|
|
||||||
|
## Heuristic Analysis
|
||||||
|
|
||||||
|
### Confidence Scoring
|
||||||
|
|
||||||
|
Ghost uses weighted confidence scoring:
|
||||||
|
|
||||||
|
| Indicator | Weight | Description |
|
||||||
|
|-----------|--------|-------------|
|
||||||
|
| RWX regions | 0.3 | Per region detected |
|
||||||
|
| Private exec | 0.4 | >2 regions |
|
||||||
|
| New threads | 0.2 | Per thread created |
|
||||||
|
| Unsigned code | 0.5 | In executable region |
|
||||||
|
|
||||||
|
**Thresholds**:
|
||||||
|
- Clean: < 0.3
|
||||||
|
- Suspicious: 0.3 - 0.7
|
||||||
|
- Malicious: >= 0.7
|
||||||
|
|
||||||
|
## Technique Coverage
|
||||||
|
|
||||||
|
### Windows
|
||||||
|
|
||||||
|
- [x] Classic DLL injection detection
|
||||||
|
- [x] Memory region analysis
|
||||||
|
- [x] Thread enumeration
|
||||||
|
- [ ] APC injection detection
|
||||||
|
- [ ] Process hollowing detection
|
||||||
|
- [ ] Hook detection (IAT/EAT)
|
||||||
|
- [ ] Reflective DLL injection
|
||||||
|
|
||||||
|
### Linux
|
||||||
|
|
||||||
|
- [ ] ptrace injection
|
||||||
|
- [ ] LD_PRELOAD detection
|
||||||
|
- [ ] process_vm_writev monitoring
|
||||||
|
- [ ] Shared memory inspection
|
||||||
|
|
||||||
|
### macOS
|
||||||
|
|
||||||
|
- [ ] DYLD_INSERT_LIBRARIES
|
||||||
|
- [ ] task_for_pid monitoring
|
||||||
|
- [ ] Mach port analysis
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- MITRE ATT&CK T1055: Process Injection
|
||||||
|
- Windows Internals 7th Edition
|
||||||
|
- "Process Injection Techniques" - Elastic Security
|
||||||
Reference in New Issue
Block a user