# MITRE ATT&CK Detection Coverage Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. ## Process Injection (T1055) ### T1055.001 - Dynamic-link Library Injection - **Detection**: Hook-based injection detection (`hooks.rs`) - **Indicators**: - SetWindowsHookEx API monitoring - Suspicious DLL loading patterns - Global hook chain analysis - **Confidence**: High (0.8-0.9) ### T1055.002 - Portable Executable Injection - **Detection**: Shellcode pattern detection (`shellcode.rs`) - **Indicators**: - PE headers in private memory regions - Meterpreter payload signatures - High entropy executable regions - **Confidence**: High (0.7-0.9) ### T1055.003 - Thread Execution Hijacking - **Detection**: Thread analysis (`thread.rs`, `detection.rs`) - **Indicators**: - Threads with unusual start addresses - High ratio of recently created threads - Thread count anomalies - **Confidence**: Medium (0.5-0.7) ### T1055.004 - Asynchronous Procedure Call - **Detection**: Memory pattern analysis - **Indicators**: - Suspicious memory layout changes - RWX region proliferation - Thread creation spikes - **Confidence**: Medium (0.4-0.6) ### T1055.012 - Process Hollowing - **Detection**: Comprehensive hollowing detection (`hollowing.rs`) - **Indicators**: - Unmapped main executable image - Suspicious memory gaps (>16MB) - PE header mismatches - Unusual entry point locations - Memory layout anomalies - **Confidence**: Very High (0.8-1.0) ## Defense Evasion (TA0005) ### T1027 - Obfuscated Files or Information - **Detection**: Entropy analysis in shellcode detector - **Indicators**: - High entropy regions (>7.0 Shannon entropy) - Encrypted/packed code patterns - **Confidence**: Medium (0.6-0.8) ### T1055 - Process Injection (General) - **Detection**: Multi-layered approach across all modules - **Indicators**: Combination of all injection-specific indicators - **Confidence**: Varies by technique ### T1036 - Masquerading - **Detection**: Process metadata analysis - **Indicators**: - Process name/path mismatches - Suspicious parent-child relationships - **Confidence**: Low-Medium (0.3-0.6) ## Execution (TA0002) ### T1106 - Native API - **Detection**: Memory pattern analysis, syscall indicators - **Indicators**: - Direct syscall usage patterns - Unusual API call sequences - **Confidence**: Medium (0.5-0.7) ### T1055 - Process Injection - **Detection**: Primary focus of Ghost detection engine - **Coverage**: Comprehensive across all sub-techniques ## Detection Methodology ### Heuristic Analysis 1. **Memory Layout Analysis** - RWX region detection - Memory gap analysis - Region size anomalies 2. **Behavioral Patterns** - Thread creation patterns - Hook installation monitoring - Process lifecycle anomalies 3. **Signature Matching** - Known shellcode patterns - Malware family signatures - API usage fingerprints ### Confidence Scoring - **0.9-1.0**: Very High - Multiple strong indicators - **0.7-0.8**: High - Clear malicious patterns - **0.5-0.6**: Medium - Suspicious but may be legitimate - **0.3-0.4**: Low - Anomalous but likely false positive - **0.0-0.2**: Very Low - Minimal suspicious activity ## Coverage Matrix | Technique | Detection Module | Implementation Status | Test Coverage | |-----------|------------------|----------------------|---------------| | T1055.001 | hooks.rs | ✅ Complete | ✅ Tested | | T1055.002 | shellcode.rs | ✅ Complete | ✅ Tested | | T1055.003 | thread.rs | ✅ Complete | ✅ Tested | | T1055.004 | detection.rs | ⚠️ Partial | ✅ Tested | | T1055.012 | hollowing.rs | ✅ Complete | ✅ Tested | | T1027 | shellcode.rs | ✅ Complete | ✅ Tested | | T1036 | process.rs | ⚠️ Partial | ❌ Pending | | T1106 | detection.rs | ⚠️ Basic | ❌ Pending | ## Future Enhancements ### High Priority - **T1055.008** - Ptrace System Calls (Linux) - **T1055.009** - Proc Memory (Linux) - **T1055.013** - Process Doppelgänging - **T1055.014** - VDSO Hijacking (Linux) ### Medium Priority - **T1134** - Access Token Manipulation - **T1548.002** - Bypass User Account Control - **T1562.001** - Disable or Modify Tools ### Research Areas - Machine learning-based anomaly detection - Graph analysis of process relationships - Timeline analysis for attack progression - Integration with threat intelligence feeds ## References - [MITRE ATT&CK Framework](https://attack.mitre.org/) - [Process Injection Techniques](https://attack.mitre.org/techniques/T1055/) - [Windows Process Injection Research](https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process) - [Linux Process Injection](https://blog.sektor7.net/#!res/2018/pure-in-memory-linux.md) --- *Coverage updated: November 2024* *Next review: December 2024*