ghost/docs/DETECTION_METHODS.md
2025-11-08 11:05:35 +02:00

Detection Methods

This document details the techniques used by Ghost to detect process injection.

Memory-Based Detection

RWX Memory Regions

MITRE ATT&CK: T1055

Executable memory with write permissions is a strong indicator of code injection. Legitimate processes rarely need RWX pages except during JIT compilation.

Detection Logic:

  • Enumerate all memory regions in the target process
  • Flag regions with PAGE_EXECUTE_READWRITE protection
  • Confidence increases with the number of RWX regions

False Positives:

  • .NET/Java JIT compiler regions
  • V8/SpiderMonkey JavaScript engines
  • Legitimate debugging scenarios

Private Executable Memory

Private memory regions (not backed by files) with execute permissions often contain injected shellcode.

Detection Logic:

  • Check for MEM_PRIVATE regions with EXECUTE protection
  • Correlate with unsigned code patterns
  • Higher confidence if multiple regions present

Thread-Based Detection

Abnormal Thread Creation

MITRE ATT&CK: T1055.001 (DLL Injection), T1055.002 (Portable Executable Injection)

Ghost monitors each process's thread count over time. A sudden increase may indicate CreateRemoteThread injection.

Detection Logic:

  • Baseline thread count for each process
  • Alert on new threads created between scans
  • Cross-reference with memory analysis

Remote Thread Detection

Detects threads created in a process by another process via CreateRemoteThread or NtCreateThreadEx.

Detection Logic (Planned):

  • Compare thread creator PID with owner PID
  • Check thread start addresses against known modules
  • Flag threads starting in private memory regions

Heuristic Analysis

Confidence Scoring

Ghost uses weighted confidence scoring:

| Indicator     | Weight | Description           |
|---------------|--------|-----------------------|
| RWX regions   | 0.3    | Per region detected   |
| Private exec  | 0.4    | >2 regions            |
| New threads   | 0.2    | Per thread created    |
| Unsigned code | 0.5    | In executable region  |

Thresholds:

  • Clean: < 0.3
  • Suspicious: 0.3 - 0.7
  • Malicious: >= 0.7
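The memory-based checks and the weighted scoring above, carried through as an added Python example (not Ghost's own code) on a constructed region list: summing the weights and capping the score at 1.0, the `Region` record shape, and the `unsigned_exec` flag are assumptions made here.

```python
from dataclasses import dataclass

# Win32 memory protection / type constants (values from the Windows API).
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE* family
PROTECT_BITS = 0xFF                        # strips PAGE_GUARD / PAGE_NOCACHE modifiers
MEM_IMAGE, MEM_PRIVATE = 0x1000000, 0x20000

# Weights and thresholds from the table above; summing the weights and
# capping at 1.0 is an assumption made for this example.
WEIGHTS = {"rwx": 0.3, "private_exec": 0.4, "new_thread": 0.2, "unsigned": 0.5}

@dataclass
class Region:
    base: int
    size: int
    protect: int   # PAGE_* flags as returned by VirtualQueryEx
    mem_type: int  # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE

def is_rwx(r: Region) -> bool:
    return (r.protect & PROTECT_BITS) == PAGE_EXECUTE_READWRITE

def is_private_exec(r: Region) -> bool:
    return r.mem_type == MEM_PRIVATE and bool(r.protect & EXECUTE_MASK)

def score_process(regions, new_threads: int, unsigned_exec: bool) -> float:
    rwx = sum(is_rwx(r) for r in regions)
    private_exec = sum(is_private_exec(r) for r in regions)
    score = WEIGHTS["rwx"] * rwx                    # per RWX region
    if private_exec > 2:                            # only above the ">2 regions" bar
        score += WEIGHTS["private_exec"]
    score += WEIGHTS["new_thread"] * new_threads    # per thread since baseline
    if unsigned_exec:                               # unsigned code in an exec region
        score += WEIGHTS["unsigned"]
    return round(min(score, 1.0), 2)

def verdict(score: float) -> str:
    if score < 0.3:
        return "clean"
    return "suspicious" if score < 0.7 else "malicious"

# Constructed sample: a benign layout, and the same process after injection.
BENIGN = [Region(0x7FF600000000, 0x1000, 0x20, MEM_IMAGE),   # .text, RX, image-backed
          Region(0x1A2B0000, 0x10000, 0x04, MEM_PRIVATE)]    # heap, RW, never executable
INJECTED = BENIGN + [Region(0x20000000, 0x1000, 0x40, MEM_PRIVATE),          # RWX, private
                     Region(0x20010000, 0x1000, 0x20 | 0x100, MEM_PRIVATE),  # RX + PAGE_GUARD
                     Region(0x20020000, 0x1000, 0x20, MEM_PRIVATE)]          # RX, private

if __name__ == "__main__":
    for name, regs, threads, unsigned in [("benign", BENIGN, 0, False), ("injected", INJECTED, 1, True)]:
        s = score_process(regs, threads, unsigned)
        print(f"{name}: score={s} verdict={verdict(s)}")
```

Note that the JIT false positives listed earlier land in the "suspicious" band with a single RWX region, which is why the text treats RWX alone as an indicator rather than a verdict.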

Technique Coverage

Windows

  • Classic DLL injection detection
  • Memory region analysis
  • Thread enumeration
  • APC injection detection
  • Process hollowing detection
  • Hook detection (IAT/EAT)
  • Reflective DLL injection

Linux

  • ptrace injection
  • LD_PRELOAD detection
  • process_vm_writev monitoring
  • Shared memory inspection

macOS

  • DYLD_INSERT_LIBRARIES
  • task_for_pid monitoring
  • Mach port analysis

References

  • MITRE ATT&CK T1055: Process Injection
  • Windows Internals 7th Edition
  • "Process Injection Techniques" - Elastic Security