admin/ghost

Files

Adir Shitrit a90a6d8091 expand MITRE ATT&CK technique coverage mapping

2025-11-08 11:49:27 +02:00

4.8 KiB

Raw Blame History

MITRE ATT&CK Detection Coverage

Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.

Process Injection (T1055)

T1055.001 - Dynamic-link Library Injection

Detection: Hook-based injection detection (hooks.rs)
Indicators:
- SetWindowsHookEx API monitoring
- Suspicious DLL loading patterns
- Global hook chain analysis
Confidence: High (0.8-0.9)

T1055.002 - Portable Executable Injection

Detection: Shellcode pattern detection (shellcode.rs)
Indicators:
- PE headers in private memory regions
- Meterpreter payload signatures
- High entropy executable regions
Confidence: High (0.7-0.9)

T1055.003 - Thread Execution Hijacking

Detection: Thread analysis (thread.rs, detection.rs)
Indicators:
- Threads with unusual start addresses
- High ratio of recently created threads
- Thread count anomalies
Confidence: Medium (0.5-0.7)

T1055.004 - Asynchronous Procedure Call

Detection: Memory pattern analysis
Indicators:
- Suspicious memory layout changes
- RWX region proliferation
- Thread creation spikes
Confidence: Medium (0.4-0.6)

T1055.012 - Process Hollowing

Detection: Comprehensive hollowing detection (hollowing.rs)
Indicators:
- Unmapped main executable image
- Suspicious memory gaps (>16MB)
- PE header mismatches
- Unusual entry point locations
- Memory layout anomalies
Confidence: Very High (0.8-1.0)

Defense Evasion (TA0005)

T1027 - Obfuscated Files or Information

Detection: Entropy analysis in shellcode detector
Indicators:
- High entropy regions (>7.0 Shannon entropy)
- Encrypted/packed code patterns
Confidence: Medium (0.6-0.8)

T1055 - Process Injection (General)

Detection: Multi-layered approach across all modules
Indicators: Combination of all injection-specific indicators
Confidence: Varies by technique

T1036 - Masquerading

Detection: Process metadata analysis
Indicators:
- Process name/path mismatches
- Suspicious parent-child relationships
Confidence: Low-Medium (0.3-0.6)

Execution (TA0002)

T1106 - Native API

Detection: Memory pattern analysis, syscall indicators
Indicators:
- Direct syscall usage patterns
- Unusual API call sequences
Confidence: Medium (0.5-0.7)

T1055 - Process Injection

Detection: Primary focus of Ghost detection engine
Coverage: Comprehensive across all sub-techniques

Detection Methodology

Heuristic Analysis

Memory Layout Analysis
- RWX region detection
- Memory gap analysis
- Region size anomalies
Behavioral Patterns
- Thread creation patterns
- Hook installation monitoring
- Process lifecycle anomalies
Signature Matching
- Known shellcode patterns
- Malware family signatures
- API usage fingerprints

Confidence Scoring

0.9-1.0: Very High - Multiple strong indicators
0.7-0.8: High - Clear malicious patterns
0.5-0.6: Medium - Suspicious but may be legitimate
0.3-0.4: Low - Anomalous but likely false positive
0.0-0.2: Very Low - Minimal suspicious activity

Coverage Matrix

Technique	Detection Module	Implementation Status	Test Coverage
T1055.001	hooks.rs	✅ Complete	✅ Tested
T1055.002	shellcode.rs	✅ Complete	✅ Tested
T1055.003	thread.rs	✅ Complete	✅ Tested
T1055.004	detection.rs	⚠️ Partial	✅ Tested
T1055.012	hollowing.rs	✅ Complete	✅ Tested
T1027	shellcode.rs	✅ Complete	✅ Tested
T1036	process.rs	⚠️ Partial	❌ Pending
T1106	detection.rs	⚠️ Basic	❌ Pending

Future Enhancements

High Priority

T1055.008 - Ptrace System Calls (Linux)
T1055.009 - Proc Memory (Linux)
T1055.013 - Process Doppelgänging
T1055.014 - VDSO Hijacking (Linux)

Medium Priority

T1134 - Access Token Manipulation
T1548.002 - Bypass User Account Control
T1562.001 - Disable or Modify Tools

Research Areas

Machine learning-based anomaly detection
Graph analysis of process relationships
Timeline analysis for attack progression
Integration with threat intelligence feeds

References

Coverage updated: November 2024
Next review: December 2024