ghost/docs/MITRE_ATTACK_COVERAGE.md
2025-11-08 11:49:27 +02:00

# MITRE ATT&CK Detection Coverage
Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
## Process Injection (T1055)
### T1055.001 - Dynamic-link Library Injection
- **Detection**: Hook-based injection detection (`hooks.rs`)
- **Indicators**:
  - SetWindowsHookEx API monitoring
  - Suspicious DLL loading patterns
  - Global hook chain analysis
- **Confidence**: High (0.8-0.9)
### T1055.002 - Portable Executable Injection
- **Detection**: Shellcode pattern detection (`shellcode.rs`)
- **Indicators**:
  - PE headers in private memory regions
  - Meterpreter payload signatures
  - High entropy executable regions
- **Confidence**: High (0.7-0.9)
### T1055.003 - Thread Execution Hijacking
- **Detection**: Thread analysis (`thread.rs`, `detection.rs`)
- **Indicators**:
  - Threads with unusual start addresses
  - High ratio of recently created threads
  - Thread count anomalies
- **Confidence**: Medium (0.5-0.7)
### T1055.004 - Asynchronous Procedure Call
- **Detection**: Memory pattern analysis
- **Indicators**:
  - Suspicious memory layout changes
  - RWX region proliferation
  - Thread creation spikes
- **Confidence**: Medium (0.4-0.6)
### T1055.012 - Process Hollowing
- **Detection**: Comprehensive hollowing detection (`hollowing.rs`)
- **Indicators**:
  - Unmapped main executable image
  - Suspicious memory gaps (>16MB)
  - PE header mismatches
  - Unusual entry point locations
  - Memory layout anomalies
- **Confidence**: Very High (0.8-1.0)
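Three of the hollowing indicators listed above (unmapped main image, PE header mismatch, entry point outside any executable section), evaluated over a constructed model of a process. This is an added example, not the project's `hollowing.rs`; the `Region` and `PeInfo` types, their field names and the sample address layout are assumptions made for the example.

```rust
// Added example, not Ghost's hollowing.rs: three hollowing indicators
// evaluated over a constructed process model. `PeInfo`, `Region` and the
// sample addresses are assumptions made for this example.

/// Header facts a detector reads from a PE image, either from the file on
/// disk or from the headers mapped at the process image base.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PeInfo {
    pub image_base: u64,
    pub size_of_image: u32,
    pub entry_point_rva: u32,
    /// (section RVA, virtual size, is executable) per section.
    pub sections: Vec<(u32, u32, bool)>,
}

/// One committed region of the process address space.
#[derive(Debug, Clone, Copy)]
pub struct Region {
    pub base: u64,
    pub size: u64,
    /// Backed by a mapped image file (MEM_IMAGE) rather than private memory.
    pub is_image: bool,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Indicator {
    MainImageUnmapped,
    PeHeaderMismatch,
    EntryPointOutsideCode,
}

/// True if no image-backed region covers the address the loader reported
/// as the main module's image base (the image was unmapped or replaced).
pub fn main_image_unmapped(regions: &[Region], image_base: u64) -> bool {
    !regions
        .iter()
        .any(|r| r.is_image && r.base <= image_base && image_base < r.base + r.size)
}

/// True if the entry point RVA does not fall inside an executable section.
pub fn entry_point_outside_code(pe: &PeInfo) -> bool {
    !pe.sections.iter().any(|&(va, vsize, exec)| {
        exec && va <= pe.entry_point_rva && pe.entry_point_rva < va + vsize
    })
}

/// Evaluate the three indicators. `on_disk` is parsed from the file the
/// process claims to be, `in_memory` from the headers at its image base.
pub fn hollowing_indicators(regions: &[Region], on_disk: &PeInfo, in_memory: &PeInfo) -> Vec<Indicator> {
    let mut found = Vec::new();
    if main_image_unmapped(regions, on_disk.image_base) {
        found.push(Indicator::MainImageUnmapped);
    }
    if on_disk != in_memory {
        found.push(Indicator::PeHeaderMismatch);
    }
    if entry_point_outside_code(in_memory) {
        found.push(Indicator::EntryPointOutsideCode);
    }
    found
}

/// Constructed on-disk header of a small 64-bit executable.
pub fn disk_header() -> PeInfo {
    PeInfo {
        image_base: 0x1_4000_0000,
        size_of_image: 0x7000,
        entry_point_rva: 0x1200,
        sections: vec![(0x1000, 0x3000, true), (0x4000, 0x1000, false), (0x5000, 0x2000, false)],
    }
}

/// Constructed process whose image is still mapped and unchanged.
pub fn healthy_process() -> (Vec<Region>, PeInfo) {
    let regions = vec![
        Region { base: 0x1_4000_0000, size: 0x7000, is_image: true },
        Region { base: 0x2_0000_0000, size: 0x10_0000, is_image: false }, // heap
    ];
    (regions, disk_header())
}

/// Constructed hollowed process: the original image was unmapped, private
/// memory was committed at the same base, and the headers written there
/// point the entry point outside every executable section.
pub fn hollowed_process() -> (Vec<Region>, PeInfo) {
    let regions = vec![
        Region { base: 0x1_4000_0000, size: 0x2_0000, is_image: false },
        Region { base: 0x2_0000_0000, size: 0x10_0000, is_image: false },
    ];
    let in_memory = PeInfo {
        image_base: 0x1_4000_0000,
        size_of_image: 0x2_0000,
        entry_point_rva: 0x1_8000,
        sections: vec![(0x1000, 0x4000, true), (0x5000, 0x1_b000, false)],
    };
    (regions, in_memory)
}

fn main() {
    let (regions, in_mem) = hollowed_process();
    println!("{:?}", hollowing_indicators(&regions, &disk_header(), &in_mem));
}
```

The on-disk header is the reference: a legitimate process keeps its headers identical to the file and its entry point inside `.text`, so all three checks stay quiet, while the hollowed model trips every one of them. In a real engine the `PeInfo` values would come from a PE parser over the file and over memory read from the target.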
## Defense Evasion (TA0005)
### T1027 - Obfuscated Files or Information
- **Detection**: Entropy analysis in shellcode detector
- **Indicators**:
  - High entropy regions (>7.0 Shannon entropy)
  - Encrypted/packed code patterns
- **Confidence**: Medium (0.6-0.8)
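The entropy check behind this technique and the "high entropy executable regions" indicator under T1055.002, as an added example rather than the project's `shellcode.rs`: Shannon entropy in bits per byte, scored per fixed-size window so a packed payload embedded in a larger, mostly plain region still crosses the 7.0 threshold. The window size, the xorshift generator and the sample buffer are constructed for this example.

```rust
// Added example, not Ghost's shellcode.rs: Shannon entropy with the 7.0
// bits/byte threshold from the coverage doc, applied per window. The window
// size and sample buffers are constructed for this example.

/// Shannon entropy of `data` in bits per byte: 0.0 for empty or constant
/// input, 8.0 for a perfectly uniform byte distribution.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0u32; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Threshold from the coverage doc: above 7.0 bits/byte the bytes look
/// encrypted or packed rather than like ordinary code or data.
pub const ENTROPY_THRESHOLD: f64 = 7.0;

/// Split `region` into `window`-byte chunks and return (offset, entropy)
/// for every chunk above the threshold. A trailing partial chunk is scored too.
pub fn high_entropy_windows(region: &[u8], window: usize) -> Vec<(usize, f64)> {
    region
        .chunks(window)
        .enumerate()
        .map(|(i, chunk)| (i * window, shannon_entropy(chunk)))
        .filter(|&(_, e)| e > ENTROPY_THRESHOLD)
        .collect()
}

/// Deterministic pseudo-random bytes (xorshift64) standing in for an
/// encrypted payload; constructed, not captured from any sample.
pub fn pseudo_random_bytes(len: usize, mut seed: u64) -> Vec<u8> {
    (0..len)
        .map(|_| {
            seed ^= seed << 13;
            seed ^= seed >> 7;
            seed ^= seed << 17;
            (seed >> 56) as u8
        })
        .collect()
}

/// Constructed region: 4 KiB of ASCII text followed by 4 KiB of
/// pseudo-random bytes, modelling a packed payload behind plain data.
pub fn sample_region() -> Vec<u8> {
    let text = b"Ghost coverage matrix: low entropy text block. ";
    let mut region: Vec<u8> = text.iter().cycle().take(4096).copied().collect();
    region.extend(pseudo_random_bytes(4096, 0x9E37_79B9_7F4A_7C15));
    region
}

fn main() {
    for (off, e) in high_entropy_windows(&sample_region(), 1024) {
        println!("window at {off:#x}: {e:.2} bits/byte");
    }
}
```

Scoring whole regions would dilute a small payload inside a large allocation; 1 KiB windows keep the signal localized, at the cost that a window of ordinary compressed resources (images, fonts) also scores high, which is why the document rates this indicator Medium rather than High on its own.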
### T1055 - Process Injection (General)
- **Detection**: Multi-layered approach across all modules
- **Indicators**: Combination of all injection-specific indicators
- **Confidence**: Varies by technique
### T1036 - Masquerading
- **Detection**: Process metadata analysis
- **Indicators**:
  - Process name/path mismatches
  - Suspicious parent-child relationships
- **Confidence**: Low-Medium (0.3-0.6)
## Execution (TA0002)
### T1106 - Native API
- **Detection**: Memory pattern analysis, syscall indicators
- **Indicators**:
  - Direct syscall usage patterns
  - Unusual API call sequences
- **Confidence**: Medium (0.5-0.7)
### T1055 - Process Injection
- **Detection**: Primary focus of Ghost detection engine
- **Coverage**: Comprehensive across all sub-techniques
## Detection Methodology
### Heuristic Analysis
1. **Memory Layout Analysis**
   - RWX region detection
   - Memory gap analysis
   - Region size anomalies
2. **Behavioral Patterns**
   - Thread creation patterns
   - Hook installation monitoring
   - Process lifecycle anomalies
3. **Signature Matching**
   - Known shellcode patterns
   - Malware family signatures
   - API usage fingerprints
### Confidence Scoring
- **0.9-1.0**: Very High - Multiple strong indicators
- **0.7-0.8**: High - Clear malicious patterns
- **0.5-0.6**: Medium - Suspicious but may be legitimate
- **0.3-0.4**: Low - Anomalous but likely false positive
- **0.0-0.2**: Very Low - Minimal suspicious activity
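How per-indicator evidence can be folded into one confidence value and placed in the bands above, as an added example that is not the project's scoring code. The noisy-OR combination rule and the indicator weights are assumptions made for the example; the band thresholds are the lower bounds of the bands listed in this document.

```rust
// Added example, not Ghost's scoring code: noisy-OR combination of
// indicator weights, mapped onto the confidence bands from the coverage
// doc. The combination rule and the weights are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Band {
    VeryLow,
    Low,
    Medium,
    High,
    VeryHigh,
}

/// An observed indicator and how strongly it alone suggests malice (0..=1).
#[derive(Debug, Clone, Copy)]
pub struct Evidence {
    pub indicator: &'static str,
    pub weight: f64,
}

/// Noisy-OR: treat each indicator as an independent chance that the
/// activity is malicious, so the score is 1 minus the probability that every
/// indicator is a false alarm. Several medium indicators can reach a high
/// band together; a single weak indicator never does.
pub fn confidence(evidence: &[Evidence]) -> f64 {
    let all_benign = evidence
        .iter()
        .map(|e| 1.0 - e.weight.clamp(0.0, 1.0))
        .product::<f64>();
    1.0 - all_benign
}

/// Map a score to its band, using each band's lower bound as the threshold.
pub fn band(score: f64) -> Band {
    match score {
        s if s >= 0.9 => Band::VeryHigh,
        s if s >= 0.7 => Band::High,
        s if s >= 0.5 => Band::Medium,
        s if s >= 0.3 => Band::Low,
        _ => Band::VeryLow,
    }
}

/// Constructed evidence: three indicators from the T1055.012 list firing.
pub fn hollowing_evidence() -> Vec<Evidence> {
    vec![
        Evidence { indicator: "main image unmapped", weight: 0.6 },
        Evidence { indicator: "PE header mismatch", weight: 0.5 },
        Evidence { indicator: "entry point outside code", weight: 0.4 },
    ]
}

/// Constructed evidence: a lone thread-count anomaly (T1055.003), which on
/// its own is often a busy but legitimate process.
pub fn thread_anomaly_evidence() -> Vec<Evidence> {
    vec![Evidence { indicator: "thread count anomaly", weight: 0.35 }]
}

fn main() {
    let cases = vec![
        ("hollowing", hollowing_evidence()),
        ("thread anomaly", thread_anomaly_evidence()),
    ];
    for (name, ev) in cases {
        let score = confidence(&ev);
        println!("{name}: {score:.2} -> {:?}", band(score));
    }
}
```

With these weights the three hollowing indicators together score 0.88 (High), while the single thread anomaly stays at 0.35 (Low), matching the document's intent that "anomalous but likely false positive" findings are not escalated without corroboration.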
## Coverage Matrix
| Technique | Detection Module | Implementation Status | Test Coverage |
|-----------|------------------|----------------------|---------------|
| T1055.001 | hooks.rs | ✅ Complete | ✅ Tested |
| T1055.002 | shellcode.rs | ✅ Complete | ✅ Tested |
| T1055.003 | thread.rs | ✅ Complete | ✅ Tested |
| T1055.004 | detection.rs | ⚠️ Partial | ✅ Tested |
| T1055.012 | hollowing.rs | ✅ Complete | ✅ Tested |
| T1027 | shellcode.rs | ✅ Complete | ✅ Tested |
| T1036 | process.rs | ⚠️ Partial | ❌ Pending |
| T1106 | detection.rs | ⚠️ Basic | ❌ Pending |
## Future Enhancements
### High Priority
- **T1055.008** - Ptrace System Calls (Linux)
- **T1055.009** - Proc Memory (Linux)
- **T1055.013** - Process Doppelgänging
- **T1055.014** - VDSO Hijacking (Linux)
### Medium Priority
- **T1134** - Access Token Manipulation
- **T1548.002** - Bypass User Account Control
- **T1562.001** - Disable or Modify Tools
### Research Areas
- Machine learning-based anomaly detection
- Graph analysis of process relationships
- Timeline analysis for attack progression
- Integration with threat intelligence feeds
## References
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [Process Injection Techniques](https://attack.mitre.org/techniques/T1055/)
- [Windows Process Injection Research](https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process)
- [Linux Process Injection](https://blog.sektor7.net/#!res/2018/pure-in-memory-linux.md)
---
*Coverage updated: November 2024*
*Next review: December 2024*