6.5 KiB
6.5 KiB
MITRE ATT&CK Detection Coverage
Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques.
Process Injection (T1055)
T1055.001 - Dynamic-link Library Injection
- Detection: Hook-based injection detection (
hooks.rs) - Indicators:
- SetWindowsHookEx API monitoring
- Suspicious DLL loading patterns
- Global hook chain analysis
- Confidence: High (0.8-0.9)
T1055.002 - Portable Executable Injection
- Detection: Shellcode pattern detection (
shellcode.rs) - Indicators:
- PE headers in private memory regions
- Meterpreter payload signatures
- High entropy executable regions
- Confidence: High (0.7-0.9)
T1055.003 - Thread Execution Hijacking
- Detection: Thread analysis (
thread.rs,detection.rs) - Indicators:
- Threads with unusual start addresses
- High ratio of recently created threads
- Thread count anomalies
- Confidence: Medium (0.5-0.7)
T1055.004 - Asynchronous Procedure Call
- Detection: Memory pattern analysis
- Indicators:
- Suspicious memory layout changes
- RWX region proliferation
- Thread creation spikes
- Confidence: Medium (0.4-0.6)
T1055.012 - Process Hollowing
- Detection: Comprehensive hollowing detection (
hollowing.rs) - Indicators:
- Unmapped main executable image
- Suspicious memory gaps (>16MB)
- PE header validation (DOS/NT signatures)
- Image base mismatches
- Corrupted PE structures
- Unusual entry point locations
- Memory layout anomalies
- Confidence: Very High (0.8-1.0)
Defense Evasion (TA0005)
T1027 - Obfuscated Files or Information
- Detection: Entropy analysis in shellcode detector
- Indicators:
- High entropy regions (>7.0 Shannon entropy)
- Encrypted/packed code patterns
- Confidence: Medium (0.6-0.8)
T1055 - Process Injection (General)
- Detection: Multi-layered approach across all modules
- Indicators: Combination of all injection-specific indicators
- Confidence: Varies by technique
T1036 - Masquerading
- Detection: Process metadata analysis
- Indicators:
- Process name/path mismatches
- Suspicious parent-child relationships
- Confidence: Low-Medium (0.3-0.6)
Execution (TA0002)
T1106 - Native API
- Detection: Memory pattern analysis, syscall indicators
- Indicators:
- Direct syscall usage patterns
- Unusual API call sequences
- Confidence: Medium (0.5-0.7)
T1055 - Process Injection
- Detection: Primary focus of Ghost detection engine
- Coverage: Comprehensive across all sub-techniques
Detection Methodology
Heuristic Analysis
-
Memory Layout Analysis
- RWX region detection
- Memory gap analysis
- Region size anomalies
-
Behavioral Patterns
- Thread creation patterns
- Hook installation monitoring
- Process lifecycle anomalies
-
Signature Matching
- Known shellcode patterns
- Malware family signatures
- API usage fingerprints
Confidence Scoring
- 0.9-1.0: Very High - Multiple strong indicators
- 0.7-0.8: High - Clear malicious patterns
- 0.5-0.6: Medium - Suspicious but may be legitimate
- 0.3-0.4: Low - Anomalous but likely false positive
- 0.0-0.2: Very Low - Minimal suspicious activity
Coverage Matrix
| Technique | Detection Module | Implementation Status | Test Coverage |
|---|---|---|---|
| T1055.001 | hooks.rs | ✅ Inline hooks + Linux LD_PRELOAD | ❌ Basic |
| T1055.002 | shellcode.rs | ⚠️ Heuristic only | ✅ Basic |
| T1055.003 | thread.rs | ✅ Thread enumeration | ✅ Unit tests |
| T1055.004 | detection.rs | ⚠️ Heuristic only | ✅ Basic |
| T1055.012 | hollowing.rs | ✅ PE header validation | ❌ Pending |
| T1027 | shellcode.rs | ⚠️ Basic patterns | ❌ Pending |
| T1036 | process.rs | ❌ Not implemented | ❌ Pending |
| T1106 | detection.rs | ❌ Not implemented | ❌ Pending |
Implementation Status Legend:
- ✅ Complete: Full implementation with actual API calls
- ⚠️ Partial: Heuristic-based or incomplete implementation
- ❌ Not implemented: Placeholder or missing
Current Implementation Details
What's Actually Implemented
-
Memory Analysis (memory.rs)
- Windows: VirtualQueryEx, ReadProcessMemory
- Linux: /proc/[pid]/maps parsing, /proc/[pid]/mem reading
- macOS: Not implemented
-
Thread Analysis (thread.rs)
- Windows: Thread32First/Next, NtQueryInformationThread, GetThreadTimes
- Linux: /proc/[pid]/task enumeration, stat parsing
- macOS: Not implemented
-
Hook Detection (hooks.rs)
- Windows: Inline hook detection via JMP pattern scanning
- Linux: LD_PRELOAD detection, LD_LIBRARY_PATH monitoring, ptrace detection
- Detects suspicious library loading from /tmp/, /dev/shm/, etc.
- Does NOT enumerate SetWindowsHookEx chains on Windows
- No IAT/EAT hook scanning (pattern detection only)
-
Process Hollowing Detection (hollowing.rs)
- Windows: Full PE header validation (DOS/NT signatures, image base)
- Detects corrupted PE structures
- Detects image base mismatches
- Memory layout anomaly detection
- Memory gap analysis
-
Process Enumeration (process.rs)
- Windows: CreateToolhelp32Snapshot
- Linux: /proc filesystem
- macOS: sysctl KERN_PROC_ALL
What's NOT Implemented
- Actual shellcode signature database
- Entropy analysis for obfuscation detection
- SetWindowsHookEx chain parsing (Windows)
- APC injection detection
- MITRE ATT&CK technique attribution (framework only)
- process_vm_writev monitoring (Linux)
Future Enhancements
High Priority
- T1055.008 - Ptrace System Calls (Linux) - ✅ Basic detection implemented
- T1055.013 - Process Doppelgänging
- T1055.014 - VDSO Hijacking (Linux)
- Shellcode signature database
Medium Priority
- T1134 - Access Token Manipulation
- SetWindowsHookEx chain enumeration
- IAT/EAT hook scanning
- LD_PRELOAD detection (Linux) - ✅ Implemented
Research Areas
- Behavioral analysis over time
- Process relationship analysis
- Integration with threat intelligence feeds
References
- MITRE ATT&CK Framework
- Process Injection Techniques
- Windows Process Injection Research
- Linux Process Injection
Coverage updated: November 2024
Next review: December 2024