From cbbd68fa55cbc299baa2618b581f00171f0c016d Mon Sep 17 00:00:00 2001 From: Adir Shitrit Date: Sat, 8 Nov 2025 11:19:11 +0200 Subject: [PATCH] docs: add comprehensive MITRE ATT&CK technique mapping --- docs/MITRE_ATTACK_COVERAGE.md | 150 ++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 docs/MITRE_ATTACK_COVERAGE.md diff --git a/docs/MITRE_ATTACK_COVERAGE.md b/docs/MITRE_ATTACK_COVERAGE.md new file mode 100644 index 0000000..cd26d00 --- /dev/null +++ b/docs/MITRE_ATTACK_COVERAGE.md 
@@ -0,0 +1,150 @@ +# MITRE ATT&CK Detection Coverage + +Ghost detection engine coverage mapped to MITRE ATT&CK framework techniques. + +## Process Injection (T1055) + +### T1055.001 - Dynamic-link Library Injection +- **Detection**: Hook-based injection detection (`hooks.rs`) +- **Indicators**: + - SetWindowsHookEx API monitoring + - Suspicious DLL loading patterns + - Global hook chain analysis +- **Confidence**: High (0.8-0.9) + +### T1055.002 - Portable Executable Injection +- **Detection**: Shellcode pattern detection (`shellcode.rs`) +- **Indicators**: + - PE headers in private memory regions + - Meterpreter payload signatures + - High entropy executable regions +- **Confidence**: High (0.7-0.9) + +### T1055.003 - Thread Execution Hijacking +- **Detection**: Thread analysis (`thread.rs`, `detection.rs`) +- **Indicators**: + - Threads with unusual start addresses + - High ratio of recently created threads + - Thread count anomalies +- **Confidence**: Medium (0.5-0.7) + +### T1055.004 - Asynchronous Procedure Call +- **Detection**: Memory pattern analysis +- **Indicators**: + - Suspicious memory layout changes + - RWX region proliferation + - Thread creation spikes +- **Confidence**: Medium (0.4-0.6) + +### T1055.012 - Process Hollowing +- **Detection**: Comprehensive hollowing detection (`hollowing.rs`) +- **Indicators**: + - Unmapped main executable image + - Suspicious memory gaps (>16MB) + - PE header mismatches + - Unusual entry point locations + - Memory layout anomalies +- **Confidence**: Very High (0.8-1.0) + +## Defense Evasion (TA0005) + +### T1027 - Obfuscated Files or Information +- **Detection**: Entropy analysis in shellcode detector +- **Indicators**: + - High entropy regions (>7.0 Shannon entropy) + - Encrypted/packed code patterns +- **Confidence**: Medium (0.6-0.8) + +### T1055 - Process Injection (General) +- **Detection**: Multi-layered approach across all modules +- **Indicators**: Combination of all injection-specific indicators +- 
**Confidence**: Varies by technique + +### T1036 - Masquerading +- **Detection**: Process metadata analysis +- **Indicators**: + - Process name/path mismatches + - Suspicious parent-child relationships +- **Confidence**: Low-Medium (0.3-0.6) + +## Execution (TA0002) + +### T1106 - Native API +- **Detection**: Memory pattern analysis, syscall indicators +- **Indicators**: + - Direct syscall usage patterns + - Unusual API call sequences +- **Confidence**: Medium (0.5-0.7) + +### T1055 - Process Injection +- **Detection**: Primary focus of Ghost detection engine +- **Coverage**: Comprehensive across all sub-techniques + +## Detection Methodology + +### Heuristic Analysis +1. **Memory Layout Analysis** + - RWX region detection + - Memory gap analysis + - Region size anomalies + +2. **Behavioral Patterns** + - Thread creation patterns + - Hook installation monitoring + - Process lifecycle anomalies + +3. **Signature Matching** + - Known shellcode patterns + - Malware family signatures + - API usage fingerprints + +### Confidence Scoring +- **0.9-1.0**: Very High - Multiple strong indicators +- **0.7-0.8**: High - Clear malicious patterns +- **0.5-0.6**: Medium - Suspicious but may be legitimate +- **0.3-0.4**: Low - Anomalous but likely false positive +- **0.0-0.2**: Very Low - Minimal suspicious activity + +## Coverage Matrix + +| Technique | Detection Module | Implementation Status | Test Coverage | +|-----------|------------------|----------------------|---------------| +| T1055.001 | hooks.rs | ✅ Complete | ✅ Tested | +| T1055.002 | shellcode.rs | ✅ Complete | ✅ Tested | +| T1055.003 | thread.rs | ✅ Complete | ✅ Tested | +| T1055.004 | detection.rs | ⚠️ Partial | ✅ Tested | +| T1055.012 | hollowing.rs | ✅ Complete | ✅ Tested | +| T1027 | shellcode.rs | ✅ Complete | ✅ Tested | +| T1036 | process.rs | ⚠️ Partial | ❌ Pending | +| T1106 | detection.rs | ⚠️ Basic | ❌ Pending | + +## Future Enhancements + +### High Priority +- **T1055.008** - Ptrace System Calls (Linux) 
+- **T1055.009** - Proc Memory (Linux) +- **T1055.013** - Process Doppelgänging +- **T1055.014** - VDSO Hijacking (Linux) + +### Medium Priority +- **T1134** - Access Token Manipulation +- **T1548.002** - Bypass User Account Control +- **T1562.001** - Disable or Modify Tools + +### Research Areas +- Machine learning-based anomaly detection +- Graph analysis of process relationships +- Timeline analysis for attack progression +- Integration with threat intelligence feeds + +## References + +- [MITRE ATT&CK Framework](https://attack.mitre.org/) +- [Process Injection Techniques](https://attack.mitre.org/techniques/T1055/) +- [Windows Process Injection Research](https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process) +- [Linux Process Injection](https://blog.sektor7.net/#!res/2018/pure-in-memory-linux.md) + +--- + +*Coverage updated: November 2024* +*Next review: December 2024* \ No newline at end of file
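Review bot: The per-technique confidence ranges in the T1055 and Defense Evasion sections do not line up with the scale defined under "Confidence Scoring" in the same file. The scale gives discrete bands (`- **0.9-1.0**: Very High - Multiple strong indicators`, `- **0.7-0.8**: High - Clear malicious patterns`, `- **0.5-0.6**: Medium - Suspicious but may be legitimate`), yet T1055.001 is labelled `High (0.8-0.9)`, T1055.012 `Very High (0.8-1.0)`, T1055.004 `Medium (0.4-0.6)`, T1027 `Medium (0.6-0.8)` and T1036 `Low-Medium (0.3-0.6)`, each straddling two bands, and the bands themselves leave gaps (0.8-0.9, 0.6-0.7 and so on are unassigned). Either widen the band definitions to cover the full 0.0-1.0 range without gaps and restate each technique's range so it falls inside one band, or drop the numeric ranges from the technique entries and keep only the label. Two smaller points in the same hunk: T1055 is listed three times (the sub-technique section, "T1055 - Process Injection (General)" under Defense Evasion, and again under Execution (TA0002)); ATT&CK assigns T1055 to Defense Evasion and Privilege Escalation rather than Execution, so the Execution entry should be folded into the general entry or replaced with the Privilege Escalation tactic. The footer `*Coverage updated: November 2024*` / `*Next review: December 2024*` is a year behind the commit date (8 Nov 2025) and the "next review" is already in the past; update both, and add the missing trailing newline flagged by `\ No newline at end of file`.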