
/// Legitimate Windows process names commonly masqueraded by attackers.
///
/// Every entry is stored in lowercase and is a bare image name, not a path.
/// Most entries carry their `.exe` extension; `system` and `registry` are
/// listed without one, so callers comparing against this slice directly must
/// use the name exactly as it appears in a process listing. Prefer
/// [`is_masquerade_target`], which folds ASCII case, over a raw `contains`.
///
/// A hit on this list only means a process *claims* one of these names.
/// Whether it is actually masquerading has to be decided from evidence this
/// catalog does not carry (e.g. image path, parent process, signer).
pub const WINDOWS_MASQUERADE_TARGETS: &[&str] = &[
    "svchost.exe",
    "lsass.exe",
    "csrss.exe",
    "spoolsv.exe",
    "dllhost.exe",
    "conhost.exe",
    "wermgr.exe",
    "services.exe",
    "winlogon.exe",
    "smss.exe",
    "taskhost.exe",
    "taskhostw.exe",
    "explorer.exe",
    "system",
    "registry",
];
/// Well-known malware / offensive-tool process names.
///
/// Entries are lowercase bare names without a file extension, so a direct
/// `contains` on this slice will not match a Windows image name such as
/// `mimikatz.exe`; use [`is_known_malware_process`] for lookups.
///
/// Several entries (`beacon`, `brute`, `empire`, `frp`) are short generic
/// words that may collide with benign software names. Treat a hit as a lead
/// to triage rather than a verdict, and keep lookups exact (never substring)
/// so these short entries do not fire on unrelated binaries.
pub const KNOWN_MALWARE_PROCESS_NAMES: &[&str] = &[
    "xmrig",
    "mimikatz",
    "meterpreter",
    "beacon",
    "empire",
    "cobaltstrike",
    "ngrok",
    "frp",
    "chisel",
    "ligolo",
    "sliver",
    "havoc",
    "brute",
    "pwncat",
    "reptile",
    "diamorphine",
];
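/// Returns `true` if `name` is a high-value masquerade target (case-insensitive).
///
/// `name` must be the bare image name (e.g. `svchost.exe`), not a path: the
/// comparison is an exact, ASCII-case-insensitive match against
/// [`WINDOWS_MASQUERADE_TARGETS`], so `C:\Windows\System32\svchost.exe`,
/// the lookalike `svch0st.exe`, or a name with surrounding whitespace all
/// return `false`. Only ASCII case is folded; non-ASCII homoglyphs are not
/// normalised. The empty string never matches.
///
/// A `true` result means the process *claims* a legitimate system name. That
/// is not by itself evidence of masquerading — the caller must still compare
/// image path, parent process or signer against what is expected for that
/// name.
pub fn is_masquerade_target(name: &str) -> bool {
    // Fold case byte-wise on both sides without allocating a lowercase copy of
    // every catalog entry per call; the result is identical to comparing the
    // two `to_ascii_lowercase()` forms.
    WINDOWS_MASQUERADE_TARGETS
        .iter()
        .any(|target| target.eq_ignore_ascii_case(name))
}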
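/// Returns `true` if `name` matches a known malware process name (case-insensitive).
///
/// `name` is compared as a bare process name: a single trailing `.exe`
/// (any ASCII case) is ignored so that a Windows image name such as
/// `Mimikatz.exe` matches the extension-less entries in
/// [`KNOWN_MALWARE_PROCESS_NAMES`]. Anything else — a directory prefix, a
/// different extension, or a longer name such as `xmrig-linux` — does not
/// match. The check is exact rather than substring so that short catalog
/// entries like `beacon` or `brute` do not fire on unrelated binaries. The
/// empty string (and a bare `.exe`) never match.
///
/// A hit is an indicator worth triaging, not a verdict, and a `false` result
/// says nothing: attackers rename tooling freely.
pub fn is_known_malware_process(name: &str) -> bool {
    // Windows process listings carry the image extension while the catalog
    // does not, so strip exactly one trailing `.exe` before comparing. If the
    // last four bytes are `.exe` (case-folded), the byte at `cut` is an ASCII
    // '.', hence a valid char boundary and `&name[..cut]` cannot panic.
    let bytes = name.as_bytes();
    let stem = match bytes.len().checked_sub(4) {
        Some(cut) if bytes[cut..].eq_ignore_ascii_case(b".exe") => &name[..cut],
        _ => name,
    };
    KNOWN_MALWARE_PROCESS_NAMES
        .iter()
        .any(|known| known.eq_ignore_ascii_case(stem))
}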
#[cfg(test)]
mod tests {
    use super::*;

    /// The curated catalogs must keep carrying their anchor entries.
    #[test]
    fn catalogs_carry_expected_entries() {
        let masquerade_expected: &[&str] = &["svchost.exe", "lsass.exe"];
        for expected in masquerade_expected.iter() {
            assert!(
                WINDOWS_MASQUERADE_TARGETS.contains(expected),
                "masquerade catalog is missing {}",
                expected
            );
        }

        let malware_expected: &[&str] = &["mimikatz", "xmrig"];
        for expected in malware_expected.iter() {
            assert!(
                KNOWN_MALWARE_PROCESS_NAMES.contains(expected),
                "malware catalog is missing {}",
                expected
            );
        }
    }

    /// Masquerade lookups fold ASCII case and reject unknown or empty names.
    #[test]
    fn masquerade_lookup_folds_case_and_stays_exact() {
        let cases: &[(&str, bool)] = &[
            ("svchost.exe", true),
            ("LSASS.EXE", true),
            ("Explorer.exe", true),
            ("mygame.exe", false),
            ("", false),
        ];
        for &(input, expected) in cases.iter() {
            assert_eq!(
                is_masquerade_target(input),
                expected,
                "is_masquerade_target({:?})",
                input
            );
        }
    }

    /// Malware-name lookups fold ASCII case and reject unknown or empty names.
    #[test]
    fn malware_lookup_folds_case_and_stays_exact() {
        let cases: &[(&str, bool)] = &[
            ("mimikatz", true),
            ("METERPRETER", true),
            ("beacon", true),
            ("chrome", false),
            ("", false),
        ];
        for &(input, expected) in cases.iter() {
            assert_eq!(
                is_known_malware_process(input),
                expected,
                "is_known_malware_process({:?})",
                input
            );
        }
    }
}