Implement initial detection and data structures for suspicious artifacts

internal/pkg/hunt/detect/processes/processes.go

@@ -0,0 +1,75 @@
+package processes
+
+import (
+	"fmt"
+	"rmm-hunter/internal/pkg/hunt/detect/common"
+	. "rmm-hunter/internal/suspicious"
+	"strings"
+
+	"github.com/Kraken-OffSec/Scurvy/core/process"
+)
+
+func Detect() []Process {
+	fmt.Printf("[*] Enumerating Processes \n")
+
+	processes, err := process.Processes()
+	if err != nil {
+		fmt.Printf("[-] Error enumerating processes: %s\n", err.Error())
+		return []Process{}
+	}
+
+	fmt.Printf("   [>] Dispositioning %d Processes\n", len(processes))
+
+	return compareProcesses(processes)
+}
+
+func compareProcesses(processes []process.Process) []Process {
+	var suspiciousProcesses []Process
+
+	for _, proc := range processes {
+		procName := proc.Executable()
+		procNameLower := strings.ToLower(procName)
+
+		// Get full executable path if available
+		var fullPath string
+		if proc.Path() != "" {
+			fullPath = proc.Path()
+		}
+
+		// Check against known RMMs
+		isRMMMatch := false
+		for _, rmm := range common.CommonRMMs {
+			rmmLower := strings.ToLower(rmm)
+			if strings.Contains(procNameLower, rmmLower) {
+				isRMMMatch = true
+				break
+			}
+		}
+
+		// Check for suspicious path
+		isPathSuspicious := false
+		pathReason := ""
+		if fullPath != "" {
+			isPathSuspicious, pathReason = common.AnalyzeExecutablePath(fullPath)
+		}
+
+		if isRMMMatch || isPathSuspicious {
+			args := ""
+			if isPathSuspicious {
+				args = fmt.Sprintf("[%s]", pathReason)
+			}
+
+			fmt.Printf("      [?] Found %s\n", procName)
+			suspiciousProcesses = append(suspiciousProcesses, Process{
+				Name: procName,
+				PID:  proc.Pid(),
+				PPID: proc.PPid(),
+				Path: fullPath,
+				Args: args,
+			})
+		}
+	}
+
+	fmt.Printf("[+] Found %d Suspicious Processes\n", len(suspiciousProcesses))
+	return suspiciousProcesses
+}