diff --git a/Modules/methodology.py b/Modules/methodology.py
index befe3e1..d2bcddb 100644
--- a/Modules/methodology.py
+++ b/Modules/methodology.py
@@ -1,19 +1,19 @@
 def get_methodology_content():
 """
- Returns the content for the Methodology page.
+ Returns structured content for the Methodology page with sections containing resources.
 """
 return [
- {
- "title": "Baseline",
- "description": "Baseline configurations here.",
- "link": "https://docs.google.com/spreadsheets/d/1s2ggAq69Z5UcZen1Q-o8gBHBv6UiJHaeFW3QwtTLnq4/edit?usp=sharing"
- },
- {
- "title": "MITRE TIE",
- "description": "The Technique Inference Engine (TIE) suggests techniques an adversary is likely to have used based on a set of observed techniques.",
- "link": "https://center-for-threat-informed-defense.github.io/technique-inference-engine/#/"
- },
- {
+ {
+ "title": "Baseline",
+ "description": "Baseline configurations here.",
+ "link": "https://docs.google.com/spreadsheets/d/1s2ggAq69Z5UcZen1Q-o8gBHBv6UiJHaeFW3QwtTLnq4/edit?usp=sharing",
+ },
+ {
+ "title": "MITRE TIE",
+ "description": "The Technique Inference Engine (TIE) suggests techniques an adversary is likely to have used based on a set of observed techniques.",
+ "link": "https://center-for-threat-informed-defense.github.io/technique-inference-engine/#/",
+ },
+ {
 "title": "Linux Basics",
 "content": """
 - Understand typical file paths and permission settings.
@@ -25,8 +25,9 @@ def get_methodology_content():
 - Check for hidden files and directories using `find / -type f -name ".*"`.
 """,
 "resources": [
- {"name": "Linux.org", "url": "https://www.linux.org/"},
- {"name": "Cyberciti.biz", "url": "https://www.cyberciti.biz/"}
+ "https://www.linux.org/",
+ "https://www.cyberciti.biz/",
+ "https://www.linuxsecurity.com/"
 ]
 },
 {
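Review bot: The list this function returns now mixes two record shapes — the first two entries ("Baseline", "MITRE TIE") carry `description`/`link`, while the Linux and Windows entries and the six sections added in the third hunk carry `content`/`resources` — so the new docstring's claim that sections contain resources does not hold for every item, and a consumer doing `section["resources"]` or `section["content"]` will raise KeyError on the first two. The `resources` items also change from `{"name", "url"}` dicts to bare URL strings here and in the next two hunks, which silently breaks any template that still reads `resource["name"]`; unless the renderer is updated in the same commit this surfaces only at render time. Either give the first two entries a `content`/`resources` pair as well, or state both shapes in the docstring, e.g. `Entries are either {"title", "description", "link"} or {"title", "content", "resources"}; resources are plain URL strings.` The "Baseline" description is still the placeholder text `"Baseline configurations here."`.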
@@ -43,8 +44,74 @@ def get_methodology_content():
 - C:\\windows\\system32: Exe files are not usually stored here.
 """,
 "resources": [
- {"name": "Microsoft Security", "url": "https://www.microsoft.com/en-us/security"},
- {"name": "MITRE ATT&CK", "url": "https://attack.mitre.org/"}
+ "https://www.microsoft.com/en-us/security",
+ "https://attack.mitre.org/",
+ "https://learn.microsoft.com/en-us/sysinternals/"
+ ]
+ },
+ {
+ "title": "Time of Incident",
+ "content": """
+- SIEM/IDS/AV alert
+- 3rd Party Notification
+ """,
+ "resources": [
+ "https://www.splunk.com/",
+ "https://owasp.org/www-project-intrusion-detection-systems/"
+ ]
+ },
+ {
+ "title": "Network Activity",
+ "content": """
+- Malicious URLs accessed
+- DNS requests for bad domains
+ """,
+ "resources": [
+ "https://www.virustotal.com/gui/home/url",
+ "https://www.cloudflare.com/dns/"
+ ]
+ },
+ {
+ "title": "Process Activity",
+ "content": """
+- Running process related to incident
+- DLL injection detected
+ """,
+ "resources": [
+ "https://processhacker.sourceforge.io/",
+ "https://www.sciencedirect.com/topics/computer-science/dll-injection"
+ ]
+ },
+ {
+ "title": "Name of a File",
+ "content": """
+- File name of interest (e.g., p.exe, r1.exe)
+- File type of interest (e.g., .rar, .py, .ps1)
+ """,
+ "resources": [
+ "https://fileinfo.com/",
+ "https://www.hybrid-analysis.com/"
+ ]
+ },
+ {
+ "title": "User Account Activity",
+ "content": """
+- Identify suspicious user account activity
+ """,
+ "resources": [
+ "https://docs.microsoft.com/en-us/windows/security/identity-protection/",
+ "https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/"
+ ]
+ },
+ {
+ "title": "Other Activity",
+ "content": """
+- Lateral Movement (Event Logs + File Copy & Execution)
+- Anti-Forensics (Wiper download, wiper execution)
+ """,
+ "resources": [
+ "https://attack.mitre.org/tactics/TA0008/",
+ "https://www.mandiant.com/resources/anti-forensic-tactics"
 ]
 }
- ]
\ No newline at end of file
+ ]