def get_methodology_content():
    """Return the sections shown on the Methodology page.

    Each section is a dict carrying a ``title`` plus one of two shapes:
    a short ``description`` with an external ``link``, or a free-text
    ``content`` block (bulleted investigative guidance, rendered as-is)
    with a ``resources`` list of ``name``/``url`` pairs.

    Returns:
        A list of four section dicts in display order: Baseline,
        MITRE TIE, Linux Basics, Windows Basics.
    """
    # NOTE(review): the Baseline link is an ``edit?usp=sharing`` Google
    # Sheets URL; confirm the sheet's sharing scope matches the intended
    # audience of this page before it is published more widely.
    baseline = dict(
        title="Baseline",
        description="Baseline configurations here.",
        link="https://docs.google.com/spreadsheets/d/1s2ggAq69Z5UcZen1Q-o8gBHBv6UiJHaeFW3QwtTLnq4/edit?usp=sharing",
    )

    tie = dict(
        title="MITRE TIE",
        description=(
            "The Technique Inference Engine (TIE) suggests techniques an "
            "adversary is likely to have used based on a set of observed "
            "techniques."
        ),
        link="https://center-for-threat-informed-defense.github.io/technique-inference-engine/#/",
    )

    # Host-triage checklist for Linux: persistence (cron), privilege
    # escalation surface (SUID/SGID), shell history and auth logs.
    linux_basics = dict(
        title="Linux Basics",
        content="""
            - Understand typical file paths and permission settings.
            - Monitor unexpected or unplanned cron jobs.
            - Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
            - Look for rogue or uncommon processes running as root.
            - Analyze .bash_history for suspicious commands.
            - Investigate `/var/log/auth.log` for failed or unauthorized access.
            - Check for hidden files and directories using `find / -type f -name ".*"`.
        """,
        resources=[
            dict(name="Linux.org", url="https://www.linux.org/"),
            dict(name="Cyberciti.biz", url="https://www.cyberciti.biz/"),
        ],
    )

    # Host-triage checklist for Windows: process lineage, suspicious
    # executable names/permissions and common staging locations.
    # The backslashes are doubled so the rendered text reads
    # ``C:\windows\system32``.
    windows_basics = dict(
        title="Windows Basics",
        content="""
            - Look for file extensions.
            - Initial access and lateral movement are the loudest.
            - Understand how PID and PPID relate.
            - Look for 1-2 character .exe (e.g., a.exe, ab.exe).
            - C2 exploits are native in 32-bit.
            - Files should not have read, write, and execute simultaneously - Should be RW- ro --X.
            - Know where attackers store files.
            - C:\\windows\\system32: Exe files are not usually stored here.
        """,
        resources=[
            dict(name="Microsoft Security", url="https://www.microsoft.com/en-us/security"),
            dict(name="MITRE ATT&CK", url="https://attack.mitre.org/"),
        ],
    )

    return [baseline, tie, linux_basics, windows_basics]