118 lines
4.1 KiB
Python
118 lines
4.1 KiB
Python
def get_methodology_content():
|
|
"""
|
|
Returns structured content for the Methodology page with sections containing resources.
|
|
"""
|
|
return [
|
|
{
|
|
"title": "Baseline",
|
|
"description": "Baseline configurations here.",
|
|
"link": "https://docs.google.com/spreadsheets/d/1s2ggAq69Z5UcZen1Q-o8gBHBv6UiJHaeFW3QwtTLnq4/edit?usp=sharing",
|
|
},
|
|
{
|
|
"title": "MITRE TIE",
|
|
"description": "The Technique Inference Engine (TIE) suggests techniques an adversary is likely to have used based on a set of observed techniques.",
|
|
"link": "https://center-for-threat-informed-defense.github.io/technique-inference-engine/#/",
|
|
},
|
|
{
|
|
"title": "Linux Basics",
|
|
"content": """
|
|
- Understand typical file paths and permission settings.
|
|
- Monitor unexpected or unplanned cron jobs.
|
|
- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
|
|
- Look for rogue or uncommon processes running as root.
|
|
- Analyze .bash_history for suspicious commands.
|
|
- Investigate `/var/log/auth.log` for failed or unauthorized access.
|
|
- Check for hidden files and directories using `find / -type f -name ".*"`.
|
|
""",
|
|
"resources": [
|
|
"https://www.linux.org/",
|
|
"https://www.cyberciti.biz/",
|
|
"https://www.linuxsecurity.com/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Windows Basics",
|
|
"content": """
|
|
- Look for file extensions.
|
|
- Initial access and lateral movement are the loudest.
|
|
- Understand how PID and PPID relate.
|
|
- Look for 1-2 character .exe (e.g., a.exe, ab.exe).
|
|
- C2 exploits are native in 32-bit.
|
|
- Files should not have read, write, and execute simultaneously
|
|
- Should be RW- ro --X.
|
|
- Know where attackers store files.
|
|
- C:\\windows\\system32: Exe files are not usually stored here.
|
|
""",
|
|
"resources": [
|
|
"https://www.microsoft.com/en-us/security",
|
|
"https://attack.mitre.org/",
|
|
"https://learn.microsoft.com/en-us/sysinternals/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Time of Incident",
|
|
"content": """
|
|
- SIEM/IDS/AV alert
|
|
- 3rd Party Notification
|
|
""",
|
|
"resources": [
|
|
"https://www.splunk.com/",
|
|
"https://owasp.org/www-project-intrusion-detection-systems/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Network Activity",
|
|
"content": """
|
|
- Malicious URLs accessed
|
|
- DNS requests for bad domains
|
|
""",
|
|
"resources": [
|
|
"https://www.virustotal.com/gui/home/url",
|
|
"https://www.cloudflare.com/dns/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Process Activity",
|
|
"content": """
|
|
- Running process related to incident
|
|
- DLL injection detected
|
|
""",
|
|
"resources": [
|
|
"https://processhacker.sourceforge.io/",
|
|
"https://www.sciencedirect.com/topics/computer-science/dll-injection"
|
|
]
|
|
},
|
|
{
|
|
"title": "Name of a File",
|
|
"content": """
|
|
- File name of interest (e.g., p.exe, r1.exe)
|
|
- File type of interest (e.g., .rar, .py, .ps1)
|
|
""",
|
|
"resources": [
|
|
"https://fileinfo.com/",
|
|
"https://www.hybrid-analysis.com/"
|
|
]
|
|
},
|
|
{
|
|
"title": "User Account Activity",
|
|
"content": """
|
|
- Identify suspicious user account activity
|
|
""",
|
|
"resources": [
|
|
"https://docs.microsoft.com/en-us/windows/security/identity-protection/",
|
|
"https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Other Activity",
|
|
"content": """
|
|
- Lateral Movement (Event Logs + File Copy & Execution)
|
|
- Anti-Forensics (Wiper download, wiper execution)
|
|
""",
|
|
"resources": [
|
|
"https://attack.mitre.org/tactics/TA0008/",
|
|
"https://www.mandiant.com/resources/anti-forensic-tactics"
|
|
]
|
|
}
|
|
]
|