Welcome to ATLAS’s documentation!

According to Merriam-Webster:

atlas noun

at·las | at-ləs

1. capitalized : a Titan who for his part in the Titans’ revolt against the gods is forced by Zeus to support the heavens on his shoulders

3. a : a bound collection of maps often including illustrations, informative tables, or textual matter

—

ATLAS is an analysis description of malware or kill-chain. Malware is a combination of techniques crafted for a purpose. With an ATLAS rule, these techniques and capabilities are like LEGO pieces. In this way, it tries to help malware researchers to focus single piece at a time and nothing more. ATLAS interpretation of the rule does the rest. It also removes the language boundaries. Different pieces can be written in other script languages.

If these techniques are transformed into LEGO pieces properly, it eventually creates a memory. Then, the total time to write an ATLAS rule will decrease.

meta:
name: "rtf_template_injection"
description: "A rule to extracts rtf template injection"
reference: "https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread"
version: "1.0"

scripts:
# import re
# import base64

# def run(data: bytes) -> str:
#     result = ''

#     encoded_template_pattr = "XHtcXFwqXFx0ZW1wbGF0ZVxzKyguKylccypcfQ=="
#     result = re.search(base64.b64decode(encoded_template_pattr), data).group(1).decode()

#     return result
s1: "aW1wb3J0IHJlCmltcG9ydCBiYXNlNjQKIApkZWYgcnVuKGRhdGE6IGJ5dGVzKSAtPiBzdHI6CiAgICByZXN1bHQgPSAnJwoKICAgIGVuY29kZWRfdGVtcGxhdGVfcGF0dHIgPSAiWEh0Y1hGd3FYRngwWlcxd2JHRjBaVnh6S3lndUt5bGNjeXBjZlE9PSIKICAgIHJlc3VsdCA9IHJlLnNlYXJjaChiYXNlNjQuYjY0ZGVjb2RlKGVuY29kZWRfdGVtcGxhdGVfcGF0dHIpLCBkYXRhKS5ncm91cCgxKS5kZWNvZGUoKQoKICAgIHJldHVybiByZXN1bHQ="

chain:
file_read:
   input: $param.file
   func: file_read_bin

template_extract:
   input:
      - $scripts.s1
      - $file_read
   func: python_executor

download:
   input: $template_extract
   func: download_from_remote_server

save_template:
   input:
      - $download
      - "template_"
   func: save_file_bytes

When the above rule is processed by ATLAS:

• It reads the file according to command-line argument,

• Then runs the python script that is defined in scripts section,

• Tries to downloads the template from the matched pattern,

• And saves the downloaded data to the disk.

Note

This project is under active development.

Contents

• Installation
  • Test Run
• Rule
• scripts
  • Key-Value
  • Python’s execution
  • Null Bytes
  • Powershell’s Execution
• chain
  • Sub-chain
  • input
  • func
  • expect
• modules
• meta
• Core Library
  • reverse()
  • download_from_remote_server()
  • powershell_executor()
  • file_read_bin()
  • file_read_utf8()
  • save_file_bytes()
  • save_file_arr()
  • python_executor()
  • printer()
  • hello_world()
  • bytes_to_str_utf8()
  • get_sha256()
• Expect Library
  • is_not_none()
  • is_not_empty_list()
  • is_not_empty_dict()
  • is_not_empty_str()
  • is_pe()