Welcome to ATLAS’s documentation!

According to Merriam-Webster:

atlas noun

at·las | at-ləs

1. capitalized : a Titan who for his part in the Titans’ revolt against the gods is forced by Zeus to support the heavens on his shoulders

3. a : a bound collection of maps often including illustrations, informative tables, or textual matter

ATLAS is an analysis description of malware or kill-chain. Malware is a combination of techniques crafted for a purpose. With an ATLAS rule, these techniques and capabilities are like LEGO pieces. In this way, it tries to help malware researchers to focus single piece at a time and nothing more. ATLAS interpretation of the rule does the rest. It also removes the language boundaries. Different pieces can be written in other script languages.

If these techniques are transformed into LEGO pieces properly, it eventually creates a memory. Then, the total time to write an ATLAS rule will decrease.

name: "rtf_template_injection"
description: "A rule to extracts rtf template injection"
reference: "https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread"
version: "1.0"

# import re
# import base64

# def run(data: bytes) -> str:
#     result = ''

#     encoded_template_pattr = "XHtcXFwqXFx0ZW1wbGF0ZVxzKyguKylccypcfQ=="
#     result = re.search(base64.b64decode(encoded_template_pattr), data).group(1).decode()

#     return result

   input: $param.file
   func: file_read_bin

      - $scripts.s1
      - $file_read
   func: python_executor

   input: $template_extract
   func: download_from_remote_server

      - $download
      - "template_"
   func: save_file_bytes

When the above rule is processed by ATLAS:

  • It reads the file according to command-line argument,

  • Then runs the python script that is defined in scripts section,

  • Tries to downloads the template from the matched pattern,

  • And saves the downloaded data to the disk.


This project is under active development.