Welcome to ATLAS's documentation!
===================================

According to `Merriam-Webster <https://www.merriam-webster.com/dictionary/atlas>`_:
   **atlas** noun

   at\·las | at-ləs
   
   **1. capitalized :** a Titan who for his part in the Titans' revolt against the gods is forced by Zeus to support the heavens on his shoulders

   **3. a :** a bound collection of maps often including illustrations, informative tables, or textual matter

----

**ATLAS** is an analysis description for malware or a kill chain. Malware is a combination of techniques crafted for a purpose. In an ATLAS rule, these techniques and capabilities are treated like LEGO pieces. This helps malware researchers focus on a single piece at a time and nothing more; the ATLAS interpretation of the rule does the rest. It also removes language boundaries: different pieces can be written in different scripting languages.

If these techniques are properly transformed into LEGO pieces, they eventually build up a memory, and the total time needed to write an ATLAS rule decreases.

.. code-block:: yaml

   meta:
      name: "rtf_template_injection"
      description: "A rule to extract rtf template injection"
      reference: "https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread"
      version: "1.0"

   scripts:
      # import re
      # import base64
      
      # def run(data: bytes) -> str:
      #     result = ''

      #     encoded_template_pattr = "XHtcXFwqXFx0ZW1wbGF0ZVxzKyguKylccypcfQ=="
      #     result = re.search(base64.b64decode(encoded_template_pattr), data).group(1).decode()

      #     return result
      s1: "aW1wb3J0IHJlCmltcG9ydCBiYXNlNjQKIApkZWYgcnVuKGRhdGE6IGJ5dGVzKSAtPiBzdHI6CiAgICByZXN1bHQgPSAnJwoKICAgIGVuY29kZWRfdGVtcGxhdGVfcGF0dHIgPSAiWEh0Y1hGd3FYRngwWlcxd2JHRjBaVnh6S3lndUt5bGNjeXBjZlE9PSIKICAgIHJlc3VsdCA9IHJlLnNlYXJjaChiYXNlNjQuYjY0ZGVjb2RlKGVuY29kZWRfdGVtcGxhdGVfcGF0dHIpLCBkYXRhKS5ncm91cCgxKS5kZWNvZGUoKQoKICAgIHJldHVybiByZXN1bHQ="

   chain:
      file_read:
         input: $param.file
         func: file_read_bin

      template_extract:
         input:
            - $scripts.s1
            - $file_read
         func: python_executor

      stdout_inject:
         input: $template_extract
         func: printer

When the above rule is processed by ATLAS:

* It reads the file given by the command-line argument,
* Then runs the Python script that is defined in the **scripts** section,
* And prints any matched pattern.
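
The three steps above, as an added Python sketch that is not ATLAS's own code: the rule is written as the dict a YAML loader would return, and ``run_rule``, ``FUNCS``, ``S1_SOURCE``, ``SAMPLE_RTF`` and ``demo`` are hypothetical names. It assumes inputs are passed in the order the rule lists them and that a script with no match should yield an empty string.

```python
import base64
import pathlib
import tempfile

# scripts.s1 as given in the rule's comments (condensed); the rule stores it base64-encoded.
S1_SOURCE = """import re
import base64
def run(data: bytes) -> str:
    encoded_template_pattr = "XHtcXFwqXFx0ZW1wbGF0ZVxzKyguKylccypcfQ=="
    return re.search(base64.b64decode(encoded_template_pattr), data).group(1).decode()
"""
SAMPLE_RTF = b"{\\rtf1\\ansi\n{\\*\\template http://example.test/t.dotx}\n\\par text}\n"  # constructed
RULE = {  # the page's rule, meta omitted
    "scripts": {"s1": base64.b64encode(S1_SOURCE.encode()).decode()},
    "chain": {
        "file_read": {"input": "$param.file", "func": "file_read_bin"},
        "template_extract": {"input": ["$scripts.s1", "$file_read"], "func": "python_executor"},
        "stdout_inject": {"input": "$template_extract", "func": "printer"},
    },
}

def python_executor(encoded_script, data):
    scope = {}
    exec(base64.b64decode(encoded_script).decode(), scope)  # runs rule-supplied code
    try:
        return scope["run"](data)
    except AttributeError:  # re.search() returned None: no template destination
        return ""

# Hypothetical stand-ins for the modules the rule names (not ATLAS's own code).
FUNCS = {"file_read_bin": lambda path: pathlib.Path(path).read_bytes(),
         "python_executor": python_executor, "printer": print}

def run_rule(rule, params):  # refs: "$param.file", "$scripts.s1", "$<earlier step>"
    results, sources = {}, {"param": params, "scripts": rule["scripts"]}
    for name, step in rule["chain"].items():
        refs = step["input"] if isinstance(step["input"], list) else [step["input"]]
        args = [sources[kind][key] if kind in sources else results[kind]
                for kind, _, key in (ref[1:].partition(".") for ref in refs)]
        results[name] = FUNCS[step["func"]](*args)
    return results

def demo(data=SAMPLE_RTF):
    with tempfile.TemporaryDirectory() as tmp:
        sample = pathlib.Path(tmp, "sample.rtf")
        sample.write_bytes(data)
        return run_rule(RULE, {"file": str(sample)})

if __name__ == "__main__":
    demo()
```

Because the executor step runs whatever the ``scripts`` entry decodes to, decode and read a rule's scripts before running a rule from someone else.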

.. note::

   This project is under active development.

Contents
--------

.. toctree::
   :maxdepth: 3

   installation
   rule
   scripts
   chain
   modules
   meta
   core
   expect
