Name | malware-atlas JSON |
Version |
0.2.15
JSON |
| download |
home_page | |
Summary | ATLAS - Malware Analysis Description |
upload_time | 2023-06-09 10:58:49 |
maintainer | |
docs_url | None |
author | Mert Degirmenci |
requires_python | >=3.6 |
license | MIT License Copyright (c) 2022. The Authors. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
keywords |
atlas
malware
threat
|
VCS |
|
bugtrack_url |
|
requirements |
No requirements were recorded.
|
Travis-CI |
No Travis.
|
coveralls test coverage |
No coveralls.
|
# ATLAS
According to [Merriam-Webster](https://www.merriam-webster.com/dictionary/atlas):
>**atlas** noun </br>_at·las_ | _at-ləs_</br></br>**1. capitalized :** a Titan who for his part in the Titans' revolt against the gods is forced by Zeus to support the heavens on his shoulders</br>**3. a :** a bound collection of maps often including illustrations, informative tables, or textual matter
---
</br>
**ATLAS** is an analysis description of malware or kill-chain. Malware is a combination of techniques crafted for a purpose. With an ATLAS rule, these techniques and capabilities are like LEGO pieces. In this way, it tries to help malware researchers to focus single piece at a time and nothing more. ATLAS interpretation of the rule does the rest. It also removes the language boundaries. Different pieces can be written in other script languages.
If these techniques are transformed into LEGO pieces properly, it eventually creates a memory. Then, the total time to write an ATLAS rule will decrease.
``` yaml
meta:
name: "rtf_template_injection"
description: "A rule to extracts rtf template injection"
reference: "https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread"
version: "1.0"
scripts:
# import re
# import base64
# def run(data: bytes) -> str:
# result = ''
# encoded_template_pattr = "XHtcXFwqXFx0ZW1wbGF0ZVxzKyguKylccypcfQ=="
# result = re.search(base64.b64decode(encoded_template_pattr), data).group(1).decode()
# return result
s1: "aW1wb3J0IHJlCmltcG9ydCBiYXNlNjQKIApkZWYgcnVuKGRhdGE6IGJ5dGVzKSAtPiBzdHI6CiAgICByZXN1bHQgPSAnJwoKICAgIGVuY29kZWRfdGVtcGxhdGVfcGF0dHIgPSAiWEh0Y1hGd3FYRngwWlcxd2JHRjBaVnh6S3lndUt5bGNjeXBjZlE9PSIKICAgIHJlc3VsdCA9IHJlLnNlYXJjaChiYXNlNjQuYjY0ZGVjb2RlKGVuY29kZWRfdGVtcGxhdGVfcGF0dHIpLCBkYXRhKS5ncm91cCgxKS5kZWNvZGUoKQoKICAgIHJldHVybiByZXN1bHQ="
chain:
file_read:
input: $param.file
func: file_read_bin
template_extract:
input:
- $scripts.s1
- $file_read
func: python_executor
download:
input: $template_extract
func: download_from_remote_server
save_template:
input:
- $download
- "template_"
func: save_file_bytes
```
When the above rule is processed by ATLAS:
* It reads the file according to command-line argument,
* Then runs the python script that is defined in **scripts** section,
* Tries to downloads the template from the matched pattern,
* And saves the downloaded data to the disk.
## Installation
Install using Python's PIP:
``` bash
pip install malware-atlas
```
Clone directly from Github:
``` bash
git clone https://github.com/malware-atlas/atlas
```
## Usage
The [HelloWorld](https://github.com/MALWARE-ATLAS/ATLAS/blob/master/HelloWorld.atl) rule can be used to test the installation.
To test it as a stand-alone tool:
``` bash
atlas -a HelloWorld.atl
```
Or it can be used as a package:
``` bash
>>> from atlas import atlas
>>> atl = atlas("HelloWorld.atl")
>>> atl.execute()
True
```
---
To discover the full potential of the ATLAS, you could check the documentation: https://malware-atlas.readthedocs.io/en/latest/
Raw data
{
"_id": null,
"home_page": "",
"name": "malware-atlas",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.6",
"maintainer_email": "",
"keywords": "atlas,malware,threat",
"author": "Mert Degirmenci",
"author_email": "",
"download_url": "https://files.pythonhosted.org/packages/2a/48/c1b59262fc33a206a845511c5830f87c8047bf6651fe9a6b940bff1675df/malware_atlas-0.2.15.tar.gz",
"platform": null,
"description": "# ATLAS\n\nAccording to [Merriam-Webster](https://www.merriam-webster.com/dictionary/atlas):\n>**atlas** noun </br>_at\u00b7\u200blas_ | _at-l\u0259s_</br></br>**1. capitalized :** a Titan who for his part in the Titans' revolt against the gods is forced by Zeus to support the heavens on his shoulders</br>**3. a :** a bound collection of maps often including illustrations, informative tables, or textual matter\n\n---\n\n</br>\n\n**ATLAS** is an analysis description of malware or kill-chain. Malware is a combination of techniques crafted for a purpose. With an ATLAS rule, these techniques and capabilities are like LEGO pieces. In this way, it tries to help malware researchers to focus single piece at a time and nothing more. ATLAS interpretation of the rule does the rest. It also removes the language boundaries. Different pieces can be written in other script languages.\n\nIf these techniques are transformed into LEGO pieces properly, it eventually creates a memory. Then, the total time to write an ATLAS rule will decrease.\n\n``` yaml\nmeta:\n name: \"rtf_template_injection\"\n description: \"A rule to extracts rtf template injection\"\n reference: \"https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread\"\n version: \"1.0\"\n\nscripts:\n # import re\n # import base64\n \n # def run(data: bytes) -> str:\n # result = ''\n\n # encoded_template_pattr = \"XHtcXFwqXFx0ZW1wbGF0ZVxzKyguKylccypcfQ==\"\n # result = re.search(base64.b64decode(encoded_template_pattr), data).group(1).decode()\n\n # return result\n s1: \"aW1wb3J0IHJlCmltcG9ydCBiYXNlNjQKIApkZWYgcnVuKGRhdGE6IGJ5dGVzKSAtPiBzdHI6CiAgICByZXN1bHQgPSAnJwoKICAgIGVuY29kZWRfdGVtcGxhdGVfcGF0dHIgPSAiWEh0Y1hGd3FYRngwWlcxd2JHRjBaVnh6S3lndUt5bGNjeXBjZlE9PSIKICAgIHJlc3VsdCA9IHJlLnNlYXJjaChiYXNlNjQuYjY0ZGVjb2RlKGVuY29kZWRfdGVtcGxhdGVfcGF0dHIpLCBkYXRhKS5ncm91cCgxKS5kZWNvZGUoKQoKICAgIHJldHVybiByZXN1bHQ=\"\n\nchain:\n file_read:\n input: $param.file\n func: file_read_bin\n\n template_extract:\n input: \n - $scripts.s1\n - $file_read\n func: python_executor\n\n download:\n input: $template_extract\n func: download_from_remote_server\n\n save_template:\n input: \n - $download\n - \"template_\"\n func: save_file_bytes\n```\n\nWhen the above rule is processed by ATLAS:\n* It reads the file according to command-line argument,\n* Then runs the python script that is defined in **scripts** section,\n* Tries to downloads the template from the matched pattern,\n* And saves the downloaded data to the disk.\n\n\n## Installation\n\nInstall using Python's PIP:\n\n``` bash\npip install malware-atlas\n```\n\nClone directly from Github:\n\n``` bash\ngit clone https://github.com/malware-atlas/atlas\n```\n\n\n## Usage\n\nThe [HelloWorld](https://github.com/MALWARE-ATLAS/ATLAS/blob/master/HelloWorld.atl) rule can be used to test the installation.\n\nTo test it as a stand-alone tool:\n\n``` bash\natlas -a HelloWorld.atl\n```\n\nOr it can be used as a package:\n``` bash\n>>> from atlas import atlas\n>>> atl = atlas(\"HelloWorld.atl\")\n>>> atl.execute()\nTrue\n```\n\n\n---\n\nTo discover the full potential of the ATLAS, you could check the documentation: https://malware-atlas.readthedocs.io/en/latest/\n",
"bugtrack_url": null,
"license": "MIT License Copyright (c) 2022. The Authors. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.",
"summary": "ATLAS - Malware Analysis Description",
"version": "0.2.15",
"project_urls": {
"Homepage": "https://github.com/malware-atlas/atlas"
},
"split_keywords": [
"atlas",
"malware",
"threat"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "114f670ed916d0094ee18210764ff732a8cf534e4aeab5832d3572580cad73a7",
"md5": "8b2c0878175ca7596cac9e16e8ec1a31",
"sha256": "32bf25290ac449c19c1da129e3084ad2b82cdeaff1dea2589bf317558cd13b8e"
},
"downloads": -1,
"filename": "malware_atlas-0.2.15-py3-none-any.whl",
"has_sig": false,
"md5_digest": "8b2c0878175ca7596cac9e16e8ec1a31",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.6",
"size": 16409,
"upload_time": "2023-06-09T10:58:48",
"upload_time_iso_8601": "2023-06-09T10:58:48.335729Z",
"url": "https://files.pythonhosted.org/packages/11/4f/670ed916d0094ee18210764ff732a8cf534e4aeab5832d3572580cad73a7/malware_atlas-0.2.15-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "2a48c1b59262fc33a206a845511c5830f87c8047bf6651fe9a6b940bff1675df",
"md5": "af645923f469def7933bfe8f2efeef6d",
"sha256": "f52adc498b6e481c091a037039e918617bbb6df2932be66f1c9bf1197cfa3dfa"
},
"downloads": -1,
"filename": "malware_atlas-0.2.15.tar.gz",
"has_sig": false,
"md5_digest": "af645923f469def7933bfe8f2efeef6d",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.6",
"size": 22975,
"upload_time": "2023-06-09T10:58:49",
"upload_time_iso_8601": "2023-06-09T10:58:49.776289Z",
"url": "https://files.pythonhosted.org/packages/2a/48/c1b59262fc33a206a845511c5830f87c8047bf6651fe9a6b940bff1675df/malware_atlas-0.2.15.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-06-09 10:58:49",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "malware-atlas",
"github_project": "atlas",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "malware-atlas"
}