Introduction
During the development of the ATLAS, even though I believed it would be something, I didn't have any clue that proves this statement. I started to write as much as possible ATLAS rules afterward, and the experience has convinced me that ATLAS helps us to store and share malware analysis details in an actionable way.
If you're unsure, you can check my previous research.
But the experience also convinced me in another way; there was a problem. An ATLAS rule might contain scripts in a base64 encoded to ease storage and sharing. But this decision comes with a penalty; you must do base64 encode/decode plenty of times during development.
The most important feature of this extension is to auto-create and update scripts from the folder. Other than that, it has basic completion, hovers, and snippet.
Installation
The extension can be installed by VSCode Marketplace directly.
Features
Create and fill the scripts section
As the name suggests, with this command, it is possible to form the scripts section automatically.
- Creates scripts section if it doesn't exist,
- Lists all Python scripts reside in the same folder with the ATLAS rule,
- Creates new keys for the new scripts,
- Syncs already exist scripts.
For now, It only supports Python scripts.
Sync the scripts section
Traverse all the keys inside the scripts section and try to get the latest version to update their record.
Complition Proposals
The chain section of an ATLAS rule consists of sub-chains. On the other hand, a sub-chain can contain a couple of keys: input, func, and expect.
- Possible options for func key reside in the core library. The extension lists all possible functions in the case of the func key.
- Similar to the func key, expect holds the validation functions information, and they define inside the expect library. The extension lists all possible functions in case of the expect key.
- An input key's value can be arbitrary, or with $ charachter, it is possible to assign dynamic content and values from other sections like scripts. The extension lists sub-chains to retrieve their outputs or all possible scripts when there is a pattern:
$scripts.
Showing Hovers
As described above, there are functions for func and expect keys and they all have a purpose and syntax. The extension gives information about the function below the mouse cursor.
While executing the Create and fill the scripts section or Sync the scripts section commands, it records those custom entry points' details. Then the extension gives information about the function below the mouse cursor.
Snippet
The extension comes with a snippet, a basic ATLAS rule to start a new development.
