Example Flows ============= The Attack Flow project includes a corpus of example flows that may be useful for learning about Attack Flow, studying high-profile breaches, or mining the data for statistical patterns. You can download the entire corpus from the `Attack Flow release page `__, or you can view individual flows on this page. Each Attack Flow is provided in multiple formats: Builder (.afb) The format used for creating and editing in the Attack Flow Builder. JSON (.json) The machine-readable format for exchanging flows. Graphviz (.dot) An example of converting from Attack Flow to another graph format in order to take advantage of other tool ecosystems. Must install `Graphviz `__ to use this format, or use our pre-rendered Graphviz ``.png`` files. Mermaid (.mmd) `Mermaid `__ is another graph format that you can convert Attack Flow into. Notably, Mermaid graphs can be embedded directly in `GitHub Markdown files `__. List of Examples ---------------- .. EXAMPLE_FLOWS Generated by `af` tool at 2024-07-09T15:42:30.934512Z .. list-table:: :widths: 30 20 50 :header-rows: 1 * - Report - Authors - Description * - **CISA AA22-138B VMWare Workspace (Alt)** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Alternative method used to exploit VMWare Workspace ONE Access * - **CISA AA22-138B VMWare Workspace (TA1)** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Threat Actor 1 exploited VMWare Workspace ONE Access through various methods * - **CISA AA22-138B VMWare Workspace (TA2)** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Threat Actor 2 exploited VMWare Workspace ONE Access through various methods * - **CISA Iranian APT** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Iranian APT exploited Log4Shell and deployed XMRig crypto mining software. * - **Cobalt Kitty Campaign** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Eric Kannampuzha - Cobalt Kitty campaign conducted by OceanLotus. * - **Conti CISA Alert** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Dr. Desiree Beck - Conti ransomware flow based on CISA alert. * - **Conti PWC** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Dr. Desiree Beck - Conti ransomware flow based on PWC report. * - **Conti Ransomware** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Alaa Nasser - Based on DFIR report * - **DFIR - BumbleBee Round 2** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Kevin Lo - A documented BumbleBee Malware intrusion by the DFIR Report occurring in May 2022  * - **Equifax Breach** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Attack flow on the 2017 Equifax breach. * - **Example Attack Tree** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Center for Threat-Informed Defense - This flow illustrates how to build an attack tree using Attack Flow Builder. * - **FIN13 Case 1** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mia Sanchez - Attack by FIN13 against a Latin American bank * - **FIN13 Case 2** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mia Sanchez - Attack flow for the FIN13 campaign targeting a bank in Peru.  * - **Gootloader** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mia Sanchez - Attack flow on the Gootloader payload distribution attack. * - **Hancitor DLL** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Eric Kannampuzha - Attack flow on an intrusion using the Hancitor downloader. * - **Ivanti Vulnerabilities** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mark Haase - A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This flow describes an unnamed organization that is a Volexity customer. * - **JP Morgan Breach** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Attack flow on the 2014 JP Morgan breach. * - **MITRE NERVE** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Center for Threat-Informed Defense - A nation-state actor intrusion starting in Jan 2024. © 2024 MITRE Engenuity. Approved for public release. Document number CT0121. * - **Maastricht University Ransomware** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Joni Bimbashi - In 2019, the Maastricht University was targeted by a ransomware attack. At least 267 internal servers were affected in this incident. * - **Mac Malware Steals Crypto** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Eric Kannampuzha - Analysis of a malware family, OSX.DarthMiner, that targets MacOS. * - **Marriott Breach** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - A data breach at the Marriott hotel group in 2018. * - **Muddy Water** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mia Sanchez - Multiple campaigns attributed to an Iranian state-based actor. * - **NotPetya** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mia Sanchez - Analysis of 2017 malware outbreak. * - **OceanLotus** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Maggie MacAlpine - OceanLotus Operations Flow * - **REvil** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Jackie Lasky - Profile of a ransomware group * - **Ragnar Locker** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mia Sanchez - Profile of a ransomware group * - **SWIFT Heist** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - A financial crime involving the SWIFT banking network. * - **SearchAwesome Adware** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - SearchAwesome adware intercepts encrypted web traffic to inject ads * - **Shamoon** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Malware family targeting energy, government, and telecom in the middle east and europe. * - **SolarWinds** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - A well-known supply chain attack against an Austin, TX software company. * - **Sony Malware** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Attack flow on the malware believed to be behind the 2014 Sony breach. * - **Target Breach** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - Attack flow for the 2013 Target breach. * - **Tesla Kubernetes Breach** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mark Haase - A cryptomining attack discovered on a Tesla kubernetes (k8s) cluster. * - **Turla - Carbon Emulation Plan** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - The emulation plan, created by the ATT&CK ® Evaluations team, used during Day 1 of the ATT&CK evaluations Round 5. This scenario focuses on Carbon, a second-stage backdoor and framework that targets Windows and Linux infrastructures and provides data exfiltration capabilities. * - **Turla - Snake Emulation Plan** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - The emulation plan, created by the ATT&CK ® Evaluations team, used during Day 2 of the ATT&CK evaluations Round 5. This scenario focuses on Snake, a rootkit used to compromise computers and exfiltrate data. * - **Uber Breach** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Lauren Parker - A breach at Uber by the Lapsus$ group. * - **WhisperGate** .. raw:: html

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG) - Mia Sanchez - A Russian state-sponsored malware campaign targeting Ukraine. .. /EXAMPLE_FLOWS