ceios/builder/docs/example_flows.rst
Jim Andrew Morris 9f997913c0 Pushed builder to wrong folder
changing the folder the disarm-attackflow builder was pushed to
2024-09-13 15:29:20 +09:30

Example Flows
=============
The Attack Flow project includes a corpus of example flows that may be useful for
learning about Attack Flow, studying high-profile breaches, or mining the data for
statistical patterns. You can download the entire corpus from the `Attack Flow release
page <https://github.com/center-for-threat-informed-defense/attack-flow/releases>`__, or
you can view individual flows on this page. Each Attack Flow is provided in multiple
formats:

Builder (.afb)
    The format used for creating and editing in the Attack Flow Builder.

JSON (.json)
    The machine-readable format for exchanging flows.

Graphviz (.dot)
    An example of converting from Attack Flow to another graph format in order to take
    advantage of other tool ecosystems. You must install `Graphviz
    <https://graphviz.org/>`__ to use this format, or use our pre-rendered Graphviz
    ``.png`` files.

Mermaid (.mmd)
    `Mermaid <https://mermaid-js.github.io/mermaid/#/>`__ is another graph format that
    you can convert Attack Flow into. Notably, Mermaid graphs can be embedded directly
    in `GitHub Markdown files <https://github.blog/2022-02-14-include-diagrams-markdown-files-mermaid/>`__.

List of Examples
----------------
.. EXAMPLE_FLOWS Generated by `af` tool at 2024-07-09T15:42:30.934512Z
.. list-table::
:widths: 30 20 50
:header-rows: 1
* - Report
- Authors
- Description
* - **CISA AA22-138B VMWare Workspace (Alt)**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fCISA%20AA22-138B%20VMWare%20Workspace%20%28Alt%29.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28Alt%29.json">JSON</a> | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28Alt%29.dot">GraphViz</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28Alt%29.dot.png">PNG</a>) | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28Alt%29.mmd">Mermaid</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28Alt%29.mmd.png">PNG</a>)
- Lauren Parker
- Alternative method used to exploit VMware Workspace ONE Access
* - **CISA AA22-138B VMWare Workspace (TA1)**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fCISA%20AA22-138B%20VMWare%20Workspace%20%28TA1%29.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA1%29.json">JSON</a> | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA1%29.dot">GraphViz</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA1%29.dot.png">PNG</a>) | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA1%29.mmd">Mermaid</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA1%29.mmd.png">PNG</a>)
- Lauren Parker
- Threat Actor 1 exploited VMware Workspace ONE Access through various methods
* - **CISA AA22-138B VMWare Workspace (TA2)**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fCISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.json">JSON</a> | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.dot">GraphViz</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.dot.png">PNG</a>) | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.mmd">Mermaid</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.mmd.png">PNG</a>)
- Lauren Parker
- Threat Actor 2 exploited VMware Workspace ONE Access through various methods
* - **CISA Iranian APT**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fCISA%20Iranian%20APT.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/CISA%20Iranian%20APT.json">JSON</a> | <a href="../corpus/CISA%20Iranian%20APT.dot">GraphViz</a> (<a href="../corpus/CISA%20Iranian%20APT.dot.png">PNG</a>) | <a href="../corpus/CISA%20Iranian%20APT.mmd">Mermaid</a> (<a href="../corpus/CISA%20Iranian%20APT.mmd.png">PNG</a>)
- Lauren Parker
- Iranian APT exploited Log4Shell and deployed XMRig crypto mining software.
* - **Cobalt Kitty Campaign**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fCobalt%20Kitty%20Campaign.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Cobalt%20Kitty%20Campaign.json">JSON</a> | <a href="../corpus/Cobalt%20Kitty%20Campaign.dot">GraphViz</a> (<a href="../corpus/Cobalt%20Kitty%20Campaign.dot.png">PNG</a>) | <a href="../corpus/Cobalt%20Kitty%20Campaign.mmd">Mermaid</a> (<a href="../corpus/Cobalt%20Kitty%20Campaign.mmd.png">PNG</a>)
- Eric Kannampuzha
- Cobalt Kitty campaign conducted by OceanLotus.
* - **Conti CISA Alert**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fConti%20CISA%20Alert.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Conti%20CISA%20Alert.json">JSON</a> | <a href="../corpus/Conti%20CISA%20Alert.dot">GraphViz</a> (<a href="../corpus/Conti%20CISA%20Alert.dot.png">PNG</a>) | <a href="../corpus/Conti%20CISA%20Alert.mmd">Mermaid</a> (<a href="../corpus/Conti%20CISA%20Alert.mmd.png">PNG</a>)
- Dr. Desiree Beck
- Conti ransomware flow based on CISA alert.
* - **Conti PWC**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fConti%20PWC.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Conti%20PWC.json">JSON</a> | <a href="../corpus/Conti%20PWC.dot">GraphViz</a> (<a href="../corpus/Conti%20PWC.dot.png">PNG</a>) | <a href="../corpus/Conti%20PWC.mmd">Mermaid</a> (<a href="../corpus/Conti%20PWC.mmd.png">PNG</a>)
- Dr. Desiree Beck
- Conti ransomware flow based on PWC report.
* - **Conti Ransomware**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fConti%20Ransomware.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Conti%20Ransomware.json">JSON</a> | <a href="../corpus/Conti%20Ransomware.dot">GraphViz</a> (<a href="../corpus/Conti%20Ransomware.dot.png">PNG</a>) | <a href="../corpus/Conti%20Ransomware.mmd">Mermaid</a> (<a href="../corpus/Conti%20Ransomware.mmd.png">PNG</a>)
- Alaa Nasser
- Based on DFIR report
* - **DFIR - BumbleBee Round 2**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fDFIR%20-%20BumbleBee%20Round%202.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.json">JSON</a> | <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.dot">GraphViz</a> (<a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.dot.png">PNG</a>) | <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.mmd">Mermaid</a> (<a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.mmd.png">PNG</a>)
- Kevin Lo
- A documented BumbleBee Malware intrusion by the DFIR Report occurring in May 2022
* - **Equifax Breach**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fEquifax%20Breach.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Equifax%20Breach.json">JSON</a> | <a href="../corpus/Equifax%20Breach.dot">GraphViz</a> (<a href="../corpus/Equifax%20Breach.dot.png">PNG</a>) | <a href="../corpus/Equifax%20Breach.mmd">Mermaid</a> (<a href="../corpus/Equifax%20Breach.mmd.png">PNG</a>)
- Lauren Parker
- Attack flow on the 2017 Equifax breach.
* - **Example Attack Tree**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fExample%20Attack%20Tree.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Example%20Attack%20Tree.json">JSON</a> | <a href="../corpus/Example%20Attack%20Tree.dot">GraphViz</a> (<a href="../corpus/Example%20Attack%20Tree.dot.png">PNG</a>) | <a href="../corpus/Example%20Attack%20Tree.mmd">Mermaid</a> (<a href="../corpus/Example%20Attack%20Tree.mmd.png">PNG</a>)
- Center for Threat-Informed Defense
- This flow illustrates how to build an attack tree using Attack Flow Builder.
* - **FIN13 Case 1**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fFIN13%20Case%201.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/FIN13%20Case%201.json">JSON</a> | <a href="../corpus/FIN13%20Case%201.dot">GraphViz</a> (<a href="../corpus/FIN13%20Case%201.dot.png">PNG</a>) | <a href="../corpus/FIN13%20Case%201.mmd">Mermaid</a> (<a href="../corpus/FIN13%20Case%201.mmd.png">PNG</a>)
- Mia Sanchez
- Attack by FIN13 against a Latin American bank
* - **FIN13 Case 2**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fFIN13%20Case%202.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/FIN13%20Case%202.json">JSON</a> | <a href="../corpus/FIN13%20Case%202.dot">GraphViz</a> (<a href="../corpus/FIN13%20Case%202.dot.png">PNG</a>) | <a href="../corpus/FIN13%20Case%202.mmd">Mermaid</a> (<a href="../corpus/FIN13%20Case%202.mmd.png">PNG</a>)
- Mia Sanchez
- Attack flow for the FIN13 campaign targeting a bank in Peru.
* - **Gootloader**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fGootloader.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Gootloader.json">JSON</a> | <a href="../corpus/Gootloader.dot">GraphViz</a> (<a href="../corpus/Gootloader.dot.png">PNG</a>) | <a href="../corpus/Gootloader.mmd">Mermaid</a> (<a href="../corpus/Gootloader.mmd.png">PNG</a>)
- Mia Sanchez
- Attack flow on the Gootloader payload distribution attack.
* - **Hancitor DLL**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fHancitor%20DLL.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Hancitor%20DLL.json">JSON</a> | <a href="../corpus/Hancitor%20DLL.dot">GraphViz</a> (<a href="../corpus/Hancitor%20DLL.dot.png">PNG</a>) | <a href="../corpus/Hancitor%20DLL.mmd">Mermaid</a> (<a href="../corpus/Hancitor%20DLL.mmd.png">PNG</a>)
- Eric Kannampuzha
- Attack flow on an intrusion using the Hancitor downloader.
* - **Ivanti Vulnerabilities**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fIvanti%20Vulnerabilities.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Ivanti%20Vulnerabilities.json">JSON</a> | <a href="../corpus/Ivanti%20Vulnerabilities.dot">GraphViz</a> (<a href="../corpus/Ivanti%20Vulnerabilities.dot.png">PNG</a>) | <a href="../corpus/Ivanti%20Vulnerabilities.mmd">Mermaid</a> (<a href="../corpus/Ivanti%20Vulnerabilities.mmd.png">PNG</a>)
- Mark Haase
- A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This flow describes an unnamed organization that is a Volexity customer.
* - **JP Morgan Breach**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fJP%20Morgan%20Breach.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/JP%20Morgan%20Breach.json">JSON</a> | <a href="../corpus/JP%20Morgan%20Breach.dot">GraphViz</a> (<a href="../corpus/JP%20Morgan%20Breach.dot.png">PNG</a>) | <a href="../corpus/JP%20Morgan%20Breach.mmd">Mermaid</a> (<a href="../corpus/JP%20Morgan%20Breach.mmd.png">PNG</a>)
- Lauren Parker
- Attack flow on the 2014 JP Morgan breach.
* - **MITRE NERVE**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMITRE%20NERVE.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/MITRE%20NERVE.json">JSON</a> | <a href="../corpus/MITRE%20NERVE.dot">GraphViz</a> (<a href="../corpus/MITRE%20NERVE.dot.png">PNG</a>) | <a href="../corpus/MITRE%20NERVE.mmd">Mermaid</a> (<a href="../corpus/MITRE%20NERVE.mmd.png">PNG</a>)
- Center for Threat-Informed Defense
- A nation-state actor intrusion starting in Jan 2024. © 2024 MITRE Engenuity. Approved for public release. Document number CT0121.
* - **Maastricht University Ransomware**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMaastricht%20University%20Ransomware.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Maastricht%20University%20Ransomware.json">JSON</a> | <a href="../corpus/Maastricht%20University%20Ransomware.dot">GraphViz</a> (<a href="../corpus/Maastricht%20University%20Ransomware.dot.png">PNG</a>) | <a href="../corpus/Maastricht%20University%20Ransomware.mmd">Mermaid</a> (<a href="../corpus/Maastricht%20University%20Ransomware.mmd.png">PNG</a>)
- Joni Bimbashi
- In 2019, Maastricht University was targeted by a ransomware attack. At least 267 internal servers were affected in this incident.
* - **Mac Malware Steals Crypto**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMac%20Malware%20Steals%20Crypto.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Mac%20Malware%20Steals%20Crypto.json">JSON</a> | <a href="../corpus/Mac%20Malware%20Steals%20Crypto.dot">GraphViz</a> (<a href="../corpus/Mac%20Malware%20Steals%20Crypto.dot.png">PNG</a>) | <a href="../corpus/Mac%20Malware%20Steals%20Crypto.mmd">Mermaid</a> (<a href="../corpus/Mac%20Malware%20Steals%20Crypto.mmd.png">PNG</a>)
- Eric Kannampuzha
- Analysis of a malware family, OSX.DarthMiner, that targets macOS.
* - **Marriott Breach**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMarriott%20Breach.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Marriott%20Breach.json">JSON</a> | <a href="../corpus/Marriott%20Breach.dot">GraphViz</a> (<a href="../corpus/Marriott%20Breach.dot.png">PNG</a>) | <a href="../corpus/Marriott%20Breach.mmd">Mermaid</a> (<a href="../corpus/Marriott%20Breach.mmd.png">PNG</a>)
- Lauren Parker
- A data breach at the Marriott hotel group in 2018.
* - **Muddy Water**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMuddy%20Water.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Muddy%20Water.json">JSON</a> | <a href="../corpus/Muddy%20Water.dot">GraphViz</a> (<a href="../corpus/Muddy%20Water.dot.png">PNG</a>) | <a href="../corpus/Muddy%20Water.mmd">Mermaid</a> (<a href="../corpus/Muddy%20Water.mmd.png">PNG</a>)
- Mia Sanchez
- Multiple campaigns attributed to an Iranian state-based actor.
* - **NotPetya**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fNotPetya.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/NotPetya.json">JSON</a> | <a href="../corpus/NotPetya.dot">GraphViz</a> (<a href="../corpus/NotPetya.dot.png">PNG</a>) | <a href="../corpus/NotPetya.mmd">Mermaid</a> (<a href="../corpus/NotPetya.mmd.png">PNG</a>)
- Mia Sanchez
- Analysis of 2017 malware outbreak.
* - **OceanLotus**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fOceanLotus.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/OceanLotus.json">JSON</a> | <a href="../corpus/OceanLotus.dot">GraphViz</a> (<a href="../corpus/OceanLotus.dot.png">PNG</a>) | <a href="../corpus/OceanLotus.mmd">Mermaid</a> (<a href="../corpus/OceanLotus.mmd.png">PNG</a>)
- Maggie MacAlpine
- OceanLotus Operations Flow
* - **REvil**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fREvil.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/REvil.json">JSON</a> | <a href="../corpus/REvil.dot">GraphViz</a> (<a href="../corpus/REvil.dot.png">PNG</a>) | <a href="../corpus/REvil.mmd">Mermaid</a> (<a href="../corpus/REvil.mmd.png">PNG</a>)
- Jackie Lasky
- Profile of a ransomware group
* - **Ragnar Locker**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fRagnar%20Locker.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Ragnar%20Locker.json">JSON</a> | <a href="../corpus/Ragnar%20Locker.dot">GraphViz</a> (<a href="../corpus/Ragnar%20Locker.dot.png">PNG</a>) | <a href="../corpus/Ragnar%20Locker.mmd">Mermaid</a> (<a href="../corpus/Ragnar%20Locker.mmd.png">PNG</a>)
- Mia Sanchez
- Profile of a ransomware group
* - **SWIFT Heist**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fSWIFT%20Heist.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/SWIFT%20Heist.json">JSON</a> | <a href="../corpus/SWIFT%20Heist.dot">GraphViz</a> (<a href="../corpus/SWIFT%20Heist.dot.png">PNG</a>) | <a href="../corpus/SWIFT%20Heist.mmd">Mermaid</a> (<a href="../corpus/SWIFT%20Heist.mmd.png">PNG</a>)
- Lauren Parker
- A financial crime involving the SWIFT banking network.
* - **SearchAwesome Adware**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fSearchAwesome%20Adware.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/SearchAwesome%20Adware.json">JSON</a> | <a href="../corpus/SearchAwesome%20Adware.dot">GraphViz</a> (<a href="../corpus/SearchAwesome%20Adware.dot.png">PNG</a>) | <a href="../corpus/SearchAwesome%20Adware.mmd">Mermaid</a> (<a href="../corpus/SearchAwesome%20Adware.mmd.png">PNG</a>)
- Lauren Parker
- SearchAwesome adware intercepts encrypted web traffic to inject ads
* - **Shamoon**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fShamoon.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Shamoon.json">JSON</a> | <a href="../corpus/Shamoon.dot">GraphViz</a> (<a href="../corpus/Shamoon.dot.png">PNG</a>) | <a href="../corpus/Shamoon.mmd">Mermaid</a> (<a href="../corpus/Shamoon.mmd.png">PNG</a>)
- Lauren Parker
- Malware family targeting energy, government, and telecom in the Middle East and Europe.
* - **SolarWinds**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fSolarWinds.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/SolarWinds.json">JSON</a> | <a href="../corpus/SolarWinds.dot">GraphViz</a> (<a href="../corpus/SolarWinds.dot.png">PNG</a>) | <a href="../corpus/SolarWinds.mmd">Mermaid</a> (<a href="../corpus/SolarWinds.mmd.png">PNG</a>)
- Lauren Parker
- A well-known supply chain attack against an Austin, TX software company.
* - **Sony Malware**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fSony%20Malware.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Sony%20Malware.json">JSON</a> | <a href="../corpus/Sony%20Malware.dot">GraphViz</a> (<a href="../corpus/Sony%20Malware.dot.png">PNG</a>) | <a href="../corpus/Sony%20Malware.mmd">Mermaid</a> (<a href="../corpus/Sony%20Malware.mmd.png">PNG</a>)
- Lauren Parker
- Attack flow on the malware believed to be behind the 2014 Sony breach.
* - **Target Breach**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fTarget%20Breach.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Target%20Breach.json">JSON</a> | <a href="../corpus/Target%20Breach.dot">GraphViz</a> (<a href="../corpus/Target%20Breach.dot.png">PNG</a>) | <a href="../corpus/Target%20Breach.mmd">Mermaid</a> (<a href="../corpus/Target%20Breach.mmd.png">PNG</a>)
- Lauren Parker
- Attack flow for the 2013 Target breach.
* - **Tesla Kubernetes Breach**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fTesla%20Kubernetes%20Breach.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Tesla%20Kubernetes%20Breach.json">JSON</a> | <a href="../corpus/Tesla%20Kubernetes%20Breach.dot">GraphViz</a> (<a href="../corpus/Tesla%20Kubernetes%20Breach.dot.png">PNG</a>) | <a href="../corpus/Tesla%20Kubernetes%20Breach.mmd">Mermaid</a> (<a href="../corpus/Tesla%20Kubernetes%20Breach.mmd.png">PNG</a>)
- Mark Haase
- A cryptomining attack discovered on a Tesla Kubernetes (k8s) cluster.
* - **Turla - Carbon Emulation Plan**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fTurla%20-%20Carbon%20Emulation%20Plan.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.json">JSON</a> | <a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.dot">GraphViz</a> (<a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.dot.png">PNG</a>) | <a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.mmd">Mermaid</a> (<a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.mmd.png">PNG</a>)
- Lauren Parker
- The emulation plan, created by the ATT&CK® Evaluations team, used during Day 1 of the ATT&CK Evaluations Round 5. This scenario focuses on Carbon, a second-stage backdoor and framework that targets Windows and Linux infrastructures and provides data exfiltration capabilities.
* - **Turla - Snake Emulation Plan**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fTurla%20-%20Snake%20Emulation%20Plan.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.json">JSON</a> | <a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.dot">GraphViz</a> (<a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.dot.png">PNG</a>) | <a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.mmd">Mermaid</a> (<a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.mmd.png">PNG</a>)
- Lauren Parker
- The emulation plan, created by the ATT&CK® Evaluations team, used during Day 2 of the ATT&CK Evaluations Round 5. This scenario focuses on Snake, a rootkit used to compromise computers and exfiltrate data.
* - **Uber Breach**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fUber%20Breach.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/Uber%20Breach.json">JSON</a> | <a href="../corpus/Uber%20Breach.dot">GraphViz</a> (<a href="../corpus/Uber%20Breach.dot.png">PNG</a>) | <a href="../corpus/Uber%20Breach.mmd">Mermaid</a> (<a href="../corpus/Uber%20Breach.mmd.png">PNG</a>)
- Lauren Parker
- A breach at Uber by the Lapsus$ group.
* - **WhisperGate**
.. raw:: html
<p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fWhisperGate.afb"></i>Attack Flow Builder</a></p>
<p><em>Download:</em> <a href="../corpus/WhisperGate.json">JSON</a> | <a href="../corpus/WhisperGate.dot">GraphViz</a> (<a href="../corpus/WhisperGate.dot.png">PNG</a>) | <a href="../corpus/WhisperGate.mmd">Mermaid</a> (<a href="../corpus/WhisperGate.mmd.png">PNG</a>)
- Mia Sanchez
- A Russian state-sponsored malware campaign targeting Ukraine.
.. /EXAMPLE_FLOWS