Example Flows

The Attack Flow project includes a corpus of example flows that may be useful for learning about Attack Flow, studying high-profile breaches, or mining the data for statistical patterns. You can download the entire corpus from the Attack Flow release page, or you can view individual flows on this page. Each Attack Flow is provided in multiple formats:

Builder (.afb): The format used for creating and editing in the Attack Flow Builder.
JSON (.json): The machine-readable format for exchanging flows.
Graphviz (.dot): An example of converting from Attack Flow to another graph format in order to take advantage of other tool ecosystems. Must install Graphviz to use this format, or use our pre-rendered Graphviz .png files.
Mermaid (.mmd): Mermaid is another graph format that you can convert Attack Flow into. Notably, Mermaid graphs can be embedded directly in GitHub Markdown files.

List of Examples

Report	Authors	Description
Black Basta Ransomware Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Black Basta is a RaaS (Ransomware as a Service), written in C++, that has been in development since February 2022 and in active use since April 2022. Operators using Black Basta employ a double-extortion technique where they encrypt files on the target systems and demand payment for the decryption key while also threatening to leak the information if they are not paid.
CISA AA22-138B VMWare Workspace (Alt) Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Alternative method used to exploit VMWare Workspace ONE Access
CISA AA22-138B VMWare Workspace (TA1) Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Threat Actor 1 exploited VMWare Workspace ONE Access through various methods
CISA AA22-138B VMWare Workspace (TA2) Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Threat Actor 2 exploited VMWare Workspace ONE Access through various methods
CISA Iranian APT Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Iranian APT exploited Log4Shell and deployed XMRig crypto mining software.
Cobalt Kitty Campaign Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Eric Kannampuzha	Cobalt Kitty campaign conducted by OceanLotus.
Conti CISA Alert Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Dr. Desiree Beck	Conti ransomware flow based on CISA alert.
Conti PWC Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Dr. Desiree Beck	Conti ransomware flow based on PWC report.
Conti Ransomware Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Alaa Nasser	Based on DFIR report
DFIR - BumbleBee Round 2 Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Kevin Lo	A documented BumbleBee Malware intrusion by the DFIR Report occurring in May 2022
Equifax Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Attack flow on the 2017 Equifax breach.
Example Attack Tree Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Center for Threat-Informed Defense	This flow illustrates how to build an attack tree using Attack Flow Builder.
FIN13 Case 1 Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Attack by FIN13 against a Latin American bank
FIN13 Case 2 Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Attack flow for the FIN13 campaign targeting a bank in Peru.
Gootloader Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Attack flow on the Gootloader payload distribution attack.
Hancitor DLL Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Eric Kannampuzha	Attack flow on an intrusion using the Hancitor downloader.
Ivanti Vulnerabilities Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mark Haase	A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This flow describes an unnamed organization that is a Volexity customer.
JP Morgan Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Attack flow on the 2014 JP Morgan breach.
MITRE NERVE Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Center for Threat-Informed Defense	A nation-state actor intrusion starting in Jan 2024. © 2024 MITRE Engenuity. Approved for public release. Document number CT0121.
Maastricht University Ransomware Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Joni Bimbashi	In 2019, the Maastricht University was targeted by a ransomware attack. At least 267 internal servers were affected in this incident.
Mac Malware Steals Crypto Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Eric Kannampuzha	Analysis of a malware family, OSX.DarthMiner, that targets MacOS.
Marriott Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	A data breach at the Marriott hotel group in 2018.
Muddy Water Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Multiple campaigns attributed to an Iranian state-based actor.
NotPetya Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Analysis of 2017 malware outbreak.
OceanLotus Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Maggie MacAlpine	OceanLotus Operations Flow
REvil Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Jackie Lasky	Profile of a ransomware group
Ragnar Locker Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Profile of a ransomware group
SWIFT Heist Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	A financial crime involving the SWIFT banking network.
SearchAwesome Adware Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	SearchAwesome adware intercepts encrypted web traffic to inject ads
Shamoon Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Malware family targeting energy, government, and telecom in the middle east and europe.
SolarWinds Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	A well-known supply chain attack against an Austin, TX software company.
Sony Malware Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Attack flow on the malware believed to be behind the 2014 Sony breach.
Target Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Attack flow for the 2013 Target breach.
Tesla Kubernetes Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mark Haase	A cryptomining attack discovered on a Tesla kubernetes (k8s) cluster.
Turla - Carbon Emulation Plan Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	The emulation plan, created by the ATT&CK ® Evaluations team, used during Day 1 of the ATT&CK evaluations Round 5. This scenario focuses on Carbon, a second-stage backdoor and framework that targets Windows and Linux infrastructures and provides data exfiltration capabilities.
Turla - Snake Emulation Plan Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	The emulation plan, created by the ATT&CK ® Evaluations team, used during Day 2 of the ATT&CK evaluations Round 5. This scenario focuses on Snake, a rootkit used to compromise computers and exfiltrate data.
Uber Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	A breach at Uber by the Lapsus$ group.
WhisperGate Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	A Russian state-sponsored malware campaign targeting Ukraine.