Example Flows

The Attack Flow project includes a corpus of example flows that may be useful for learning about Attack Flow, studying high-profile breaches, or mining the data for statistical patterns. You can download the entire corpus from the Attack Flow release page, or you can view individual flows on this page. Each Attack Flow is provided in multiple formats:

Builder (.afb): The format used for creating and editing in the Attack Flow Builder.
JSON (.json): The machine-readable format for exchanging flows.
Graphviz (.dot): An example of converting from Attack Flow to another graph format in order to take advantage of other tool ecosystems. Must install Graphviz to use this format, or use our pre-rendered Graphviz .png files.
Mermaid (.mmd): Mermaid is another graph format that you can convert Attack Flow into. Notably, Mermaid graphs can be embedded directly in GitHub Markdown files.

List of Examples

Report	Authors	Description
Cobalt Kitty Campaign Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Eric Kannampuzha	Cobalt Kitty campaign conducted by OceanLotus.
Conti CISA Alert Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Dr. Desiree Beck	Conti ransomware flow based on CISA alert.
Conti PWC Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Dr. Desiree Beck	Conti ransomware flow based on PWC report.
Conti Ransomware Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Alaa Nasser	Based on DFIR report
Equifax Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Attack flow on the 2017 Equifax breach.
FIN13 Case 1 Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Attack by FIN13 against a Latin American bank
FIN13 Case 2 Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Attack flow for the FIN13 campaign targeting a bank in Peru.
Gootloader Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Attack flow on the Gootloader payload distribution attack.
Hancitor DLL Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Eric Kannampuzha	Attack flow on an intrusion using the Hancitor downloader.
JP Morgan Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Attack flow on the 2014 JP Morgan breach.
Mac Malware Steals Crypto Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Eric Kannampuzha	Analysis of a malware family, OSX.DarthMiner, that targets MacOS.
Marriott Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	A data breach at the Marriott hotel group in 2018.
Muddy Water Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Multiple campaigns attributed to an Iranian state-based actor.
NotPetya Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Analysis of 2017 malware outbreak.
Ragnar Locker Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	Profile of a ransomware group
SWIFT Heist Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	A financial crime involving the SWIFT banking network.
SolarWinds Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	A well-known supply chain attack against an Austin, TX software company.
Sony Malware Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Attack flow on the malware believed to be behind the 2014 Sony breach.
Target Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	Attack flow for the 2013 Target breach.
Tesla Kubernetes Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mark Haase	A cryptomining attack discovered on a Tesla kubernetes (k8s) cluster.
Uber Breach Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Lauren Parker	A breach at Uber by the Lapsus$ group.
WhisperGate Open: Attack Flow Builder Download: JSON \| GraphViz (PNG) \| Mermaid (PNG)	Mia Sanchez	A Russian state-sponsored malware campaign targeting Ukraine.