Example Flows
The Attack Flow project includes a corpus of example flows that may be useful for learning about Attack Flow, studying high-profile breaches, or mining the data for statistical patterns. You can download the entire corpus from the Attack Flow release page, or you can view individual flows on this page. Each Attack Flow is provided in multiple formats:
- Builder (.afb)
The format used for creating and editing in the Attack Flow Builder.
- JSON (.json)
The machine-readable format for exchanging flows.
- Graphviz (.dot)
An example of converting from Attack Flow to another graph format in order to take advantage of other tool ecosystems. You must install Graphviz to use this format, or use our pre-rendered Graphviz .png files.
- Mermaid (.mmd)
Mermaid is another graph format that you can convert Attack Flow into. Notably, Mermaid graphs can be embedded directly in GitHub Markdown files.
List of Examples
Report | Authors | Description |
---|---|---|
Cobalt Kitty Campaign | Eric Kannampuzha | Cobalt Kitty campaign conducted by OceanLotus. |
Conti CISA Alert | Dr. Desiree Beck | Conti ransomware flow based on CISA alert. |
Conti PWC | Dr. Desiree Beck | Conti ransomware flow based on PWC report. |
Conti Ransomware | Alaa Nasser | Based on DFIR report |
Equifax Breach | Lauren Parker | Attack flow on the 2017 Equifax breach. |
FIN13 Case 1 | Mia Sanchez | Attack by FIN13 against a Latin American bank |
FIN13 Case 2 | Mia Sanchez | Attack flow for the FIN13 campaign targeting a bank in Peru. |
Gootloader | Mia Sanchez | Attack flow on the Gootloader payload distribution attack. |
Hancitor DLL | Eric Kannampuzha | Attack flow on an intrusion using the Hancitor downloader. |
JP Morgan Breach | Lauren Parker | Attack flow on the 2014 JP Morgan breach. |
Mac Malware Steals Crypto | Eric Kannampuzha | Analysis of a malware family, OSX.DarthMiner, that targets macOS. |
Marriott Breach | Lauren Parker | A data breach at the Marriott hotel group in 2018. |
Muddy Water | Mia Sanchez | Multiple campaigns attributed to an Iranian state-based actor. |
NotPetya | Mia Sanchez | Analysis of 2017 malware outbreak. |
Ragnar Locker | Mia Sanchez | Profile of a ransomware group |
SWIFT Heist | Lauren Parker | A financial crime involving the SWIFT banking network. |
SolarWinds | Lauren Parker | A well-known supply chain attack against an Austin, TX software company. |
Sony Malware | Lauren Parker | Attack flow on the malware believed to be behind the 2014 Sony breach. |
Target Breach | Lauren Parker | Attack flow for the 2013 Target breach. |
Tesla Kubernetes Breach | Mark Haase | A cryptomining attack discovered on a Tesla Kubernetes (k8s) cluster. |
Uber Breach | Lauren Parker | A breach at Uber by the Lapsus$ group. |
WhisperGate | Mia Sanchez | A Russian state-sponsored malware campaign targeting Ukraine. |