Example Flows
The Attack Flow project includes a corpus of example flows that may be useful for learning about Attack Flow, studying high-profile breaches, or mining the data for statistical patterns. You can download the entire corpus from the Attack Flow release page, or you can view individual flows on this page.
List of Examples
Black Basta Ransomware
Author: Lauren Parker
Description: Black Basta is a RaaS (Ransomware as a Service), written in C++, that has been in development since February 2022 and in active use since April 2022. Operators using Black Basta employ a double-extortion technique where they encrypt files on the target systems and demand payment for the decryption key while also threatening to leak the information if they are not paid.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
CISA AA22-138B VMware Workspace (Alt)
Author: Lauren Parker
Description: Alternative method used to exploit VMware Workspace ONE Access.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
CISA AA22-138B VMware Workspace (TA1)
Author: Lauren Parker
Description: Threat Actor 1 exploited VMware Workspace ONE Access through various methods.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
CISA AA22-138B VMware Workspace (TA2)
Author: Lauren Parker
Description: Threat Actor 2 exploited VMware Workspace ONE Access through various methods.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
CISA Iranian APT
Author: Lauren Parker
Description: Iranian APT exploited Log4Shell and deployed XMRig crypto mining software.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Cobalt Kitty Campaign
Author: Eric Kannampuzha
Description: Cobalt Kitty campaign conducted by OceanLotus.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Conti CISA Alert
Author: Dr. Desiree Beck
Description: Conti ransomware flow based on CISA alert.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Conti PWC
Author: Dr. Desiree Beck
Description: Conti ransomware flow based on PWC report.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Conti Ransomware
Author: Alaa Nasser
Description: Based on DFIR report
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
DFIR - BumbleBee Round 2
Author: Kevin Lo
Description: A documented BumbleBee Malware intrusion by the DFIR Report occurring in May 2022
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Equifax Breach
Author: Lauren Parker
Description: Attack flow on the 2017 Equifax breach.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Example Attack Tree
Author: MITRE Center for Threat-Informed Defense
Description: This flow illustrates how to build an attack tree using Attack Flow Builder.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
FIN13 Case 1
Author: Mia Sanchez
Description: Attack by FIN13 against a Latin American bank
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
FIN13 Case 2
Author: Mia Sanchez
Description: Attack flow for the FIN13 campaign targeting a bank in Peru.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Gootloader
Author: Mia Sanchez
Description: Attack flow on the Gootloader payload distribution attack.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Hancitor DLL
Author: Eric Kannampuzha
Description: Attack flow on an intrusion using the Hancitor downloader.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Ivanti Vulnerabilities
Author: Mark Haase
Description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This flow describes an unnamed organization that is a Volexity customer.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
JP Morgan Breach
Author: Lauren Parker
Description: Attack flow on the 2014 JP Morgan breach.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
MITRE NERVE
Author: MITRE Center for Threat-Informed Defense
Description: A nation-state actor intrusion starting in Jan 2024. © 2024 The MITRE Corporation. Approved for public release. Document number CT0121.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Maastricht University Ransomware
Author: Joni Bimbashi
Description: In 2019, Maastricht University was targeted by a ransomware attack. At least 267 internal servers were affected in this incident.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Mac Malware Steals Crypto
Author: Eric Kannampuzha
Description: Analysis of a malware family, OSX.DarthMiner, that targets macOS.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Marriott Breach
Author: Lauren Parker
Description: A data breach at the Marriott hotel group in 2018.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Muddy Water
Author: Mia Sanchez
Description: Multiple campaigns attributed to an Iranian state-based actor.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
NotPetya
Author: Mia Sanchez
Description: Analysis of 2017 malware outbreak.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
OceanLotus
Author: Maggie MacAlpine
Description: OceanLotus Operations Flow
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
REvil
Author: Jackie Lasky
Description: Profile of a ransomware group
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Ragnar Locker
Author: Mia Sanchez
Description: Profile of a ransomware group
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
SWIFT Heist
Author: Lauren Parker
Description: A financial crime involving the SWIFT banking network.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
SearchAwesome Adware
Author: Lauren Parker
Description: SearchAwesome adware intercepts encrypted web traffic to inject ads
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Shamoon
Author: Lauren Parker
Description: Malware family targeting the energy, government, and telecom sectors in the Middle East and Europe.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
SolarWinds
Author: Lauren Parker
Description: A well-known supply chain attack against an Austin, TX software company.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Sony Malware
Author: Lauren Parker
Description: Attack flow on the malware believed to be behind the 2014 Sony breach.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Target Breach
Author: Lauren Parker
Description: Attack flow for the 2013 Target breach.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Tesla Kubernetes Breach
Author: Mark Haase
Description: A cryptomining attack discovered on a Tesla Kubernetes (k8s) cluster.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Turla - Carbon Emulation Plan
Author: Lauren Parker
Description: The emulation plan, created by the ATT&CK® Evaluations team, used during Day 1 of the ATT&CK Evaluations Round 5. This scenario focuses on Carbon, a second-stage backdoor and framework that targets Windows and Linux infrastructures and provides data exfiltration capabilities.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Turla - Snake Emulation Plan
Author: Lauren Parker
Description: The emulation plan, created by the ATT&CK® Evaluations team, used during Day 2 of the ATT&CK Evaluations Round 5. This scenario focuses on Snake, a rootkit used to compromise computers and exfiltrate data.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Uber Breach
Author: Lauren Parker
Description: A breach at Uber by the Lapsus$ group.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
WhisperGate
Author: Mia Sanchez
Description: A Russian state-sponsored malware campaign targeting Ukraine.
Open: Attack Flow Builder
Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid
Formats
Each Attack Flow is provided in multiple formats:
- Attack Flow (.afb)
The format used for creating and editing in the Attack Flow Builder.
- STIX (.json)
The machine-readable format for exchanging flows.
- Graphviz (.dot)
An example of converting from Attack Flow to another graph format in order to take advantage of other tool ecosystems. You must install Graphviz to use this format, or use our pre-rendered Graphviz .png files.
- Mermaid (.mmd)
Mermaid is another graph format that you can convert Attack Flow into. Notably, Mermaid graphs can be embedded directly in GitHub Markdown files.
- PNG (.png)
A rendering of one of the above file formats into an image format.