Example Flows

The Attack Flow project includes a corpus of example flows that may be useful for learning about Attack Flow, studying high-profile breaches, or mining the data for statistical patterns. You can download the entire corpus from the Attack Flow release page, or you can view individual flows on this page. Each Attack Flow is provided in multiple formats:

Builder (.afb)

The format used for creating and editing in the Attack Flow Builder.

JSON (.json)

The machine-readable format for exchanging flows.

Graphviz (.dot)

An example of converting from Attack Flow to another graph format in order to take advantage of other tool ecosystems. Must install Graphviz to use this format, or use our pre-rendered Graphviz .png files.

Mermaid (.mmd)

Mermaid is another graph format that you can convert Attack Flow into. Notably, Mermaid graphs can be embedded directly in GitHub Markdown files.

List of Examples

Report

Authors

Description

Cobalt Kitty Campaign

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Eric Kannampuzha

Cobalt Kitty campaign conducted by OceanLotus.

Conti CISA Alert

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Dr. Desiree Beck

Conti ransomware flow based on CISA alert.

Conti PWC

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Dr. Desiree Beck

Conti ransomware flow based on PWC report.

Conti Ransomware

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Alaa Nasser

Based on DFIR report

Equifax Breach

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Lauren Parker

Attack flow on the 2017 Equifax breach.

FIN13 Case 1

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Mia Sanchez

Attack by FIN13 against a Latin American bank

FIN13 Case 2

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Mia Sanchez

Attack flow for the FIN13 campaign targeting a bank in Peru.

Gootloader

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Mia Sanchez

Attack flow on the Gootloader payload distribution attack.

Hancitor DLL

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Eric Kannampuzha

Attack flow on an intrusion using the Hancitor downloader.

JP Morgan Breach

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Lauren Parker

Attack flow on the 2014 JP Morgan breach.

Mac Malware Steals Crypto

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Eric Kannampuzha

Analysis of a malware family, OSX.DarthMiner, that targets MacOS.

Marriott Breach

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Lauren Parker

A data breach at the Marriott hotel group in 2018.

Muddy Water

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Mia Sanchez

Multiple campaigns attributed to an Iranian state-based actor.

NotPetya

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Mia Sanchez

Analysis of 2017 malware outbreak.

Ragnar Locker

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Mia Sanchez

Profile of a ransomware group

SWIFT Heist

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Lauren Parker

A financial crime involving the SWIFT banking network.

SolarWinds

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Lauren Parker

A well-known supply chain attack against an Austin, TX software company.

Sony Malware

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Lauren Parker

Attack flow on the malware believed to be behind the 2014 Sony breach.

Target Breach

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Lauren Parker

Attack flow for the 2013 Target breach.

Tesla Kubernetes Breach

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Mark Haase

A cryptomining attack discovered on a Tesla kubernetes (k8s) cluster.

Uber Breach

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Lauren Parker

A breach at Uber by the Lapsus$ group.

WhisperGate

Open: Attack Flow Builder

Download: JSON | GraphViz (PNG) | Mermaid (PNG)

Mia Sanchez

A Russian state-sponsored malware campaign targeting Ukraine.