Example Flows

The Attack Flow project includes a corpus of example flows that may be useful for learning about Attack Flow, studying high-profile breaches, or mining the data for statistical patterns. You can download the entire corpus from the Attack Flow release page, or you can view individual flows on this page.

List of Examples

Black Basta Ransomware

Author: Lauren Parker

Description: Black Basta is a RaaS (Ransomware as a Service), written in C++, that has been in development since February 2022 and in active use since April 2022. Operators using Black Basta employ a double-extortion technique where they encrypt files on the target systems and demand payment for the decryption key while also threatening to leak the information if they are not paid.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

CISA AA22-138B VMWare Workspace (Alt)

Author: Lauren Parker

Description: Alternative method used to exploit VMWare Workspace ONE Access

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

CISA AA22-138B VMWare Workspace (TA1)

Author: Lauren Parker

Description: Threat Actor 1 exploited VMWare Workspace ONE Access through various methods

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

CISA AA22-138B VMWare Workspace (TA2)

Author: Lauren Parker

Description: Threat Actor 2 exploited VMWare Workspace ONE Access through various methods

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

CISA Iranian APT

Author: Lauren Parker

Description: Iranian APT exploited Log4Shell and deployed XMRig crypto mining software.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Cobalt Kitty Campaign

Author: Eric Kannampuzha

Description: Cobalt Kitty campaign conducted by OceanLotus.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Conti CISA Alert

Author: Dr. Desiree Beck

Description: Conti ransomware flow based on CISA alert.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Conti PWC

Author: Dr. Desiree Beck

Description: Conti ransomware flow based on PWC report.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Conti Ransomware

Author: Alaa Nasser

Description: Based on DFIR report

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

DFIR - BumbleBee Round 2

Author: Kevin Lo

Description: A documented BumbleBee Malware intrusion by the DFIR Report occurring in May 2022

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Equifax Breach

Author: Lauren Parker

Description: Attack flow on the 2017 Equifax breach.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Example Attack Tree

Author: MITRE Center for Threat-Informed Defense

Description: This flow illustrates how to build an attack tree using Attack Flow Builder.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

FIN13 Case 1

Author: Mia Sanchez

Description: Attack by FIN13 against a Latin American bank

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

FIN13 Case 2

Author: Mia Sanchez

Description: Attack flow for the FIN13 campaign targeting a bank in Peru.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Gootloader

Author: Mia Sanchez

Description: Attack flow on the Gootloader payload distribution attack.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Hancitor DLL

Author: Eric Kannampuzha

Description: Attack flow on an intrusion using the Hancitor downloader.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Ivanti Vulnerabilities

Author: Mark Haase

Description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This flow describes an unnamed organization that is a Volexity customer.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

JP Morgan Breach

Author: Lauren Parker

Description: Attack flow on the 2014 JP Morgan breach.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

MITRE NERVE

Author: MITRE Center for Threat-Informed Defense

Description: A nation-state actor intrusion starting in Jan 2024. © 2024 The MITRE Corporation. Approved for public release. Document number CT0121.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Maastricht University Ransomware

Author: Joni Bimbashi

Description: In 2019, the Maastricht University was targeted by a ransomware attack. At least 267 internal servers were affected in this incident.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Mac Malware Steals Crypto

Author: Eric Kannampuzha

Description: Analysis of a malware family, OSX.DarthMiner, that targets MacOS.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Marriott Breach

Author: Lauren Parker

Description: A data breach at the Marriott hotel group in 2018.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Muddy Water

Author: Mia Sanchez

Description: Multiple campaigns attributed to an Iranian state-based actor.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

NotPetya

Author: Mia Sanchez

Description: Analysis of 2017 malware outbreak.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

OceanLotus

Author: Maggie MacAlpine

Description: OceanLotus Operations Flow

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

REvil

Author: Jackie Lasky

Description: Profile of a ransomware group

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Ragnar Locker

Author: Mia Sanchez

Description: Profile of a ransomware group

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

SWIFT Heist

Author: Lauren Parker

Description: A financial crime involving the SWIFT banking network.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

SearchAwesome Adware

Author: Lauren Parker

Description: SearchAwesome adware intercepts encrypted web traffic to inject ads

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Shamoon

Author: Lauren Parker

Description: Malware family targeting energy, government, and telecom in the middle east and europe.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

SolarWinds

Author: Lauren Parker

Description: A well-known supply chain attack against an Austin, TX software company.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Sony Malware

Author: Lauren Parker

Description: Attack flow on the malware believed to be behind the 2014 Sony breach.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Target Breach

Author: Lauren Parker

Description: Attack flow for the 2013 Target breach.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Tesla Kubernetes Breach

Author: Mark Haase

Description: A cryptomining attack discovered on a Tesla kubernetes (k8s) cluster.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Turla - Carbon Emulation Plan

Author: Lauren Parker

Description: The emulation plan, created by the ATT&CK ® Evaluations team, used during Day 1 of the ATT&CK evaluations Round 5. This scenario focuses on Carbon, a second-stage backdoor and framework that targets Windows and Linux infrastructures and provides data exfiltration capabilities.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Turla - Snake Emulation Plan

Author: Lauren Parker

Description: The emulation plan, created by the ATT&CK ® Evaluations team, used during Day 2 of the ATT&CK evaluations Round 5. This scenario focuses on Snake, a rootkit used to compromise computers and exfiltrate data.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Uber Breach

Author: Lauren Parker

Description: A breach at Uber by the Lapsus$ group.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

WhisperGate

Author: Mia Sanchez

Description: A Russian state-sponsored malware campaign targeting Ukraine.

Open: Attack Flow Builder

Download: Attack Flow | STIX | GraphViz (PNG) | Mermaid

Formats

Each Attack Flow is provided in multiple formats:

Attack Flow (.afb)

The format used for creating and editing in the Attack Flow Builder.

STIX (.json)

The machine-readable format for exchanging flows.

Graphviz (.dot)

An example of converting from Attack Flow to another graph format in order to take advantage of other tool ecosystems. Must install Graphviz to use this format, or use our pre-rendered Graphviz .png files.

Mermaid (.mmd)

Mermaid is another graph format that you can convert Attack Flow into. Notably, Mermaid graphs can be embedded directly in GitHub Markdown files.

PNG (.png)

A rendering of the one of the above file formats into an image format.