Fix build

- Fix broken python test - Add workaround for using Browser.ts in non-browser context - Run `make docs-examples` to update example_flows.rst
center-for-threat-informed-defense · Aug 31, 2023 · 71139f2 · 71139f2
1 parent f0204a4
commit 71139f2
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 19 deletions.
diff --git a/docs/example_flows.rst b/docs/example_flows.rst
@@ -30,7 +30,7 @@ Mermaid (.mmd)
 List of Examples
 ----------------
 
-.. EXAMPLE_FLOWS Generated by `af` tool at 2023-03-28T20:52:43.236877Z
+.. EXAMPLE_FLOWS Generated by `af` tool at 2023-08-30T22:09:45.871628Z
 
 .. list-table::
   :widths: 30 20 50
@@ -57,6 +57,15 @@ List of Examples
     - Lauren Parker
     - Threat Actor 1 exploited VMWare Workspace ONE Access through various methods
 
+  * - **CISA AA22-138B VMWare Workspace (TA2)**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fCISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.json">JSON</a> | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.dot">GraphViz</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.dot.png">PNG</a>) | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.mmd">Mermaid</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.mmd.png">PNG</a>)
+    - Lauren Parker
+    - Threat Actor 2 exploited VMWare Workspace ONE Access through various methods
+
   * - **CISA Iranian APT**
 
       .. raw:: html
@@ -93,6 +102,24 @@ List of Examples
     - Dr. Desiree Beck
     - Conti ransomware flow based on PWC report.
 
+  * - **Conti Ransomware**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fConti%20Ransomware.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Conti%20Ransomware.json">JSON</a> | <a href="../corpus/Conti%20Ransomware.dot">GraphViz</a> (<a href="../corpus/Conti%20Ransomware.dot.png">PNG</a>) | <a href="../corpus/Conti%20Ransomware.mmd">Mermaid</a> (<a href="../corpus/Conti%20Ransomware.mmd.png">PNG</a>)
+    - Alaa Nasser
+    - Based on DFIR report
+
+  * - **DFIR - BumbleBee Round 2**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fDFIR%20-%20BumbleBee%20Round%202.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.json">JSON</a> | <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.dot">GraphViz</a> (<a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.dot.png">PNG</a>) | <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.mmd">Mermaid</a> (<a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.mmd.png">PNG</a>)
+    - Kevin Lo
+    - A documented BumbleBee Malware intrusion by the DFIR Report occurring in May 2022 
+
   * - **Equifax Breach**
 
       .. raw:: html
@@ -102,6 +129,15 @@ List of Examples
     - Lauren Parker
     - Attack flow on the 2017 Equifax breach.
 
+  * - **FIN13 Case 1**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fFIN13%20Case%201.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/FIN13%20Case%201.json">JSON</a> | <a href="../corpus/FIN13%20Case%201.dot">GraphViz</a> (<a href="../corpus/FIN13%20Case%201.dot.png">PNG</a>) | <a href="../corpus/FIN13%20Case%201.mmd">Mermaid</a> (<a href="../corpus/FIN13%20Case%201.mmd.png">PNG</a>)
+    - Mia Sanchez
+    - Attack by FIN13 against a Latin American bank
+
   * - **FIN13 Case 2**
 
       .. raw:: html
@@ -111,6 +147,15 @@ List of Examples
     - Mia Sanchez
     - Attack flow for the FIN13 campaign targeting a bank in Peru. 
 
+  * - **Gootloader**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fGootloader.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Gootloader.json">JSON</a> | <a href="../corpus/Gootloader.dot">GraphViz</a> (<a href="../corpus/Gootloader.dot.png">PNG</a>) | <a href="../corpus/Gootloader.mmd">Mermaid</a> (<a href="../corpus/Gootloader.mmd.png">PNG</a>)
+    - Mia Sanchez
+    - Attack flow on the Gootloader payload distribution attack.
+
   * - **Hancitor DLL**
 
       .. raw:: html
@@ -147,6 +192,15 @@ List of Examples
     - Lauren Parker
     - A data breach at the Marriott hotel group in 2018.
 
+  * - **Muddy Water**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMuddy%20Water.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Muddy%20Water.json">JSON</a> | <a href="../corpus/Muddy%20Water.dot">GraphViz</a> (<a href="../corpus/Muddy%20Water.dot.png">PNG</a>) | <a href="../corpus/Muddy%20Water.mmd">Mermaid</a> (<a href="../corpus/Muddy%20Water.mmd.png">PNG</a>)
+    - Mia Sanchez
+    - Multiple campaigns attributed to an Iranian state-based actor.
+
   * - **NotPetya**
 
       .. raw:: html
@@ -174,6 +228,24 @@ List of Examples
     - Lauren Parker
     - A financial crime involving the SWIFT banking network.
 
+  * - **SearchAwesome Adware**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fSearchAwesome%20Adware.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/SearchAwesome%20Adware.json">JSON</a> | <a href="../corpus/SearchAwesome%20Adware.dot">GraphViz</a> (<a href="../corpus/SearchAwesome%20Adware.dot.png">PNG</a>) | <a href="../corpus/SearchAwesome%20Adware.mmd">Mermaid</a> (<a href="../corpus/SearchAwesome%20Adware.mmd.png">PNG</a>)
+    - Lauren Parker
+    - SearchAwesome adware intercepts encrypted web traffic to inject ads
+
+  * - **Shamoon**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fShamoon.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Shamoon.json">JSON</a> | <a href="../corpus/Shamoon.dot">GraphViz</a> (<a href="../corpus/Shamoon.dot.png">PNG</a>) | <a href="../corpus/Shamoon.mmd">Mermaid</a> (<a href="../corpus/Shamoon.mmd.png">PNG</a>)
+    - Lauren Parker
+    - Malware family targeting energy, government, and telecom in the middle east and europe.
+
   * - **SolarWinds**
 
       .. raw:: html

diff --git a/src/attack_flow_builder/src/assets/scripts/Browser.ts b/src/attack_flow_builder/src/assets/scripts/Browser.ts
@@ -9,7 +9,10 @@ class DeviceManager extends EventEmitter<{
      */
     constructor() {
         super();
-        this.listenForPixelRatioChange();
+        if (typeof document !== "undefined") {
+            this.listenForPixelRatioChange();
+            this._aLink = document.createElement("a");
+        }
     }
 
 
@@ -21,7 +24,7 @@ class DeviceManager extends EventEmitter<{
     /**
      * The internal download link used to initiate downloads.
      */
-    private static _aLink = document.createElement("a");
+    private _aLink?: HTMLAnchorElement;
 
     /**
      * Downloads a text file.
@@ -34,12 +37,14 @@ class DeviceManager extends EventEmitter<{
      *  (Default: 'txt')
      */
     public downloadTextFile(filename: string, text: string, ext = "txt") {
-        let blob = new Blob([text], { type: "octet/stream" });
-        let url = window.URL.createObjectURL(blob);
-        DeviceManager._aLink.href = url;
-        DeviceManager._aLink.download = `${ filename }.${ ext }`;
-        DeviceManager._aLink.click();
-        window.URL.revokeObjectURL(url);
+        if (this._aLink) {
+            let blob = new Blob([text], { type: "octet/stream" });
+            let url = window.URL.createObjectURL(blob);
+            this._aLink.href = url;
+            this._aLink.download = `${ filename }.${ ext }`;
+            this._aLink.click();
+            window.URL.revokeObjectURL(url);
+        }
     }
 
     /**
@@ -51,14 +56,16 @@ class DeviceManager extends EventEmitter<{
      */
     public downloadImageFile(filename: string, canvas: HTMLCanvasElement) {
         canvas.toBlob(blob => {
-            if(!blob)
-                return;
-            let url = window.URL.createObjectURL(blob);
-            DeviceManager._aLink.href = url;
-            DeviceManager._aLink.download = `${ filename }.png`
-            DeviceManager._aLink.click();
-            window.URL.revokeObjectURL(url);
-        }, "image/octet-stream")
+            if (this._aLink) {
+                if(!blob)
+                    return;
+                let url = window.URL.createObjectURL(blob);
+                this._aLink.href = url;
+                this._aLink.download = `${ filename }.png`
+                this._aLink.click();
+                window.URL.revokeObjectURL(url);
+            }
+        }, "image/octet-stream");
     }
 
 

diff --git a/tests/test_schema.py b/tests/test_schema.py
@@ -349,11 +349,15 @@ def test_invalid_ref():
         assert len(result.messages) == 2
         assert (
             str(result.messages[0])
-            == "[error] attack-foobar--168a4027-1572-492b-a80b-8eb01954afb3: 'attack-foobar--168a4027-1572-492b-a80b-8eb01954afb3' does not match '^(attack-action|attack-condition)--'"
+            == "[error] attack-foobar--168a4027-1572-492b-a80b-8eb01954afb3: "
+            "'attack-foobar--168a4027-1572-492b-a80b-8eb01954afb3' does not match "
+            "'^(attack-action|attack-condition)--'"
         )
         assert (
             str(result.messages[1])
-            == "[error] Unable to parse this flow as STIX 2.1 (maybe as a result of previous errors)"
+            == "[error] Unable to parse this flow as STIX 2.1: Invalid value for AttackFlow 'start_refs': "
+            "The type-specifying prefix 'attack-foobar' for this property is not one of the valid types "
+            "for this property: attack-action, attack-condition."
         )