Merge pull request #104 from center-for-threat-informed-defense/af161…

…-build-fixes AF-161 Fix Build
center-for-threat-informed-defense · Aug 31, 2023 · 77b26d2 · 77b26d2
2 parents 5c51a5c + 6aab2cb
commit 77b26d2
Show file tree

Hide file tree

Showing 47 changed files with 29,568 additions and 29,323 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -70,6 +70,11 @@ jobs:
         path: docs/extra/ui
     - name: Make Attack Flow schema
       run: poetry run make docs-schema
+    - name: Validate Corpus
+      env:
+        # Workaround for node.js bug: https://github.com/webpack/webpack/issues/14532
+        NODE_OPTIONS: "--openssl-legacy-provider"
+      run: poetry run make validate
     - name: Copy corpus into docs
       env:
         # Workaround for node.js bug: https://github.com/webpack/webpack/issues/14532

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -18,14 +18,12 @@ jobs:
       run: curl -sSL https://install.python-poetry.org/ | python -
     - name: Add Poetry to PATH
       run: echo "$HOME/.poetry/bin" >> $GITHUB_PATH
-    - name: Install dependencies
+    - name: Install Python dependencies
       run: poetry install
     - name: Check code formatting
       run: poetry run black --check src/attack_flow/
     - name: Run unit tests
       run: poetry run make test-ci
-    - name: Validate Corpus
-      run: poetry run make validate
     - name: Upload coverage to CodeCov
       uses: codecov/codecov-action@v1
       with:

diff --git a/Makefile b/Makefile
@@ -3,14 +3,15 @@ SOURCEDIR = docs/
 BUILDDIR = docs/_build/
 
 .PHONY: docs
-
 docs:
 	sphinx-build -M dirhtml "$(SOURCEDIR)" "$(BUILDDIR)"
 
-docs-examples:
+src/attack_flow_builder/dist/cli.common.js: src/attack_flow_builder/src/cli.ts
+	cd src/attack_flow_builder && env VUE_CLI_SERVICE_CONFIG_PATH="${ROOTDIR}src/attack_flow_builder/vue.cli.config.js" npx vue-cli-service build --target lib --name cli --formats commonjs --no-clean src/cli.ts
+
+docs-examples: src/attack_flow_builder/dist/cli.common.js
 	mkdir -p docs/extra/corpus
 	cp corpus/*.afb docs/extra/corpus
-	cd src/attack_flow_builder && env VUE_CLI_SERVICE_CONFIG_PATH="${ROOTDIR}src/attack_flow_builder/vue.cli.config.js" npx vue-cli-service build --target lib --name cli --formats commonjs --no-clean src/cli.ts
 	node src/attack_flow_builder/dist/cli.common.js --verbose corpus/*.afb
 	cp corpus/*.json docs/extra/corpus
 	ls -1 corpus/*.json | sed 's/corpus\/\(.*\)\.json/\1/' | xargs -t -I {} af graphviz "corpus/{}.json" "docs/extra/corpus/{}.dot"
@@ -41,7 +42,10 @@ test:
 test-ci:
 	pytest --cov=src/ --cov-report=xml
 
-validate:
+validate: src/attack_flow_builder/dist/cli.common.js
+	mkdir -p docs/extra/corpus
+	cp corpus/*.afb docs/extra/corpus
+	node src/attack_flow_builder/dist/cli.common.js --verbose corpus/*.afb
 	af validate \
 		stix/attack-flow-example.json \
 		corpus/*.json

diff --git a/README.md b/README.md
@@ -1,4 +1,6 @@
-[![build](https://github.com/center-for-threat-informed-defense/attack-flow/actions/workflows/build.yml/badge.svg)](https://github.com/center-for-threat-informed-defense/attack-flow/actions)
+[![MITRE ATT&CK® v13](https://img.shields.io/badge/MITRE%20ATT%26CK®-v13-red)](https://attack.mitre.org/versions/v13/)
+[![test](https://github.com/center-for-threat-informed-defense/attack-flow/actions/workflows/test.yml/badge.svg)](https://github.com/center-for-threat-informed-defense/attack-flow/actions/workflows/test.yml)
+[![build](https://github.com/center-for-threat-informed-defense/attack-flow/actions/workflows/build.yml/badge.svg)](https://github.com/center-for-threat-informed-defense/attack-flow/actions/workflows/build.yml)
 [![codecov](https://codecov.io/gh/center-for-threat-informed-defense/attack-flow/branch/main/graph/badge.svg?token=MSGpc9mM6U)](https://codecov.io/gh/center-for-threat-informed-defense/attack-flow)
 
 <!--
@@ -29,12 +31,12 @@ To get started, we suggest skimming the documentation to get familiar with the p
 your own attack flows using the Attack Flow Builder, which is an easy-to-use GUI tool. When you are ready to dive deep,
 review the Example Flows and JSON Schema for the language.
 
-| Resource                                                                                   | Description                                                              |
-| ------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
-| [Documentation](https://center-for-threat-informed-defense.github.io/attack-flow/) | Complete documentation for the Attack Flow project. |
-| [Attack Flow Builder](https://center-for-threat-informed-defense.github.io/attack-flow/ui/)                                                                        | An online GUI tool for building Attack Flows.                                    |
-| [JSON Schema](/stix/attack-flow-schema-2.0.0.json)                                   | The language specification expressed as a JSON Schema.                                      |
-| [Example Flows](/corpus/)                                                                  | A corpus of example Attack Flows.                                        |
+| Resource                                                                                    | Description                                            |
+| ------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
+| [Documentation](https://center-for-threat-informed-defense.github.io/attack-flow/)          | Complete documentation for the Attack Flow project.    |
+| [Attack Flow Builder](https://center-for-threat-informed-defense.github.io/attack-flow/ui/) | An online GUI tool for building Attack Flows.          |
+| [JSON Schema](/stix/attack-flow-schema-2.0.0.json)                                          | The language specification expressed as a JSON Schema. |
+| [Example Flows](/corpus/)                                                                   | A corpus of example Attack Flows.                      |
 
 ## Getting Involved
 

diff --git a/corpus/CISA AA22-138B VMWare Workspace (Alt).afb b/corpus/CISA AA22-138B VMWare Workspace (Alt).afb
diff --git a/corpus/CISA AA22-138B VMWare Workspace (TA1).afb b/corpus/CISA AA22-138B VMWare Workspace (TA1).afb
diff --git a/corpus/CISA AA22-138B VMWare Workspace (TA2).afb b/corpus/CISA AA22-138B VMWare Workspace (TA2).afb
diff --git a/corpus/CISA Iranian APT.afb b/corpus/CISA Iranian APT.afb
diff --git a/corpus/Cobalt Kitty Campaign.afb b/corpus/Cobalt Kitty Campaign.afb
diff --git a/corpus/Conti CISA Alert.afb b/corpus/Conti CISA Alert.afb
diff --git a/corpus/Conti PWC.afb b/corpus/Conti PWC.afb
diff --git a/corpus/Conti Ransomware.afb b/corpus/Conti Ransomware.afb
diff --git a/corpus/DFIR - BumbleBee Round 2.afb b/corpus/DFIR - BumbleBee Round 2.afb
diff --git a/corpus/Equifax Breach.afb b/corpus/Equifax Breach.afb
diff --git a/corpus/FIN13 Case 1.afb b/corpus/FIN13 Case 1.afb
diff --git a/corpus/FIN13 Case 2.afb b/corpus/FIN13 Case 2.afb
diff --git a/corpus/Gootloader.afb b/corpus/Gootloader.afb
diff --git a/corpus/Hancitor DLL.afb b/corpus/Hancitor DLL.afb
diff --git a/corpus/JP Morgan Breach.afb b/corpus/JP Morgan Breach.afb
diff --git a/corpus/Mac Malware Steals Crypto.afb b/corpus/Mac Malware Steals Crypto.afb
diff --git a/corpus/Marriott Breach.afb b/corpus/Marriott Breach.afb
diff --git a/corpus/Muddy Water.afb b/corpus/Muddy Water.afb
diff --git a/corpus/NotPetya.afb b/corpus/NotPetya.afb
diff --git a/corpus/Ragnar Locker.afb b/corpus/Ragnar Locker.afb
diff --git a/corpus/SWIFT Heist.afb b/corpus/SWIFT Heist.afb
diff --git a/corpus/SearchAwesome Adware.afb b/corpus/SearchAwesome Adware.afb
diff --git a/corpus/SearchAwesome_Adware.afb b/corpus/SearchAwesome_Adware.afb
diff --git a/corpus/Shamoon.afb b/corpus/Shamoon.afb
diff --git a/corpus/SolarWinds.afb b/corpus/SolarWinds.afb
diff --git a/corpus/Sony Malware.afb b/corpus/Sony Malware.afb
diff --git a/corpus/Target Breach.afb b/corpus/Target Breach.afb
diff --git a/corpus/Tesla Kubernetes Breach.afb b/corpus/Tesla Kubernetes Breach.afb
diff --git a/corpus/Uber Breach.afb b/corpus/Uber Breach.afb
diff --git a/corpus/WhisperGate.afb b/corpus/WhisperGate.afb
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -2,11 +2,11 @@ version: '3.8'
 
 services:
   attack-flow:
-    image: ghcr.io/center-for-threat-informed-defense/attack-flow:main
+    image: ghcr.io/center-for-threat-informed-defense/attack-flow:latest
     ## Uncomment this to use the local Dockerfile instead of the official image
     #build:
     #  context: .
     #  dockerfile: ./Dockerfile
     ports:
-      - 8081:80
-    restart: always
+      - 8080:80
+    restart: always
diff --git a/docs/example_flows.rst b/docs/example_flows.rst
@@ -30,7 +30,7 @@ Mermaid (.mmd)
 List of Examples
 ----------------
 
-.. EXAMPLE_FLOWS Generated by `af` tool at 2023-03-28T20:52:43.236877Z
+.. EXAMPLE_FLOWS Generated by `af` tool at 2023-08-30T22:09:45.871628Z
 
 .. list-table::
   :widths: 30 20 50
@@ -57,6 +57,15 @@ List of Examples
     - Lauren Parker
     - Threat Actor 1 exploited VMWare Workspace ONE Access through various methods
 
+  * - **CISA AA22-138B VMWare Workspace (TA2)**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fCISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.json">JSON</a> | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.dot">GraphViz</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.dot.png">PNG</a>) | <a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.mmd">Mermaid</a> (<a href="../corpus/CISA%20AA22-138B%20VMWare%20Workspace%20%28TA2%29.mmd.png">PNG</a>)
+    - Lauren Parker
+    - Threat Actor 2 exploited VMWare Workspace ONE Access through various methods
+
   * - **CISA Iranian APT**
 
       .. raw:: html
@@ -93,6 +102,24 @@ List of Examples
     - Dr. Desiree Beck
     - Conti ransomware flow based on PWC report.
 
+  * - **Conti Ransomware**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fConti%20Ransomware.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Conti%20Ransomware.json">JSON</a> | <a href="../corpus/Conti%20Ransomware.dot">GraphViz</a> (<a href="../corpus/Conti%20Ransomware.dot.png">PNG</a>) | <a href="../corpus/Conti%20Ransomware.mmd">Mermaid</a> (<a href="../corpus/Conti%20Ransomware.mmd.png">PNG</a>)
+    - Alaa Nasser
+    - Based on DFIR report
+
+  * - **DFIR - BumbleBee Round 2**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fDFIR%20-%20BumbleBee%20Round%202.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.json">JSON</a> | <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.dot">GraphViz</a> (<a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.dot.png">PNG</a>) | <a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.mmd">Mermaid</a> (<a href="../corpus/DFIR%20-%20BumbleBee%20Round%202.mmd.png">PNG</a>)
+    - Kevin Lo
+    - A documented BumbleBee Malware intrusion by the DFIR Report occurring in May 2022 
+
   * - **Equifax Breach**
 
       .. raw:: html
@@ -102,6 +129,15 @@ List of Examples
     - Lauren Parker
     - Attack flow on the 2017 Equifax breach.
 
+  * - **FIN13 Case 1**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fFIN13%20Case%201.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/FIN13%20Case%201.json">JSON</a> | <a href="../corpus/FIN13%20Case%201.dot">GraphViz</a> (<a href="../corpus/FIN13%20Case%201.dot.png">PNG</a>) | <a href="../corpus/FIN13%20Case%201.mmd">Mermaid</a> (<a href="../corpus/FIN13%20Case%201.mmd.png">PNG</a>)
+    - Mia Sanchez
+    - Attack by FIN13 against a Latin American bank
+
   * - **FIN13 Case 2**
 
       .. raw:: html
@@ -111,6 +147,15 @@ List of Examples
     - Mia Sanchez
     - Attack flow for the FIN13 campaign targeting a bank in Peru. 
 
+  * - **Gootloader**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fGootloader.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Gootloader.json">JSON</a> | <a href="../corpus/Gootloader.dot">GraphViz</a> (<a href="../corpus/Gootloader.dot.png">PNG</a>) | <a href="../corpus/Gootloader.mmd">Mermaid</a> (<a href="../corpus/Gootloader.mmd.png">PNG</a>)
+    - Mia Sanchez
+    - Attack flow on the Gootloader payload distribution attack.
+
   * - **Hancitor DLL**
 
       .. raw:: html
@@ -147,6 +192,15 @@ List of Examples
     - Lauren Parker
     - A data breach at the Marriott hotel group in 2018.
 
+  * - **Muddy Water**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMuddy%20Water.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Muddy%20Water.json">JSON</a> | <a href="../corpus/Muddy%20Water.dot">GraphViz</a> (<a href="../corpus/Muddy%20Water.dot.png">PNG</a>) | <a href="../corpus/Muddy%20Water.mmd">Mermaid</a> (<a href="../corpus/Muddy%20Water.mmd.png">PNG</a>)
+    - Mia Sanchez
+    - Multiple campaigns attributed to an Iranian state-based actor.
+
   * - **NotPetya**
 
       .. raw:: html
@@ -174,6 +228,24 @@ List of Examples
     - Lauren Parker
     - A financial crime involving the SWIFT banking network.
 
+  * - **SearchAwesome Adware**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fSearchAwesome%20Adware.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/SearchAwesome%20Adware.json">JSON</a> | <a href="../corpus/SearchAwesome%20Adware.dot">GraphViz</a> (<a href="../corpus/SearchAwesome%20Adware.dot.png">PNG</a>) | <a href="../corpus/SearchAwesome%20Adware.mmd">Mermaid</a> (<a href="../corpus/SearchAwesome%20Adware.mmd.png">PNG</a>)
+    - Lauren Parker
+    - SearchAwesome adware intercepts encrypted web traffic to inject ads
+
+  * - **Shamoon**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fShamoon.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Shamoon.json">JSON</a> | <a href="../corpus/Shamoon.dot">GraphViz</a> (<a href="../corpus/Shamoon.dot.png">PNG</a>) | <a href="../corpus/Shamoon.mmd">Mermaid</a> (<a href="../corpus/Shamoon.mmd.png">PNG</a>)
+    - Lauren Parker
+    - Malware family targeting energy, government, and telecom in the middle east and europe.
+
   * - **SolarWinds**
 
       .. raw:: html