Tweak the attack tree example so that it passes validation

center-for-threat-informed-defense · Jul 9, 2024 · bf5a3f6 · bf5a3f6
1 parent a4620fe
commit bf5a3f6
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 2 deletions.
diff --git a/corpus/Attack Tree Example.afb b/corpus/Attack Tree Example.afb
diff --git a/corpus/Example Attack Tree.afb b/corpus/Example Attack Tree.afb
diff --git a/docs/example_flows.rst b/docs/example_flows.rst
@@ -30,7 +30,7 @@ Mermaid (.mmd)
 List of Examples
 ----------------
 
-.. EXAMPLE_FLOWS Generated by `af` tool at 2023-08-30T22:09:45.871628Z
+.. EXAMPLE_FLOWS Generated by `af` tool at 2024-07-09T15:42:30.934512Z
 
 .. list-table::
   :widths: 30 20 50
@@ -129,6 +129,15 @@ List of Examples
     - Lauren Parker
     - Attack flow on the 2017 Equifax breach.
 
+  * - **Example Attack Tree**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fExample%20Attack%20Tree.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Example%20Attack%20Tree.json">JSON</a> | <a href="../corpus/Example%20Attack%20Tree.dot">GraphViz</a> (<a href="../corpus/Example%20Attack%20Tree.dot.png">PNG</a>) | <a href="../corpus/Example%20Attack%20Tree.mmd">Mermaid</a> (<a href="../corpus/Example%20Attack%20Tree.mmd.png">PNG</a>)
+    - Center for Threat-Informed Defense
+    - This flow illustrates how to build an attack tree using Attack Flow Builder.
+
   * - **FIN13 Case 1**
 
       .. raw:: html
@@ -165,6 +174,15 @@ List of Examples
     - Eric Kannampuzha
     - Attack flow on an intrusion using the Hancitor downloader.
 
+  * - **Ivanti Vulnerabilities**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fIvanti%20Vulnerabilities.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Ivanti%20Vulnerabilities.json">JSON</a> | <a href="../corpus/Ivanti%20Vulnerabilities.dot">GraphViz</a> (<a href="../corpus/Ivanti%20Vulnerabilities.dot.png">PNG</a>) | <a href="../corpus/Ivanti%20Vulnerabilities.mmd">Mermaid</a> (<a href="../corpus/Ivanti%20Vulnerabilities.mmd.png">PNG</a>)
+    - Mark Haase
+    - A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This flow describes an unnamed organization that is a Volexity customer.
+
   * - **JP Morgan Breach**
 
       .. raw:: html
@@ -174,6 +192,24 @@ List of Examples
     - Lauren Parker
     - Attack flow on the 2014 JP Morgan breach.
 
+  * - **MITRE NERVE**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMITRE%20NERVE.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/MITRE%20NERVE.json">JSON</a> | <a href="../corpus/MITRE%20NERVE.dot">GraphViz</a> (<a href="../corpus/MITRE%20NERVE.dot.png">PNG</a>) | <a href="../corpus/MITRE%20NERVE.mmd">Mermaid</a> (<a href="../corpus/MITRE%20NERVE.mmd.png">PNG</a>)
+    - Center for Threat-Informed Defense
+    - A nation-state actor intrusion starting in Jan 2024. © 2024 MITRE Engenuity. Approved for public release. Document number CT0121.
+
+  * - **Maastricht University Ransomware**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fMaastricht%20University%20Ransomware.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Maastricht%20University%20Ransomware.json">JSON</a> | <a href="../corpus/Maastricht%20University%20Ransomware.dot">GraphViz</a> (<a href="../corpus/Maastricht%20University%20Ransomware.dot.png">PNG</a>) | <a href="../corpus/Maastricht%20University%20Ransomware.mmd">Mermaid</a> (<a href="../corpus/Maastricht%20University%20Ransomware.mmd.png">PNG</a>)
+    - Joni Bimbashi
+    - In 2019, the Maastricht University was targeted by a ransomware attack. At least 267 internal servers were affected in this incident.
+
   * - **Mac Malware Steals Crypto**
 
       .. raw:: html
@@ -210,6 +246,24 @@ List of Examples
     - Mia Sanchez
     - Analysis of 2017 malware outbreak.
 
+  * - **OceanLotus**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fOceanLotus.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/OceanLotus.json">JSON</a> | <a href="../corpus/OceanLotus.dot">GraphViz</a> (<a href="../corpus/OceanLotus.dot.png">PNG</a>) | <a href="../corpus/OceanLotus.mmd">Mermaid</a> (<a href="../corpus/OceanLotus.mmd.png">PNG</a>)
+    - Maggie MacAlpine
+    - OceanLotus Operations Flow 
+
+  * - **REvil**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fREvil.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/REvil.json">JSON</a> | <a href="../corpus/REvil.dot">GraphViz</a> (<a href="../corpus/REvil.dot.png">PNG</a>) | <a href="../corpus/REvil.mmd">Mermaid</a> (<a href="../corpus/REvil.mmd.png">PNG</a>)
+    - Jackie Lasky
+    - Profile of a ransomware group
+
   * - **Ragnar Locker**
 
       .. raw:: html
@@ -282,6 +336,24 @@ List of Examples
     - Mark Haase
     - A cryptomining attack discovered on a Tesla kubernetes (k8s) cluster.
 
+  * - **Turla - Carbon Emulation Plan**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fTurla%20-%20Carbon%20Emulation%20Plan.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.json">JSON</a> | <a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.dot">GraphViz</a> (<a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.dot.png">PNG</a>) | <a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.mmd">Mermaid</a> (<a href="../corpus/Turla%20-%20Carbon%20Emulation%20Plan.mmd.png">PNG</a>)
+    - Lauren Parker
+    - The emulation plan, created by the ATT&CK ® Evaluations team, used during Day 1 of the ATT&CK evaluations Round 5. This scenario focuses on Carbon, a second-stage backdoor and framework that targets Windows and Linux infrastructures and provides data exfiltration capabilities.
+
+  * - **Turla - Snake Emulation Plan**
+
+      .. raw:: html
+
+        <p><em>Open:</em> <a target="_blank" href="../ui/?src=..%2fcorpus%2fTurla%20-%20Snake%20Emulation%20Plan.afb"></i>Attack Flow Builder</a></p>
+        <p><em>Download:</em> <a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.json">JSON</a> | <a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.dot">GraphViz</a> (<a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.dot.png">PNG</a>) | <a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.mmd">Mermaid</a> (<a href="../corpus/Turla%20-%20Snake%20Emulation%20Plan.mmd.png">PNG</a>)
+    - Lauren Parker
+    - The emulation plan, created by the ATT&CK ® Evaluations team, used during Day 2 of the ATT&CK evaluations Round 5. This scenario focuses on Snake, a rootkit used to compromise computers and exfiltrate data.
+
   * - **Uber Breach**
 
       .. raw:: html