Hopefully I haven't missed an obvious tooltip somewhere, but trying controls typically associated with click-and-drag object selection (e.g. holding down or while you drag your mouse to select objects) hasn't worked for me.

The best I can get is to hold and select multiple individual nodes, one by one. This becomes impractical when I've got a large graph that I need to re-orient or simply make space in to add missing actions that I find later in my analysis.

Attempting to design a user interface using this schema. And have a couple of questions:

The purpose of Object Properties is not clear, and none of the corpus json examples include any populated object properties. Can you provide an example of it's usage, along with a use case justification?

Also unsure on Logic Operators - how do they interact?

Related to #40, how does the community use the attack flow JSON files to publish quality diagrams, such as this one?

Are you able to share what tooling was used [to generate this]?
Edit (opening question is still valid): Found the answer. They were manually(?) generated drawio diagrams (e.g. https://github.com/center-for-threat-informed-defense/attack-flow/blob/main/data/action-object-tesla.drawio).

In the attack_flow_builder directory

s/b

In the attack_flow_designer directory

Hi:
Noticed the atomic-red-team has a command field for attack detail.
eg:

  input_arguments:
    executable_binary:
      description: Binary to execute with UAC Bypass
      type: Path
      default: C:\Windows\System32\cmd.exe
  executor:
    command: |
      reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
      cmd.exe /c eventvwr.msc
    cleanup_command: |
      reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1

Looks like attack-flow do not have this fileds. It is hard to do a real test on a target machine.

It is a bug or a feature?
Any help will be appreciated.
Thanks!

Attempting to type input to any of the fields results in the string being entered in reverse. E.g. typing "Initial Access" causes it to appear as:

This isn't happening anywhere else in my OS or browser, so I can only assume this is a behaviour of the platform. If so, is there a way to disable this, or is this a bug somehow?

It would be useful to be able to have pre-built schemas for common tool outputs, such as from Volatility modules, Eric Zimmerman's suite of tools, popular open-source forensics tools (AmcacheParser, appcompatprocessor.py, etc...) frameworks (like Kansa PowerShell IR Framework, etc...), and suites (Sysinternals Suite [Autorunsc.exe, Sysmon, etc...]). The schemas would allow for the forensic outputs to marry together on one graph database, which would be SUPER useful. Instead of endless spreadsheets to cipher through, an ability to aggregate the data into one common operating picture would take forensics analysis to another level.

Obviously, there would be a ton of links and nodes (and associated attributres!), but that is for the end user to figure out in terms of processing. I for one think that is a good problem to have and a tremendous step in the right direction.

Hi,
We wonder what are the guidelines for using the "OR" operator when constructing an attack flow with parallel attack paths as we have seen two different ways to build an attack flow with this operator.

The first way follows the semantics of the "OR" operator. This means that we should use the "OR" operator only when we reach the end of parallel attack paths (source: https://center-for-threat-informed-defense.github.io/attack-flow/introduction/#operator-objects). Such an example is depicted in the figure just below.

The second way is to add an "OR" operator before starting to split the flow into parallel attack flows, while still having an "OR" operator at the end of these parallel attack flows to combine them again. Such an example is shown in the figure just below and also available in the Conti CISA Alert example (see https://center-for-threat-informed-defense.github.io/attack-flow/ui/?src=..%2fcorpus%2fConti%20CISA%20Alert.afb).

In this alternative, we can assume that the authors just wanted to explicitly emphasize that they have parallel attack flows, right?

So what is the best way to draw parallel attack flows with the "OR" operator?

Hello,
As part of a research project, we developed several attack flows using the builder tool and then saved those as json format. Now, we cannot visualize or edit the flows in the builder tool because the open file option of the builder tool only accepts afb formats.

We have also looked at the documentation to find if we can convert json to afb programmatically, but no luck. Only thing we found that is validating json files and converting json files to dotm or SVG formats.

How can we reuse the json files? Any help or suggestions?

Thanks in advance.

Currently there is a "reference" field which may link to a ATT&CK ID, but there is no way to link to the normative MITRE STIX objects for ATT&CK. A field or relationship should be added to that one can create this linkage in some way, because there is currently no way to look up the STIX object for an ATT&CK technique ID programatically.

I think there should be changes to the Windows Registry Key. For instance, this is how I would put in a Windows Registry Key; however, this gives an error.

Oftentimes, reports just have the location of the registry key (in this example, HKEY_CURRENT_USER\Control Panel\Desktop) and not any of the value information.

The way to put in a Registry Key and not get an error is to do this:

However, this looks like you haven’t put in anything for the Registry Key in the overall flow (you have to click in to the Registry Key node then expand the Values section to actually see the registry key). My suggestion – don’t require the “Value” section to have any data to be a correct flow (to not throw an error), just the “Key” section, especially since many reports may not include information on the Values, just to modify registry key.

Hi. There is a little error that may impact with STIX integration. The property "pattern_version" is implemented as "patter_version".

I was going to propose a change with a pull request but I don't know if it would have an impact on the flows already built. I hope you can fix this bug.

https://github.com/center-for-threat-informed-defense/attack-flow/blob/7904d44ff755e8b3672a85d72f0848a61327edfa/src/attack_flow_builder/src/assets/configuration/builder.config.ts#L337C12-L337C82

This page https://center-for-threat-informed-defense.github.io/attack-flow/builder/ takes me to this repo and the link said that if I don't want to use docker, I can download the Attack_Flow_builder.zip from the release page, but I don't see that file. Can you provide one?

Hey all, I have been attempting to get started with this project and used this step by step: https://github.com/center-for-threat-informed-defense/attack-flow

Here are the steps I have done:

• cloned the repo: https://github.com/center-for-threat-informed-defense/attack-flow
• ran the following commands in the folder of the cloned repo:
  • python3 -m venv .venv
  • source .venv/bin/activate
  • pip install -r requirements/requirements.txt
  • pip install -r requirements/test-requirements.txt
  • make

Once I run make, I get an error saying "Error while finding module specification for 'attack_flow.scripts.validate_doc' (ModuleNotFoundError: No module named 'attack_flow')
make: *** [precommit] Error 1"

What am I doing wrong?

Also, I see that you can load in .afd files in the index.html to design a flow, and also make your own. You can publish these as .json to be ran, but what folder must these .json flows live in to be ran? Is it ran with the make command from above?

The docker-compose.yml workflow runs against the :latest tag for the docker image, and the workflow does not depend on the execution of the docker.yml workflow. So it's really testing some previous version of the docker image, not the one associated with the current PR/commit.

We probably need to merge the docker-compose test into the docker workflow in such a way that it runs after the image is successfully built. (And be sure to use the correct tag -- I'm not sure if our docker build updates the :latest tag or not.)

Currently the "reference" data type says

"A reference for the action. May be a URL to an ATT&CK technique."

Because this is a "MAY", there is currently no way to know in code if it is actually a technique ID or not.

I would suggest that reference should always point at the ATT&CK technique if it is present. Otherwise, a new field should be added to this object to convey that information. Code that consumes this object needs a consistent way to know which technique ID is being referred to.

I understand the docs already mention that this is a focus for a future release, so I guess I am curious where the state of this is and if we can expect this soon? Are contributions on this feature desired from the community?

Problem: I lost a few hours of work today because I forgot to File-->Save and retain a copy of the AFB locally. I knew the risks, gambled, and lost my progress building out an attack flow. It's really easy to accidentally close a tab.

Proposed solution: I understand this project wants to keep user data client side, and I think that's great. But I would love for a more robust option rather than having to remember to save copies of my work every few minutes.

• Idea: allow the user to consent/opt-in to store AFB data client side in the browser, such as in local storage. If a user closes their tab, re-opening the UI would pull the data from local storage and they can continue editing.
• Idea: allow a flag to be set on the Docker container that would save progress to a volume/mount. This way my data is always updating on my disk without me having to click save, then it makes it easy for me to track with git. Obviously this option isn't enabled for the public UI, but if users want this option they can run the container locally and configure it as such.

RELATED, but different suggestion (if you want me to move this to another issue, LMK):

Make it painfully clear in the documentation that saving the JSON (File-->Publish) is not enough to save your data to continue editing it later. If I try to open a JSON file in the UI, nothing shows up because it is not the required data format (.AFB). Maybe even have a popup on the UI warn a user that when they upload a JSON file that it is the wrong format. My first time using the tool I was a bit confused between Publish and Save. Perhaps even consolidate Save and Publish into one option that downloads both files at the same time.

Adding auto-complete for the technique ID field of Action objects would help immensely, as it not only makes it easier to cite Techniques, but also ensures they're consistent and not subject to typos.

Being able to add multiple Techniques to a single Action object would also be helpful - though I understand if your view is that this isn't in keeping with the design intent of this project.

It would be useful for my particular use case, though. See below for an example:

In visualising a long and complex intrusion, breaking each Technique into its own Action object would result in a sprawling diagram that would be hard to navigate.

My preference is to use the Name field to describe distinct stages of the intrusion, elaborating in the Description field while also inserting the relevant Technique IDs. In doing so I can condense multi-staged attack paths into more compact diagrams, broken up by milestones in the intrusion.

Hi,

Using the latest version (commit a3800be134c07d8aa281b85fa6d83df3121c3446) I have the following error:

Uncaught TypeError: crypto.randomUUID is not a function
    at new n (DiagramObjectModel.ts:98:49)
    at new y (DiagramRootModel.ts:37:9)
    at new S (PageModel.ts:48:9)
    at S.createDummy (PageModel.ts:65:16)
    at L.createDummy (PageEditor.ts:104:43)
    at Module.cd49 (ApplicationStore.ts:13:30)
    at l (bootstrap:89:22)
    at 0 (app.63248f86.js:1:3257)
    at l (bootstrap:89:22)
    at i (bootstrap:45:15)

I am deploying attack-flow via the provided dockerfile.

Also, are you going to publish stables docker images on dockerhub ?

Thanks

Hello,
The project is really interesting !
To be honest, I could already see myself confronting my entire CTI database with this project, in order to convert my data from lists to graphs.
Knowing that this quote is positioned as a preamble to the Project Overview, I thought it would be possible to import my TTP lists automatically, and then finish the graphs manually (in an 80/20 approach).

However, I have not found how to import a STIX bundle directly into the Builder engine.
I'm obviously thinking of a classic STIX bundle, i.e. not containing the custom ATT&CK objects, like the APT1 bundle: https://github.com/oasis-open/cti-documentation/blob/main/examples/example_json/apt1.json

Am I doing something wrong or is it not possible to import such bundles at this time?
My database contains 300+ STIX bundles, with the TTPs defined in lists. Importing each bundle manually will take me forever, knowing that it takes between 20 and 40 TTPs each time.

Hello, we are looking for a solution to build and model Attack Defense Trees.

We discovered Attack Flow at the EU MITRE ATT&CK® Community Workshop X. We are wondering if it would make sense to extend Attack Flow to include the Defense aspects.

The ability to perform keyword searches of afb diagrams is essential, especially for larger attack chains.

At a minimum, being able to search by key fields/objects such as Technique ID, Asset, Tool or Malware objects would be immensely useful.

When running the graphviz script the Action nodes are coming out correctly labelled using the Name field but not the Asset nodes. Asset nodes are all labelled "http://flow-1/asset-##" where ## is a unique incremental value, starting with "1" and counting up for all of the Assets given; State is not used at all. I am not able to get any Object Property Target, nor Data Property to even show up on the graph in any way, let alone their Target value. Relationship flows are also not showing up with the output. e.g. if I put a Relationship from an Asset to an Action with the Type set to "State", nothing shows up on the graph, at least not that I can discern.

I've looked at the JSON output from the attack_flow_designer tool and the the "http://flow-1/asset-##" is coming from the "id: " of the assets list. It's obvious that I can modify the graphviz.py script to get a different output (as can be seen below in the addition of ",label="{asset["state"]}"") but the question is should I? Am I doing something wrong?

def convert(attack_flow):
"""
Convert an Attack Flow object into Graphviz format.
"""
graph = ["digraph {"]
graph.extend([f' "{act["id"]}" [shape=box,label="{act["name"]}"]' for act in attack_flow['actions']])
graph.append("")
graph.extend([f' "{asset["id"]}" [shape=oval,label="{asset["state"]}"]' for asset in attack_flow['assets']])
graph.append("")
graph.extend([f' "{rel["source"]}" -> "{rel["target"]}"' for rel in attack_flow['relationships']])
graph.append("}")
return "\n".join(graph)

Hi,
I am real impressed with your initiative. I have wondered for some time why cyber-security doesn't capture temporal sequences, and thereby ignores tools such as process mining. Anyway, I really like how you are using the ATT&CK classification, and mapping it to a flow chart. This is brilliant.

The massive, missing piece in this repo is that this is useless for any using Stix-centric tools. Like most doing ATT&CK-centric development. I follow the advice of the MITRE people, and use their method to load data, as shown here (https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md). This uses the OASIS Stix2 python library to load the ATT&CK objects in Stix format, and apparently this is the approach recommended by MITRE. Thus I have built an open source, bi-directional STIX <-> TypeDB ORM on this OASIS STix2 library.

Yet i find that this worthy extension to MITRE does not support Stix, and pursues an independent RDF/OWL schema. Now, i am happy to develop an equivalent TypeQL schema and rule set for Vaticle TypeDB, this seems trivial, and is frankly better than rdf/owl (my opinion). But there is no point doing so, because I cannot map the Attack-flow to my existing Stix schema, so its an information island.

In short, without a valid intersection with Stix, this repo unfortunately does seem like a white elephant.

Let me know when this changes, as I can start adding your stuff in immediately. Process mining is a missing piece, so temporal evaluation is critical.

Keep going, please get Stix2 interface sorted

Note that there is some inconsistencies with the temporal sequencing implied by your example Tesla diagram, and your data model. So, at the moment only the action has a timestamp, yet its consequences do not. One can have a temporal sequence diagram with annotations, like your green boxes, yet it seems like the temporal nature is not fully specified. Consider annotating assets with a consequential time at which they were exposed, and also considering extending it to a start and end time, where if there is only one value available, it is deemed the start time

When working on the flow chart and creating an "action", the Tactic IDs and Technique IDs are all available through an autocomplete drop down menu which is great.

As an iteration over this feature, it would be quite useful to add an auto-filtering/highlighting feature: When a Tactic ID is selected, only the relevant Technique IDs would be shown (or highlighted, leaving the others visible as well) in the related Technique IDs drop down values.

Thanks and well done for this attack flow app!

In AFD under your browser there's no way to re-orient the tree. While simple ATT&CK Flows are not an issue, complex ones become very cumbersome and a significant challenge to work with via the browser and keeping it organized. Adding a function to sort or re-organize the tree in order to better group the branches and leaves would help a lot.

Alternatively, have you considered using Modelio or some other Open source modelling software that supports tree organizing? That might be more sustainable for the long run.

If the timestamp fields are left blank, then the Designer will export actions with "timestamp":"" fields, but this is not valid against the current spec. We will update the spec in the next few months, but for the time being the quickest workaround is to modify the Designer's export logic.

See PR #38 as an example.

The current browser based technique for documenting the ATT&CK Flows has basically no function for orienting or re-balancing the "diagram". Have you considered using Modelio instead of browser based?
https://www.modelio.org/. Long term that may be easier to work with