MITRE ATT&CK Flow — campaign graph layer.
Models adversary campaigns as directed sequences of ATT&CK actions, each mapped to the forensicnomicon artifact IDs that provide evidence of that action. Flow data is sourced from the CTID Attack Flow corpus: https://github.com/center-for-threat-informed-defense/attack-flow/tree/main/corpus
Data model
An AttackFlow is a named campaign scenario (e.g. ransomware, APT lateral
movement). It contains an ordered sequence of FlowAction steps. Each
step carries:
- the ATT&CK technique it represents
- the forensicnomicon artifact IDs that provide evidence of it
- indices into the action list for successor steps (causal edges)
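The data model above is small enough to reconstruct, and the question a detection engineer most often asks of it is "given the artifacts I actually collect, which steps of this campaign would leave no evidence?" The following is an added example that is not part of forensicnomicon: the `AttackFlow` and `FlowAction` types here are hypothetical stand-ins with the three fields the text describes (technique, evidencing artifact IDs, successor indices), not the crate's real structs, and the artifact IDs in the sample flow are made up for this example. The technique IDs are real ATT&CK IDs. Besides the coverage check it validates the successor edges, since a successor index out of range or a cycle in the causal edges would send any traversal of a corrupt corpus entry into a loop.

```rust
// Added example with hypothetical types; NOT forensicnomicon's own
// AttackFlow / FlowAction. Models a campaign as an ordered action list
// with successor indices, validates the graph, and reports which actions
// have no evidencing artifact in a given telemetry set.
use std::collections::{BTreeSet, HashSet, VecDeque};

#[derive(Debug, Clone)]
pub struct FlowAction {
    /// ATT&CK technique ID, e.g. "T1486".
    pub technique_id: &'static str,
    /// Artifact IDs that evidence this action (made-up IDs for this example).
    pub artifact_ids: Vec<&'static str>,
    /// Indices into the parent flow's `actions` for causal successors.
    pub successors: Vec<usize>,
}

#[derive(Debug, Clone)]
pub struct AttackFlow {
    pub id: &'static str,
    pub actions: Vec<FlowAction>,
}

impl AttackFlow {
    /// Every successor index must point inside the action list, and the
    /// causal edges must form a DAG (checked with Kahn's algorithm).
    pub fn validate(&self) -> Result<(), String> {
        let n = self.actions.len();
        let mut indegree = vec![0usize; n];
        for (i, a) in self.actions.iter().enumerate() {
            for &s in &a.successors {
                if s >= n {
                    return Err(format!("action {i} has successor {s} out of range (len {n})"));
                }
                indegree[s] += 1;
            }
        }
        let mut queue: VecDeque<usize> = (0..n).filter(|&i| indegree[i] == 0).collect();
        let mut visited = 0;
        while let Some(i) = queue.pop_front() {
            visited += 1;
            for &s in &self.actions[i].successors {
                indegree[s] -= 1;
                if indegree[s] == 0 {
                    queue.push_back(s);
                }
            }
        }
        if visited == n { Ok(()) } else { Err("cycle in successor edges".into()) }
    }

    /// Unique artifact IDs across the whole flow (the same question the
    /// crate's `artifacts_in_flow` answers for the real corpus).
    pub fn artifacts(&self) -> BTreeSet<&'static str> {
        self.actions.iter().flat_map(|a| a.artifact_ids.iter().copied()).collect()
    }

    /// Indices of actions for which none of the evidencing artifacts is in
    /// `collected`: the blind spots of this campaign for a telemetry set.
    pub fn uncovered_actions(&self, collected: &HashSet<&str>) -> Vec<usize> {
        self.actions
            .iter()
            .enumerate()
            .filter(|(_, a)| !a.artifact_ids.iter().any(|id| collected.contains(id)))
            .map(|(i, _)| i)
            .collect()
    }
}

/// Constructed sample: a four-step ransomware-style scenario that forks after
/// initial access (phishing -> PowerShell or SMB lateral movement -> encryption).
pub fn sample_flow() -> AttackFlow {
    AttackFlow {
        id: "example_ransomware",
        actions: vec![
            FlowAction { technique_id: "T1566.001", artifact_ids: vec!["mail_attachment", "browser_download"], successors: vec![1, 2] },
            FlowAction { technique_id: "T1059.001", artifact_ids: vec!["ps_scriptblock_log"], successors: vec![3] },
            FlowAction { technique_id: "T1021.002", artifact_ids: vec!["smb_session_log", "lateral_logon_4624"], successors: vec![3] },
            FlowAction { technique_id: "T1486", artifact_ids: vec!["ransom_note", "mass_file_rename"], successors: vec![] },
        ],
    }
}

fn main() {
    let flow = sample_flow();
    flow.validate().expect("corrupt flow");
    // Telemetry we actually collect in this hypothetical environment.
    let collected: HashSet<&str> = ["ps_scriptblock_log", "ransom_note"].into_iter().collect();
    for i in flow.uncovered_actions(&collected) {
        println!("{}: step {} ({}) has no evidence source", flow.id, i, flow.actions[i].technique_id);
    }
}
```

With only PowerShell script-block logging and ransom-note detection in place, the initial access and the SMB lateral-movement branch come back as uncovered, which is exactly the gap list you would feed into a collection or detection backlog.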
Example

```rust
use forensicnomicon::attack_flow::{flow_by_id, artifacts_in_flow};

// Look up a campaign by its stable id; `None` means the id is not in the corpus.
let flow = flow_by_id("black_basta_ransomware").unwrap();
// Every unique artifact ID referenced by any action in the flow.
let artifacts = artifacts_in_flow("black_basta_ransomware");
assert!(!artifacts.is_empty());
```

Structs
- `AttackFlow` - A named adversary campaign scenario modelled as an ordered action graph.
- `FlowAction` - A single action in an attack flow: one ATT&CK technique and the forensicnomicon artifact IDs that provide evidence of it.
Functions
- `all_flows` - Return all available attack flows.
- `artifacts_in_flow` - Collect all unique artifact IDs referenced across all actions in a flow.
- `flow_by_id` - Look up a campaign flow by its stable id.
- `flows_for_artifact` - Return all flows that reference `artifact_id` in at least one action.
- `flows_for_technique` - Return all flows that contain an action for `technique_id`.
- `is_technique_in_known_campaign` - Returns `true` if the given ATT&CK technique ID appears in any flow in the CTID corpus.