Lab Guide Attack Flows v2 - How To Model and Sequence Attacks


Attack Flow v2 – How to Model and Sequence Attacks
Lab Guide

Revision 2023.12.01
Table of Contents
Lab Exercise 1 – Reading and Reviewing Attack Flow
Lab Exercise 2 – Creating Attack Flow from CTI

Lab Exercise 1 – Reading and Reviewing Attack Flow
1. Open the Equifax Breach in Attack Flow Builder here.
2. Identify the following in the flow:
a. Action Objects
b. Condition Objects
c. Parallel Attack Paths
d. Operator Objects
e. Asset Objects
f. STIX Objects
3. Review the flow from beginning to end to understand how the attack was carried out.
4. Return to the learning management system to answer the questions based on the flow used in this lab.

Lab Exercise 2 – Creating Attack Flow from CTI
1. Create a new flow in the Attack Flow Builder here.
2. Below you will find an example cyber threat intelligence report.
3. Read through the report and add the necessary objects and pointers to create a flow in Attack Flow Builder.

Threat Intelligence Report

Cyber Threat Intelligence Report: ShadowTech Group's Campaign Against FinTech Inc.

Executive Summary: This intelligence report outlines a complex cyber attack led by ShadowTech
Group against FinTech Inc. The group's main goal is data exfiltration, with a potential shift to more
disruptive activities like data encryption for impact. ShadowTech's approach is characterized by a
mix of direct tactics and alternative strategies, indicating a high level of adaptability and planning.

Attack Overview: The attack began with spear phishing (T1566) targeting employees of FinTech
Inc. Where spear phishing was ineffective, ShadowTech employed drive-by compromises (T1189),
exploiting web browser vulnerabilities to gain initial access. Once inside the network, they used
PowerShell (T1059.001) for command execution, and Scripting (T1064) in environments where
PowerShell usage was restricted or monitored.

For persistence, ShadowTech set up scheduled tasks (T1053). They escalated their privileges by
exploiting system vulnerabilities (T1068) and, in more secure environments, resorted to
manipulating access tokens (T1134). To avoid detection, the group obfuscated their files and
information (T1027) and deployed rootkits (T1014) to maintain stealth.

Credential access was a key component of their strategy, focusing on credential dumping (T1003)
to gain access to user accounts. The group conducted system network configuration discovery
(T1016) to understand the network layout and identify additional targets. Lateral movement was
primarily achieved through Remote Services using SMB/Windows Admin Shares (T1021.002).

In terms of data collection, the malware harvested sensitive information from local systems
(T1005) and FinTech's email servers (T1114). The exfiltration phase involved sending collected data
over command and control channels (T1041). In the final phase, ShadowTech encrypted critical
files for impact (T1486), demanding ransom for decryption.

Conclusion: The ShadowTech Group's campaign against FinTech Inc. highlights their
capability to adapt and employ various techniques to achieve their objectives. Their
tactical flexibility, ranging from targeted phishing to sophisticated lateral movement and data
exfiltration, underscores the need for comprehensive and dynamic cybersecurity strategies.
FinTech Inc. must enhance its defensive measures and adopt proactive threat hunting practices
to mitigate the risks posed by such advanced threat actors.
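As an added example (not part of the lab guide or of the Attack Flow project's own code), the report's initial-access branch and its PowerShell/Scripting alternative are expressed below as Attack Flow v2 objects in a STIX 2.1 bundle, with a walk that lists every technique path and a check for pointers that lead nowhere. Object ids are generated and STIX timestamps are omitted; the extension-definition id is the one the Attack Flow project publishes, assumed here and worth verifying against the current spec.

```python
import uuid

# Attack Flow extension-definition id published by the project (assumed; verify against the spec).
EXT_ID = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"

def _sdo(kind, **props):  # minimal STIX object of one of the Attack Flow types
    return {"type": kind, "id": f"{kind}--{uuid.uuid4()}", "spec_version": "2.1",
            "extensions": {EXT_ID: {"extension_type": "new-sdo"}}, **props}

def build_flow():
    """Spear phishing; if that fails, drive-by; then PowerShell OR Scripting."""
    ps = _sdo("attack-action", name="PowerShell", technique_id="T1059.001")
    sc = _sdo("attack-action", name="Scripting", technique_id="T1064")
    op = _sdo("attack-operator", operator="OR", effect_refs=[ps["id"], sc["id"]])
    driveby = _sdo("attack-action", name="Drive-by Compromise", technique_id="T1189",
                   effect_refs=[op["id"]])
    cond = _sdo("attack-condition", description="Spear phishing succeeded",
                on_true_refs=[op["id"]], on_false_refs=[driveby["id"]])
    phish = _sdo("attack-action", name="Spearphishing", technique_id="T1566",
                 effect_refs=[cond["id"]])
    flow = _sdo("attack-flow", name="ShadowTech vs. FinTech Inc.", scope="incident",
                start_refs=[phish["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [flow, phish, cond, driveby, op, ps, sc]}

def next_refs(obj):  # outgoing pointers: effects plus a condition's true/false branches
    return (obj.get("effect_refs", []) + obj.get("on_true_refs", [])
            + obj.get("on_false_refs", []))

def dangling_refs(bundle):  # pointers to objects the bundle does not contain
    ids = {o["id"] for o in bundle["objects"]}
    return [r for o in bundle["objects"]
            for r in next_refs(o) + o.get("start_refs", []) if r not in ids]

def technique_paths(bundle):
    """Every start-to-leaf path as its list of technique ids, in flow order."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in bundle["objects"] if o["type"] == "attack-flow")

    def walk(oid, acc, seen):
        if oid in seen:  # guard against cycles in a hand-authored flow
            return []
        obj = by_id[oid]
        if obj["type"] == "attack-action":
            acc = acc + [obj["technique_id"]]
        nxt = next_refs(obj)
        return [acc] if not nxt else [p for n in nxt for p in walk(n, acc, seen | {oid})]

    return [p for s in flow["start_refs"] for p in walk(s, [], frozenset())]
```

Running technique_paths on the bundle yields four paths, two with and two without the drive-by fallback, which is exactly the set of branches the condition and the OR operator encode in the builder.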
