Overview - v1.0

This dataset consists of system logs generated by SAGA from several Advanced Persistent Threat (APT) attack scenarios and is intended to support cybersecurity research. The scenarios, which we refer to as Known APT Campaigns, are based on cyber threat intelligence reports on real-world APT campaigns, and each scenario reproduces the documented attack techniques and attack lifecycle of its campaign. The dataset covers 5 campaigns modelled on real-world examples: Higaisa, APT28, CobaltGroup, Gamaredon, and Patchwork. For each scenario the information below lists the attack steps (each labelled with its lifecycle phase), the techniques used, the total number of log events (Event), and the percentage of those events that are malicious (MalEvent).

Known APT Campaign Information

Attack Steps:

Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Internal Reconnaissance
Step 5. Internal Reconnaissance
Step 6. Maintaining Presence
Step 7. Maintaining Presence

Techniques:

  • Phishing Attachment
  • Malicious File Execution
  • Registry Run Keys
  • System Information Discovery
  • System Network Configuration Discovery
  • Masquerade Task or Service
  • Scheduled Task

Event: 607,416
MalEvent: 0.005%

Attack Steps:

Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Establishing Foothold
Step 4. Internal Reconnaissance
Step 5. Internal Reconnaissance
Step 6. Complete Mission

Techniques:

  • Phishing Attachment
  • Web Protocols
  • Malicious File Execution
  • System Information Discovery
  • Data from Local System
  • Exfiltration Over Web Service

Event: 1,203,013
MalEvent: 1.175%

Attack Steps:

Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance

Techniques:

  • Phishing Attachment
  • Remote Access Software
  • Network Service Discovery

Event: 961,920
MalEvent: 0.118%

Attack Steps:

Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Establishing Foothold
Step 4. Maintaining Presence
Step 5. Maintaining Presence
Step 6. Internal Reconnaissance
Step 7. Internal Reconnaissance
Step 8. Maintaining Presence
Step 9. Complete Mission

Techniques:

  • Phishing Attachment
  • Web Protocols
  • Malicious File Execution
  • Modify Registry
  • Registry Run Keys
  • Windows Management Instrumentation
  • System Information Discovery
  • Scheduled Task
  • Defacement

Event: 442,729
MalEvent: 0.013%

Attack Steps:

Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Internal Reconnaissance
Step 5. Internal Reconnaissance
Step 6. Internal Reconnaissance
Step 7. Maintaining Presence
Step 8. Moving Laterally

Techniques:

  • Phishing Attachment
  • PowerShell
  • Bypass User Account Control
  • Data from Local System
  • System Owner/User Discovery
  • Security Software Discovery
  • Registry Run Keys
  • Remote Desktop Protocol

Event: 155,296
MalEvent: 9.095%