Download Link
- Known APT Campaigns Dataset.zip
- Generated APT Campaigns Dataset.zip
- Composite APT Campaigns Dataset.zip
Overview - v2.0
This dataset provides a comprehensive collection of system logs generated by SAGA, simulating Advanced Persistent Threat (APT) attack scenarios for cybersecurity research. It includes three types of APT campaigns:
- Known APT Campaigns: This set comprises 8 APT campaigns based on real-world cyber threat intelligence, reflecting documented attack techniques and lifecycles of groups such as Higaisa, admin338, APT28, FIN7, CobaltGroup, Gamaredon, Patchwork, and GorgonGroup.
- Generated APT Campaigns: Includes 20 APT campaigns created through SAGA's random generation capabilities, offering a diverse set of simulated attack scenarios. Each campaign in this set is named with an identifier from G1 to G20.
- Composite APT Campaigns: This collection contains 10 composite APT campaigns, each created by combining elements from both known and generated campaigns to simulate complex scenarios where multiple APT campaigns target a single victim host.
Known APT Campaign Information
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Internal Reconnaissance
Step 5. Internal Reconnaissance
Step 6. Maintaining Presence
Step 7. Maintaining Presence
Techniques:
- Phishing Attachment
- Malicious File Execution
- Registry Run Keys
- System Information Discovery
- System Network Configuration Discovery
- Masquerade Task or Service
- Scheduled Task
Event: 607,416
MalEvent: 0.005%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance
Step 4. Internal Reconnaissance
Step 5. Internal Reconnaissance
Step 6. Internal Reconnaissance
Step 7. Internal Reconnaissance
Step 8. Internal Reconnaissance
Techniques:
- Phishing Attachment
- Malicious File Execution
- Local Account
- File and Directory Discovery
- Local Groups
- System Network Configuration Discovery
- System Network Connections Discovery
- System Service Discovery
Event: 950,436
MalEvent: 0.006%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Establishing Foothold
Step 4. Internal Reconnaissance
Step 5. Internal Reconnaissance
Step 6. Complete Mission
Techniques:
- Phishing Attachment
- Web Protocols
- Malicious File Execution
- System Information Discovery
- Data from Local System
- Exfiltration Over Web Service
Event: 1,203,013
MalEvent: 1.175%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Maintaining Presence
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Registry Run Keys
- Scheduled Task
Event: 2,072,151
MalEvent: 0.001%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance
Techniques:
- Phishing Attachment
- Remote Access Software
- Network Service Discovery
Event: 961,920
MalEvent: 0.118%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Establishing Foothold
Step 4. Maintaining Presence
Step 5. Maintaining Presence
Step 6. Internal Reconnaissance
Step 7. Internal Reconnaissance
Step 8. Maintaining Presence
Step 9. Complete Mission
Techniques:
- Phishing Attachment
- Web Protocols
- Malicious File Execution
- Modify Registry
- Registry Run Keys
- Windows Management Instrumentation
- System Information Discovery
- Scheduled Task
- Defacement
Event: 442,729
MalEvent: 0.013%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Internal Reconnaissance
Step 5. Internal Reconnaissance
Step 6. Internal Reconnaissance
Step 7. Maintaining Presence
Step 8. Moving Laterally
Techniques:
- Phishing Attachment
- PowerShell
- Bypass User Account Control
- Data from Local System
- System Owner/User Discovery
- Security Software Discovery
- Registry Run Keys
- Remote Desktop Protocol
Event: 155,296
MalEvent: 9.095%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Maintaining Presence
Step 5. Maintaining Presence
Step 6. Maintaining Presence
Step 7. Maintaining Presence
Techniques:
- Phishing Attachment
- PowerShell
- Portable Executable Injection
- Registry Run Keys
- Shortcut Modification
- Disable or Modify Tools
- Hidden Window
Event: 844,723
MalEvent: 0.006%
Generated APT Campaign Information
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Escalating Privileges
Step 5. Internal Reconnaissance
Step 6. Maintaining Presence
Step 7. Maintaining Presence
Step 8. Internal Reconnaissance
Step 9. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Security Account Manager
- Default Accounts
- Security Software Discovery
- Dynamic-link Library Injection
- Winlogon Helper DLL
- Local Groups
- Inhibit System Recovery
Event: 571,777
MalEvent: 0.006%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance
Step 4. Maintaining Presence
Step 5. Escalating Privileges
Step 6. Internal Reconnaissance
Step 7. Maintaining Presence
Step 8. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Browser Bookmark Discovery
- Office Application Startup
- LSASS Memory
- Process Discovery
- Registry Run Keys / Startup Folder
- Resource Hijacking
Event: 238,941
MalEvent: 0.063%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance
Step 4. Maintaining Presence
Step 5. Internal Reconnaissance
Step 6. Escalating Privileges
Step 7. Escalating Privileges
Step 8. Complete Mission
Techniques:
- Phishing Attachment
- Malicious File Execution
- File and Directory Discovery
- Disable Windows Event Logging
- Process Discovery
- Network Sniffing
- Security Account Manager
- Inhibit System Recovery
Event: 431,954
MalEvent: 0.013%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Maintaining Presence
Step 5. Escalating Privileges
Step 6. Internal Reconnaissance
Step 7. Maintaining Presence
Step 8. Internal Reconnaissance
Step 9. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Security Account Manager
- Registry Run Keys / Startup Folder
- LSASS Memory
- Local Account
- Shortcut Modification
- Windows Management Instrumentation
- Inhibit System Recovery
Event: 366,652
MalEvent: 0.03%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Escalating Privileges
Step 5. Internal Reconnaissance
Step 6. Maintaining Presence
Step 7. Internal Reconnaissance
Step 8. Escalating Privileges
Step 9. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Registry Run Keys / Startup Folder
- Default Accounts
- Video Capture
- Disable or Modify System Firewall
- PowerShell
- Security Account Manager
- Inhibit System Recovery
Event: 426,714
MalEvent: 0.047%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Maintaining Presence
Step 5. Internal Reconnaissance
Step 6. Escalating Privileges
Step 7. Complete Mission
Techniques:
- Phishing Attachment
- PowerShell
- Security Account Manager
- Registry Run Keys / Startup Folder
- System User Discovery
- NTDS
- Resource Hijacking
Event: 101,007
MalEvent: 0.127%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Maintaining Presence
Step 5. Maintaining Presence
Step 6. Complete Mission
Techniques:
- Phishing Attachment
- Web Protocols
- Bypass User Account Control
- Masquerade Task or Service
- Registry Run Keys / Startup Folder
- Inhibit System Recovery
Event: 384,716
MalEvent: 0.011%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Maintaining Presence
Step 5. Internal Reconnaissance
Step 6. Internal Reconnaissance
Step 7. Escalating Privileges
Step 8. Maintaining Presence
Step 9. Complete Mission
Techniques:
- Phishing Attachment
- Windows Management Instrumentation
- LSASS Memory
- Disable Windows Event Logging
- Password Policy Discovery
- Browser Bookmark Discovery
- Default Accounts
- Office Test
- Inhibit System Recovery
Event: 2,358,153
MalEvent: 0.004%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Escalating Privileges
Step 5. Escalating Privileges
Step 6. Internal Reconnaissance
Step 7. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- PowerShell
- NTDS
- Security Account Manager
- Windows Management Instrumentation
- Inhibit System Recovery
Event: 1,940,026
MalEvent: 0.01%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance
Step 4. Escalating Privileges
Step 5. Escalating Privileges
Step 6. Maintaining Presence
Step 7. Internal Reconnaissance
Step 8. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Software Discovery
- Bypass User Account Control
- Network Sniffing
- Modify Registry
- System User Discovery
- Inhibit System Recovery
Event: 240,569
MalEvent: 0.076%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Maintaining Presence
Step 5. Internal Reconnaissance
Step 6. Escalating Privileges
Step 7. Maintaining Presence
Step 8. Complete Mission
Techniques:
- Phishing Attachment
- Windows Management Instrumentation
- Default Accounts
- Disable Windows Event Logging
- System Network Configuration Discovery
- Network Sniffing
- Modify Registry
- Defacement
Event: 428,367
MalEvent: 0.007%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance
Step 4. Maintaining Presence
Step 5. Internal Reconnaissance
Step 6. Maintaining Presence
Step 7. Escalating Privileges
Step 8. Complete Mission
Techniques:
- Phishing Attachment
- PowerShell
- Browser Bookmark Discovery
- Modify Registry
- System Network Configuration Discovery
- Rename System Utilities
- NTDS
- Defacement
Event: 322,064
MalEvent: 0.018%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Maintaining Presence
Step 5. Internal Reconnaissance
Step 6. Internal Reconnaissance
Step 7. Complete Mission
Techniques:
- Phishing Attachment
- Internal Proxy
- Portable Executable Injection
- Rename System Utilities
- System Network Configuration Discovery
- System Network Connections Discovery
- Inhibit System Recovery
Event: 289,825
MalEvent: 0.013%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- LSASS Memory
- Inhibit System Recovery
Event: 405,498
MalEvent: 0.006%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Internal Reconnaissance
Step 5. Maintaining Presence
Step 6. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Modify Registry
- Local Account
- Modify Registry
- Inhibit System Recovery
Event: 1,310,911
MalEvent: 0.002%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Internal Reconnaissance
Step 5. Maintaining Presence
Step 6. Escalating Privileges
Step 7. Internal Reconnaissance
Step 8. Escalating Privileges
Step 9. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Modify Registry
- System Network Configuration Discovery
- DLL Search Order Hijacking
- Security Account Manager
- File and Directory Discovery
- OS Credential Dumping
- Inhibit System Recovery
Event: 90,405
MalEvent: 0.135%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Escalating Privileges
Step 4. Internal Reconnaissance
Step 5. Escalating Privileges
Step 6. Complete Mission
Techniques:
- Phishing Attachment
- PowerShell
- OS Credential Dumping
- Audio Capture
- LSASS Memory
- Resource Hijacking
Event: 300,927
MalEvent: 0.007%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance
Step 4. Internal Reconnaissance
Step 5. Escalating Privileges
Step 6. Maintaining Presence
Step 7. Maintaining Presence
Step 8. Escalating Privileges
Step 9. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Process Discovery
- Domain Trust Discovery
- NTDS
- PowerShell
- Modify Registry
- Bypass User Account Control
- Inhibit System Recovery
Event: 416,572
MalEvent: 0.047%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Internal Reconnaissance
Step 4. Internal Reconnaissance
Step 5. Escalating Privileges
Step 6. Escalating Privileges
Step 7. Complete Mission
Techniques:
- Phishing Attachment
- PowerShell
- PowerShell
- Local Account
- OS Credential Dumping
- Bypass User Account Control
- Inhibit System Recovery
Event: 379,550
MalEvent: 0.01%
Attack Steps:
Step 1. Initial Compromise
Step 2. Establishing Foothold
Step 3. Maintaining Presence
Step 4. Escalating Privileges
Step 5. Internal Reconnaissance
Step 6. Escalating Privileges
Step 7. Internal Reconnaissance
Step 8. Complete Mission
Techniques:
- Phishing Attachment
- Ingress Tool Transfer
- Disable or Modify System Firewall
- NTDS
- Network Share Discovery
- Credentials in Registry
- Peripheral Device Discovery
- Endpoint Denial of Service
Event: 719,090
MalEvent: 0.004%