APT32 Variant

This dataset captures detailed forensic evidence and system behavior generated from a variant of the APT32 cyberattack scenario. While based on the same core CTI reports as the original APT32 simulation, this variant introduces modifications such as alternative execution flows, tooling, or environmental conditions to explore behavioral diversity and adversarial flexibility. The goal is to broaden the understanding of how APT32 techniques may manifest across different system configurations.

Contents

1. Provenance Graphs

  • .dot files representing system-level events and causal dependencies.
  • Two variants:
    • *-provenance-graph.dot: Linux-based systems.
    • *-sysmon-provenance-graph.dot: Windows-based systems.
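The provenance graphs are the dataset's main analysis artifact, so an added example (not part of the dataset or the PROVCON tooling) shows the usual first step an analyst takes with one: parse the DOT edges and walk backwards from a suspicious node (here, the outbound connection) to recover every process and file that causally precedes it. The sample graph, its node naming scheme (`proc:`, `file:`, `net:` prefixes) and the edge-direction convention (source acts on or flows into destination) are constructed assumptions and not the dataset's actual schema; only the `->` edge syntax with an optional `label` attribute is standard Graphviz.

```python
import re
from collections import defaultdict, deque

# Constructed sample in Graphviz DOT syntax. Node names and the edge-direction
# convention (src flows into dst) are assumptions, not the dataset's schema.
SAMPLE_DOT = """
digraph provenance {
  "proc:winlogon.exe" -> "proc:explorer.exe" [label="fork"];
  "proc:explorer.exe" -> "proc:Flash_Adobe_Install.exe" [label="fork"];
  "file:C:/Users/u/Downloads/goopdate.dll" -> "proc:Flash_Adobe_Install.exe" [label="load"];
  "proc:Flash_Adobe_Install.exe" -> "net:summerevent.webhop.net:443" [label="connect"];
  "proc:Flash_Adobe_Install.exe" -> "file:C:/Users/u/AppData/Local/Temp/dropped.tmp" [label="write"];
}
"""

# Matches  "src" -> "dst" [label="..."]  with the label attribute optional.
EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"\s*(?:\[label="([^"]*)"\])?')


def parse_edges(dot_text):
    """Return (src, dst, label) triples for every edge in the DOT text."""
    return [(s, d, l or "") for s, d, l in EDGE_RE.findall(dot_text)]


def _adjacency(edges, reverse):
    adj = defaultdict(list)
    for s, d, _ in edges:
        if reverse:
            adj[d].append(s)   # dst -> its parents
        else:
            adj[s].append(d)   # src -> its children
    return adj


def _walk(adj, start):
    """Breadth-first closure from `start`, excluding `start` itself."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def backward_trace(edges, sink):
    """Every node from which `sink` is reachable: the causal history of an event."""
    return _walk(_adjacency(edges, reverse=True), sink)


def forward_trace(edges, source):
    """Every node reachable from `source`: the downstream impact of an artifact."""
    return _walk(_adjacency(edges, reverse=False), source)


def backward_subgraph(edges, sink):
    """The edges an analyst would export as 'how did we get to this sink'."""
    keep = backward_trace(edges, sink) | {sink}
    return [e for e in edges if e[0] in keep and e[1] in keep]


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_DOT)
    for s, d, lbl in backward_subgraph(edges, "net:summerevent.webhop.net:443"):
        print(f"{s} --{lbl}--> {d}")
```

On the real `.dot` files the node and edge attributes will differ, so the regex and prefixes need adjusting to the dataset's conventions; the backward/forward walk itself is independent of that.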

2. System Logs

Linux Hosts
  • audit.log from /var/log/audit/
  • sysdig.scap (zipped in /var/log/sysdig.zip) from Sysdig monitoring

Windows Hosts
  • Microsoft-Windows-Sysmon_Operational.evtx from Sysmon logs

3. Attack Annotation

  • annotation-attack.csv: Semicolon-delimited file that maps events to attack steps.
  • Includes fields such as timestamp, system, executable, and high-level activity label.
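An added example (not part of the dataset's own tooling) of reading the semicolon-delimited annotation file and turning it into the two things a detection evaluation usually needs from it: the set of executables seen per attack step, and a per-host attack time window that lets unannotated log lines (audit, Sysdig, Sysmon) be labelled as attack or benign. The header names `timestamp;system;executable;label`, the ISO timestamp format and the label vocabulary are assumptions; the page lists the four fields but not their exact spelling or format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Column names, timestamp format and label values are
# assumptions about annotation-attack.csv, not taken from the dataset.
SAMPLE_CSV = """timestamp;system;executable;label
2025-05-10T05:12:03;win-host-1;Flash_Adobe_Install.exe;initial-access
2025-05-10T05:12:04;win-host-1;Flash_Adobe_Install.exe;execution
2025-05-10T05:12:09;win-host-1;Flash_Adobe_Install.exe;command-and-control
2025-05-10T05:15:41;linux-host-1;curl;command-and-control
2025-05-10T05:16:02;linux-host-1;bash;discovery
"""


def load_annotations(text):
    """Parse the semicolon-delimited annotation into dicts with datetime stamps."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter=";"))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def executables_per_step(rows):
    """Which executables the annotation associates with each high-level step."""
    out = defaultdict(set)
    for r in rows:
        out[r["label"]].add(r["executable"])
    return dict(out)


def host_windows(rows):
    """Per host, the first and last annotated attack event."""
    win = {}
    for r in rows:
        ts = r["timestamp"]
        first, last = win.get(r["system"], (ts, ts))
        win[r["system"]] = (min(first, ts), max(last, ts))
    return win


def in_attack_window(windows, system, ts, slack_seconds=0):
    """Label a raw log event: True if it falls inside the host's attack window
    (widened by `slack_seconds` on both sides to absorb clock skew between
    the annotation and the log source)."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if system not in windows:
        return False
    first, last = windows[system]
    slack = timedelta(seconds=slack_seconds)
    return first - slack <= ts <= last + slack


if __name__ == "__main__":
    rows = load_annotations(SAMPLE_CSV)
    for host, (first, last) in host_windows(rows).items():
        print(f"{host}: {first.isoformat()} .. {last.isoformat()}")
```

The slack parameter matters in practice: the annotation is written against one clock, while audit, Sysdig and Sysmon each stamp events with their own, so a zero-slack window tends to mislabel the first and last events of a step.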

4. Network Capture

  • .pcap files capturing network traffic from both Linux (tcpdump) and Windows (Pktmon).

5. Memory Dumps

  • Raw memory images (*.elf) collected during the simulation are available upon request for in-depth analysis.

Cyber Threat Intelligence (CTI) Description

The Adobe_Flash_install.rar archive that was returned from the baomoivietnam.com website contained the files Flash_Adobe_Install.exe and goopdate.dll. The table below provides some basic information on all three of these files. The file goopdate.dll has the hidden file attribute set and will not show in Windows Explorer on systems using default settings. As a result, the user sees only Flash_Adobe_Install.exe and runs it, believing it to be a Flash Player update. When run, it automatically loads goopdate.dll through DLL search order hijacking. Goopdate.dll is a highly obfuscated loader whose ultimate purpose is to load a Cobalt Strike stager into memory and execute it. The Cobalt Strike stager simply tries to download shellcode from a remote server and execute it, in this case using the following URL: summerevent.webhop.net/QuUA
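The search-order hijacking described above leaves a characteristic trace in the Windows-side logs this dataset ships: a Sysmon ImageLoad record (Event ID 7) whose `ImageLoaded` DLL sits in the same user-writable directory as the loading process. The following is an added example, not part of the dataset or the CTI report, of a detection check over such records. The event records are constructed in-memory dicts with the real Sysmon field names `Image`, `ImageLoaded` and `Signed`; reading them from the actual `.evtx` file (for instance with a library such as python-evtx) is left out and is an assumption about how one would feed this function.

```python
from pathlib import PureWindowsPath

# Constructed records shaped like Sysmon Event ID 7 (ImageLoad). Paths and
# the user name are made up; only the field names mirror Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Users\alice\Downloads\Adobe_Flash_install\Flash_Adobe_Install.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Adobe_Flash_install\goopdate.dll",
     "Signed": "false"},
    {"EventID": 7,
     "Image": r"C:\Users\alice\Downloads\Adobe_Flash_install\Flash_Adobe_Install.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"EventID": 7,
     "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true"},
    {"EventID": 1,
     "Image": r"C:\Windows\explorer.exe"},
]

# Directories where side-by-side DLL loading is expected and benign.
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def is_trusted_dir(path):
    """True if `path` lies under one of the standard install locations."""
    low = str(path).lower()
    return any(low.startswith(t) for t in TRUSTED_DIRS)


def side_loaded_dlls(events):
    """Flag ImageLoad events where a process loads a DLL from its own directory
    and that directory is outside the trusted install locations. Returns
    (process name, dll name, directory, Signed value) tuples, so unsigned
    hits can be ranked first when triaging."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.parent == exe.parent and not is_trusted_dir(exe.parent):
            hits.append((exe.name, dll.name, str(dll.parent), ev.get("Signed", "unknown")))
    return hits


if __name__ == "__main__":
    for proc, dll, where, signed in side_loaded_dlls(SAMPLE_EVENTS):
        print(f"{proc} loaded {dll} from {where} (Signed={signed})")
```

The rule is deliberately coarse: portable applications legitimately ship DLLs next to their executable, so in a real SOC this check is a triage signal to combine with the process's parent, the archive it was extracted from and the network connection that follows, rather than an alert on its own. The same three-step chain (archive extracted to a user directory, executable loads an adjacent DLL, process then connects out) is exactly what the provenance graphs in this dataset let an analyst confirm.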

CTI Report: link


License

This dataset is licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.

You are free to share, modify, and build upon the data for any purpose, including commercial use, as long as proper credit is given to the original authors.


Citation

If you use this dataset in your work, please cite the following publication:

```bibtex
@inproceedings{provcon25,
  title = {From {Observations} to {Insights}: {Constructing} {Effective} {Cyberattack} {Provenance} {With} {PROVCON}},
  language = {en},
  booktitle = {Workshop on {SOC} {Operations} and {Construction} ({WOSOC}) 2025},
  author = {Yusof, Anis and Li, Shaofei and Kawatra, Arshdeep Singh and Li, Ding and Chang, Ee-Chien and Liang, Zhenkai},
  year = {2025},
  isbn = {9798991927604},
  doi = {https://dx.doi.org/10.14722/wosoc.2025.23008},
}
```


Additional info

Field            Value
Last modified    May 10, 2025, 06:45 (UTC)
Created          May 10, 2025, 05:09 (UTC)