This dataset captures detailed forensic evidence and system behavior generated from a variant of the APT32 cyberattack scenario. While based on the same core CTI reports as the original APT32 simulation, this variant introduces modifications such as alternative execution flows, tooling, or environmental conditions to explore behavioral diversity and adversarial flexibility. The goal is to broaden the understanding of how APT32 techniques may manifest across different system configurations.
Contents
1. Provenance Graphs
- .dot files representing system-level events and causal dependencies.
- Two variants:
  - *-provenance-graph.dot: Linux-based systems.
  - *-sysmon-provenance-graph.dot: Windows-based systems.
2. System Logs
Linux Hosts
- audit.log from /var/log/audit/
- sysdig.scap (zipped in /var/log/sysdig.zip) from Sysdig monitoring
Windows Hosts
- Microsoft-Windows-Sysmon_Operational.evtx from Sysmon logs
3. Attack Annotation
- annotation-attack.csv: semicolon-delimited file that maps events to attack steps.
- Includes fields such as timestamp, system, executable, and high-level activity label.
4. Network Capture
- .pcap files capturing network traffic from both Linux (tcpdump) and Windows (Pktmon) hosts.
5. Memory Dumps
- Raw memory images (*.elf) collected during the simulation are available upon request for in-depth analysis.
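The annotation file is the ground truth that ties raw log records to attack steps, so the first thing most users of the dataset do is join it against the host logs. The Python script below is an added illustration of that join and is not part of the dataset's tooling: it reads a constructed annotation-attack.csv, parses constructed audit.log execve records, and labels each record by matching host, executable and timestamp. Because the card only lists the fields loosely, the exact header (timestamp;system;executable;label), the ISO 8601 UTC timestamp format, the one-audit-file-per-host layout and the two-second matching tolerance are all assumptions and should be adjusted to the real file.

```python
"""Label Linux audit.log events with attack steps from annotation-attack.csv.

Added example for this dataset card, not part of the dataset's tooling.
Assumptions (the card does not pin these down):
  * annotation-attack.csv header is exactly: timestamp;system;executable;label
  * annotation timestamps are ISO 8601 in UTC ("2024-03-01T10:00:05Z")
  * each audit.log comes from one host, whose name is passed in by the caller
  * an audit record matches an annotation when host and exe are equal and the
    timestamps differ by at most TOLERANCE_S seconds
"""
import csv
import io
import re
from datetime import datetime, timezone

TOLERANCE_S = 2.0

# Constructed sample annotation file (not from the dataset).
ANNOTATION_CSV = """timestamp;system;executable;label
2024-03-01T10:00:05Z;linux-ws1;/usr/bin/curl;initial-access
2024-03-01T10:00:09Z;linux-ws1;/bin/bash;execution
2024-03-01T10:02:30Z;linux-ws1;/usr/bin/ssh;lateral-movement
"""

# Constructed audit.log excerpt (execve SYSCALL records, unrelated fields elided as "...").
# Epoch 1709287205 is 2024-03-01T10:00:05Z.
AUDIT_LOG = """type=SYSCALL msg=audit(1709287205.410:1201): arch=c000003e syscall=59 success=yes ... exe="/usr/bin/curl" key="exec"
type=SYSCALL msg=audit(1709287209.002:1207): arch=c000003e syscall=59 success=yes ... exe="/bin/bash" key="exec"
type=SYSCALL msg=audit(1709287260.115:1300): arch=c000003e syscall=59 success=yes ... exe="/usr/bin/ls" key="exec"
type=SYSCALL msg=audit(1709287350.700:1410): arch=c000003e syscall=59 success=yes ... exe="/usr/bin/ssh" key="exec"
"""

# audit(<epoch.ms>:<serial>) followed later on the line by exe="<path>"
AUDIT_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?exe="(?P<exe>[^"]*)"')


def load_annotations(text):
    """Return [(epoch_seconds, system, executable, label), ...] from the CSV text."""
    rows = []
    for r in csv.DictReader(io.StringIO(text), delimiter=";"):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        rows.append((ts, r["system"], r["executable"], r["label"]))
    return rows


def label_audit_events(audit_text, host, annotations, tolerance=TOLERANCE_S):
    """Attach an attack-step label (or 'benign') to every parsable audit record."""
    labelled = []
    for line in audit_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not a record carrying exe=..., e.g. CWD/PATH/PROCTITLE lines
        ts, exe = float(m["ts"]), m["exe"]
        label = "benign"
        for ann_ts, ann_sys, ann_exe, ann_label in annotations:
            if ann_sys == host and ann_exe == exe and abs(ann_ts - ts) <= tolerance:
                label = ann_label
                break
        labelled.append({"serial": int(m["serial"]), "ts": ts, "exe": exe, "label": label})
    return labelled


def step_counts(labelled):
    """Count records per label; a quick sanity check of annotation coverage."""
    counts = {}
    for ev in labelled:
        counts[ev["label"]] = counts.get(ev["label"], 0) + 1
    return counts


if __name__ == "__main__":
    events = label_audit_events(AUDIT_LOG, "linux-ws1", load_annotations(ANNOTATION_CSV))
    for ev in events:
        print(f'{ev["serial"]:>6} {ev["ts"]:.3f} {ev["exe"]:<16} {ev["label"]}')
    print(step_counts(events))
```

Replace the two embedded strings with the contents of the real annotation-attack.csv and audit.log, and pass the host name the audit file came from; records whose executable is annotated on a different host stay benign, which is the behaviour you want when the same tool runs on several machines.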
Cyber Threat Intelligence (CTI) Description
The Adobe_Flash_install.rar archive that was returned from the baomoivietnam.com website contained the files Flash_Adobe_Install.exe and goopdate.dll. The table below provides some basic information on all three of these files.
The file goopdate.dll has the hidden file attribute set and will not show in Windows Explorer on systems using default settings. This results in the user seeing only the Flash_Adobe_Install.exe file to execute in order to install what they believe to be an update to Flash Player. When run, it will automatically load goopdate.dll due to search order hijacking. Goopdate.dll is a highly obfuscated loader whose ultimate purpose is to load a Cobalt Strike stager into memory and then execute it. The Cobalt Strike stager will simply try to download and execute a shellcode from a remote server, in this case using the following URL: summerevent.webhop.net/QuUA
CTI Report: link
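The chain described above (a user-launched installer that picks up goopdate.dll from its own directory, then a stager reaching out to summerevent.webhop.net) maps cleanly onto the Sysmon data in this dataset. The Python below is an added detection example, not part of the dataset or of the CTI report: it flags an Event ID 7 image load of goopdate.dll from the process's own directory outside a trusted root (or without a valid signature), then attributes a later Event ID 22 DNS query or Event ID 3 connection to the C2 host to the same process. goopdate.dll is also the name of a legitimate Google Update component, so the constructed sample includes a signed load from under Program Files to show the heuristic stays quiet on it. The event dicts keyed like Sysmon EventData fields, the TRUSTED_DIRS roots, the directory paths and the assumption that events arrive in time order are all mine.

```python
"""Flag the goopdate.dll search-order hijack and follow-on C2 contact in Sysmon-style events.

Added example for this dataset card; not part of the dataset or of the CTI report.
Assumptions: events are dicts keyed like Sysmon EventData fields (EventID, ProcessGuid,
Image, ImageLoaded, Signed, QueryName, DestinationHostname); TRUSTED_DIRS, the sample
paths and the benign Google Update records are illustrative; events are in time order,
so a C2 contact is only attributed to a process that already showed the sideload.
"""
import ntpath

C2_HOSTS = {"summerevent.webhop.net"}   # stager download host named in the CTI description
HIJACKED_DLL = "goopdate.dll"
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")  # assumed

STAGING_DIR = r"C:\Users\bob\Downloads\Adobe_Flash_install"   # constructed
GOOGLE_DIR = r"C:\Program Files (x86)\Google\Update"          # constructed

# Constructed sample: the CTI chain for process {A1}, one benign Google Update process {B2}.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": STAGING_DIR + r"\Flash_Adobe_Install.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": STAGING_DIR + r"\Flash_Adobe_Install.exe",
     "ImageLoaded": STAGING_DIR + r"\goopdate.dll", "Signed": "false"},
    {"EventID": 22, "ProcessGuid": "{A1}", "Image": STAGING_DIR + r"\Flash_Adobe_Install.exe",
     "QueryName": "summerevent.webhop.net"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": GOOGLE_DIR + r"\GoogleUpdate.exe",
     "ImageLoaded": GOOGLE_DIR + r"\1.2.3.4\goopdate.dll", "Signed": "true"},
    {"EventID": 22, "ProcessGuid": "{B2}", "Image": GOOGLE_DIR + r"\GoogleUpdate.exe",
     "QueryName": "update.googleapis.com"},
]


def is_sideload(ev):
    """Event ID 7: goopdate.dll loaded from the process's own directory outside a
    trusted root, or loaded without a valid signature. A signed load from under
    Program Files passes both checks."""
    if ev.get("EventID") != 7:
        return False
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != HIJACKED_DLL:
        return False
    exe_dir = ntpath.dirname(ev.get("Image", "")).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    untrusted_sidecar = exe_dir == dll_dir and not dll_dir.startswith(TRUSTED_DIRS)
    unsigned = ev.get("Signed", "").lower() != "true"
    return untrusted_sidecar or unsigned


def c2_host(ev):
    """Known C2 host from an Event ID 22 (DNS) or Event ID 3 (network) record, else None."""
    host = (ev.get("QueryName") or ev.get("DestinationHostname") or "").lower()
    return host if ev.get("EventID") in (3, 22) and host in C2_HOSTS else None


def detect(events):
    """One alert per process that loaded the hijacked DLL; later C2 contact is appended."""
    alerts = {}
    for ev in events:
        guid = ev.get("ProcessGuid")
        if is_sideload(ev):
            alerts.setdefault(guid, {"process_guid": guid, "image": ev["Image"], "stages": []})
            alerts[guid]["stages"].append("dll-sideload")
        elif guid in alerts:
            host = c2_host(ev)
            if host:
                alerts[guid]["stages"].append("c2-contact:" + host)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["process_guid"], a["image"], " -> ".join(a["stages"]))
```

To run this over the dataset's Microsoft-Windows-Sysmon_Operational.evtx, export the records to dicts of their EventData fields with whatever event log reader you use and pass the list to detect() in timestamp order; Event ID 7 logging must have been enabled in the Sysmon configuration for the sideload stage to appear at all, so check for Event ID 7 records before trusting an empty result.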
License
This dataset is licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.
You are free to share, modify, and build upon the data for any purpose, including commercial use, as long as proper credit is given to the original authors.
Citation
If you use this dataset in your work, please cite the following publication:
```bibtex
@inproceedings{provcon25,
  title     = {From {Observations} to {Insights}: {Constructing} {Effective} {Cyberattack} {Provenance} {With} {PROVCON}},
  language  = {en},
  booktitle = {Workshop on {SOC} {Operations} and {Construction} ({WOSOC}) 2025},
  author    = {Yusof, Anis and Li, Shaofei and Kawatra, Arshdeep Singh and Li, Ding and Chang, Ee-Chien and Liang, Zhenkai},
  year      = {2025},
  isbn      = {9798991927604},
  doi       = {10.14722/wosoc.2025.23008},
}
```