APT41

This dataset captures detailed forensic evidence and system behavior generated from a simulated APT41 cyberattack scenario. The attack emulation was based on multiple Cyber Threat Intelligence (CTI) reports describing real-world tactics and techniques attributed to the APT41 threat actor group. The goal is to provide a comprehensive view of host and network-level activities during a full attack chain in a controlled cyber range.

Contents

1. Provenance Graphs

  • .dot files representing system-level events and causal dependencies.
  • Two variants:
    • *-provenance-graph.dot: Linux-based systems.
    • *-sysmon-provenance-graph.dot: Windows-based systems.

2. System Logs

Linux Hosts
  • audit.log from /var/log/audit/
  • sysdig.scap (zipped in /var/log/sysdig.zip) from Sysdig monitoring

Windows Hosts
  • Microsoft-Windows-Sysmon_Operational.evtx from Sysmon logs

3. Attack Annotation

  • annotation-attack.csv: Semicolon-delimited file that maps events to attack steps.
  • Includes fields such as timestamp, system, executable, and high-level activity label.
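As an added example (not part of the dataset or its authors' tooling), the snippet below parses an annotation file in this semicolon-delimited shape, builds a per-host attack timeline, and uses it to label raw host events as ground truth for detection work. The column names (timestamp, system, executable, activity), the sample rows and the sample host events are constructed assumptions; check them against the real annotation-attack.csv.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape the page describes (semicolon-delimited).
# The column names are assumptions, not the dataset's documented schema.
SAMPLE_ANNOTATION = """timestamp;system;executable;activity
2025-05-10T05:12:01Z;win-ws01;powershell.exe;Execution
2025-05-10T05:12:09Z;win-ws01;bitsadmin.exe;Ingress Tool Transfer
2025-05-10T05:13:40Z;win-ws01;cmd.exe;Persistence
2025-05-10T05:15:02Z;lnx-web01;/bin/pwd;Initial Access
"""

# Constructed host events (as one might extract from Sysmon or audit logs),
# given as (timestamp, host, executable).
SAMPLE_EVENTS = [
    ("2025-05-10T05:12:02Z", "win-ws01", "powershell.exe"),
    ("2025-05-10T05:12:02Z", "win-ws01", "explorer.exe"),
    ("2025-05-10T05:40:00Z", "win-ws01", "cmd.exe"),
    ("2025-05-10T05:15:03Z", "lnx-web01", "/bin/pwd"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_annotations(text):
    """Parse the annotation CSV into a list of dicts with datetime timestamps."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter=";"))
    for row in rows:
        row["timestamp"] = _ts(row["timestamp"])
    return rows

def timeline_by_host(rows):
    """Return host -> time-ordered list of (executable, activity) attack steps."""
    per_host = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        per_host[row["system"]].append((row["executable"], row["activity"]))
    return dict(per_host)

def label_events(events, rows, window_seconds=5):
    """Label each raw host event with the annotated activity when an annotation on
    the same host names the same executable within +/- window_seconds; else 'benign'."""
    window = timedelta(seconds=window_seconds)
    labels = []
    for ts, host, exe in events:
        t, label = _ts(ts), "benign"
        for row in rows:
            if (row["system"] == host and row["executable"] == exe
                    and abs(row["timestamp"] - t) <= window):
                label = row["activity"]
                break
        labels.append((ts, host, exe, label))
    return labels
```

The matching window is deliberately narrow; widen it only after checking clock alignment between the annotation and the log source being labelled.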

4. Network Capture

  • .pcap files capturing network traffic from both Linux (tcpdump) and Windows (Pktmon).

5. Memory Dumps

  • Raw memory images (*.elf) collected during the simulation are available upon request for in-depth analysis.

Cyber Threat Intelligence (CTI) Description

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group. Behaviours attributed to APT41 in the CTI reporting used for this emulation include the following:

  • Used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.
  • Used exploit payloads that initiate download via FTP.
  • Used DNS for C2 communications.
  • Created a RAR archive of targeted files for exfiltration.
  • Used BITSAdmin to download and install payloads.
  • Created and modified startup files for persistence.
  • Added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.
  • Performed password brute-force attacks on the local admin account.
  • Leveraged PowerShell to deploy malware families in victims’ environments.
  • Used cmd.exe /c to execute commands on remote machines.[1]
  • Used a batch file to install persistence for the Cobalt Strike BEACON loader.
  • Executed the file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.
  • Created user accounts and added them to the User and Admin groups.
  • Modified legitimate Windows services to install malware backdoors.
  • Created the StorSyncSvc service to provide persistence for Cobalt Strike.
  • Used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.
  • Uploaded files and data from a compromised host.

CTI Report: link


License

This dataset is licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.

You are free to share, modify, and build upon the data for any purpose, including commercial use, as long as proper credit is given to the original authors.


Citation

If you use this dataset in your work, please cite the following publication:

```bibtex
@inproceedings{provcon25,
  title     = {From {Observations} to {Insights}: {Constructing} {Effective} {Cyberattack} {Provenance} {With} {PROVCON}},
  language  = {en},
  booktitle = {Workshop on {SOC} {Operations} and {Construction} ({WOSOC}) 2025},
  author    = {Yusof, Anis and Li, Shaofei and Kawatra, Arshdeep Singh and Li, Ding and Chang, Ee-Chien and Liang, Zhenkai},
  year      = {2025},
  isbn      = {9798991927604},
  doi       = {https://dx.doi.org/10.14722/wosoc.2025.23008},
}
```


Additional info

| Field | Value |
|---|---|
| Last modified | May 10, 2025, 06:46 (UTC) |
| Created | May 10, 2025, 05:11 (UTC) |