SAPPAN: Advanced Threat Data

The data were acquired from a simulated environment consisting of two Windows clients, a Windows server, a Linux host, and a Linux router whose connection diagram can be found in the infrastructure.png file. One attack scenario was performed in this environment, and data relevant to this attack are uploaded as this dataset.

The advanced attack scenario follows our previous experiment (see SAPPAN: Combined Network and Host Data), where the initial compromise of a host from outside has already been carried out. The scenario starts by running the code on Workstation1 and extracting the data, followed by a lateral movement to Workstation2, where the data is also extracted. The scenario ends with the deactivation of all implants. A detailed description of the scenario can be found in the test_protocol.xlsx file.

The scenario is inspired by the first scenario described in APT29 Evaluation: Operational Flow and APT29 Day 1 (Steps 1 through 10). However, in order to better showcase analyses relevant to the SAPPAN project, we have chosen a different C2 framework (POshC2 instead of Pupy RAT) and performed certain steps concerning code execution, downloading and exfiltrating data differently.

The dataset consists of the following data:

• infrastructure.png - Schema of the artificial infrastructure
• test-protocol.xlsx - Detailed protocol of the captured attack
• network_traffic_capture.pcap - Full packet capture (PCAP format) of all network traffic passing through firewall host
• RDR-data.zip - Raw event data (JSON format) from all Windows host with the following attributes:
  • time - the time when the sensor recorded the event
  • event_type - the type of the event
  • host - info about the host machine (name and OS version)
  • event - event type-specific payload