Cyber Attack Manifestations - Log Data Set (CAM-LDS)

This repository contains synthetic log data and network traffic generated as consequences of cyber attacks. The data set was collected in the virtual test environment AttackBed at the AIT Austrian Institute of Technology. It includes attacks corresponding to 13 tactics and 81 distinct techniques from MITRE ATT&CK. The data is labeled with technique identifiers and suitable for evaluation of log and alert interpretation approaches. The network topology of AttackBed is based on Linux and represents a small enterprise, including security zones (Internet, DMZ, LAN), file shares, video surveillance system, repository server, DNS, firewall, user workstations, etc. Check out our Github page for scripts to utilize this data set for LLM-based attack interpretation and some prompt-response samples. For more information on the generation of the data and a detailed description of all attack scenarios, please check out our publication [1]. Please cite that publication if you use the data.

Note that the data set focuses on attack manifestations; therefore, there no normal/benign user behavior simulation was active during collection. All logs and alerts generated during the attack intervals are thus consequences of cyber attacks or part of idle system activities. In each simulation run we collect logs (audit, authentication, Apache access and error, syslog, package management, cron, ZoneMinder, FTP, Puppet, Docker, Nextcloud, mail, system performance metrics, etc.) and netflows as well as alerts from host-based (Wazuh) and network-based (Suricata) intrusion detection systems. Due to their large size, we provide network packet captures of the CAM-LDS in a separate repository.

The data set comprises of seven scenarios, each representing an attack chain. Thereby, some scenarios involve variants of certain attack steps, which are simulated separately. The following enumeration provides an overview of all scenarios and some highlighted attack steps (lists are not exhaustive).

• Scenario 1: Video Server Exploit
  • Scans (dnsenum, nmap, nikto, ffuf, linpeas), Exploits (Zoneminder/CVE-2023-26035), Privilege Escalation (logrotate race condition, PwnKit/CVE-2021-4034, reverse shells, local accounts), Persistence (PAM, SSH key, useradd), Discovery (credentials, devices)
  • 18 simulation runs (6 variants for Privilege Escalation and 3 variants for Persistence)
• Scenario 2: Linux Malware
  • Command and Control (implant, rootkit), Discovery (processes, configurations, credentials, policies, configurations), Exfiltration (archives), Scans (nmap)
  • 2 simulation runs (2 variants for Command and Control)
• Scenario 3: Lateral Movement
  • Brute-force Login (hydra), Credential Sniffing (tcpdump), Collection (repositories), Lateral Movement (shared files, malicious class, rebuild package), Impact (ransomware, deletion)
  • 6 simulation runs (2 variants for Initial Access and 3 variants for Lateral Movement)
• Scenario 4: Network Attack
  • Port Knocking, Sudo Caching, Modify Firewall Rules
  • 1 simulation run
• Scenario 5: Network Sniffing
  • Network Sniffing (bettercap), Re-use Access Token
  • 1 simulation run
• Scenario 6: Attack on Client
  • Command and Control (malicious file, malicious plugin, screensharing), Exfiltration (cron), Collection (keylogger, xclip)
  • 5 simulation runs (2 variants for Command and Control and 2 variants for Persistence, plus 1 variant for Collection)
• Scenario 7: Docker Attack
  • Scans (dnsenum, smtp-user-enum), Brute-force Login (hydra), Exploits (Nextcloud), Docker Container Escape, Exfiltration (credentials)
  • 1 simulation run

The repository is structured as follows. Each zip-archive represents one simulation run. The name of the archive determines the scenario and variant: scenario_<Scenario-ID>_<Optional-Variants>. For example, scenario_1_autostart_localaccount is a recording of Scenario 1 with the autostart variant for Privilege Escalation and the localaccount variation for Persistence. The zip-archives contain a list of directories that correspond to the hosts where the data is collected from (e.g., firewall or video server). Relevant subdirectories and files are as follows.

• <host>/logs: System log files, network traffic, and alerts collected from that host.
• <host>/configs: Configuration files of system services on that host.
• <host>/facts.json: Summary of system configurations of that host in JSON format.
• attacker/logs/attackmate.json: Attack execution logs with time-based ground truth labels (MITRE ATT&CK techniques).
• attacker/logs/output.log: Output of attack step executions (e.g., scan results).

Alternatively to the attackmate.json file, you can find the labels of each scenario/variant/step here.

We also provide two separate archives where the system logs of individual attack steps have been extracted by correlating their timestamps with the time intervals of each step:

• manifestations_raw: Contains all logs extracted for specific attack steps.
• manifestations_filtered: Contains extracted logs that are direct consequences of attacks; in particular, logs that remain after filtering of recurring events and processes known to correspond to normal system activity. Logs that are difficult to relate to attack steps (collectd.log) or related to network traffic (eve.json) are only available in the raw manifestations.

We group the logs by step, sequence of steps, and techniques after extraction. In each manifestations-archive are therefore the following directories:

• steps: Contains the logs from each step of the attack chain, e.g., 1_autostart_localaccount-5 contains the logs that are generated at the fifth step of Scenario 1 with autostart and localaccount variants.
• sequences: Contains the logs from sequences of steps, where sequences are built from successive steps with identical techniques. Note that some logs are duplicated since multiple techniques may be assigned to single steps.
• techniques: Contains the logs corresponding to certain attack techniques, referenced by attack ID. Note that some logs are duplicated since multiple techniques may be assigned to single steps.

If you use the dataset, please cite the following publication:

[1] M. Landauer, W. Hotwagner, T. Boenke, F. Skopik, M. Wurzenberger. CAM-LDS: Cyber Attack Manifestations for Automatic Interpretation of System Logs and Security Alerts. [PDF]