| Field | Value |
|---|---|
| Network Data Source | - |
| Network Data Labeled | - |
| Host Data Source | Windows events |
| Host Data Labeled | No |
| Overall Setting | Enterprise IT |
| OS Types | Windows 10 Pro, Windows Server 2016, Linux (Attacker) |
| Number of Machines | 5 (+ 3 attackers) |
| Total Runtime | n/a |
| Year of Collection | 2019 |
| Attack Categories | PowerShell Empire |
| Benign Activity | None |
| Packed Size | 30 MB |
| Unpacked Size | 855 MB |
| Download Link | goto |
Overview
This is a subset of the Security Datasets Collection that replicates activity attributed to the adversary group APT3, as described by MITRE ATT&CK. The scenario has been executed twice: once using CALDERA plus plugins and once by running the attacks manually.
Environment
The environment setup is not detailed, but it appears to be implied that it matches the environment suggested by MITRE (linked below).
Activity
While the MITRE ATT&CK evaluation consists of two rounds/scenarios (PowerShell Empire and Cobalt Strike), this dataset covers only the first one, PowerShell Empire. As mentioned, it has been executed in two different ways:
1) Using the CALDERA framework (by MITRE), which automates the execution of attack scenarios, combined with a plugin supplying the TTPs required for the chosen APT3 scenario.
2) Using what the authors call "resource files", which consist of a set of commands and scripts, presumably implying manual execution of the attack scenario.
Contained Data
Logs are collected using winlogbeat, which pulls events from different sources (e.g., Microsoft-Windows-Security-Auditing or Microsoft-Windows-Sysmon), but this is, again, not explained further.
For each of the two execution rounds, a single .json file contains all associated logs.
Labels are not provided.
Links
Data Examples
Snippet of winlogbeat events from the CALDERA-based dataset, taken from caldera_attack_evals_round1_day1_2019-10-20201108.json
```json
{"@timestamp":"2019-10-20T20:14:13.625Z","@metadata":{"beat":"winlogbeat","type":"_doc","version":"7.4.0","topic":"winlogbeat"},"agent":{"version":"7.4.0","type":"winlogbeat","ephemeral_id":"b372be1f-ba0a-4d7e-b4df-79eac86e1fde","hostname":"WECServer","id":"d347d9a4-bff4-476c-b5a4-d51119f78250"},"winlog":{"task":"Process accessed (rule: ProcessAccess)","channel":"Microsoft-Windows-Sysmon/Operational","event_data":{"SourceProcessId":"7844","TargetProcessId":"1632","UtcTime":"2019-10-20 20:14:13.621","TargetProcessGUID":"{a158f72c-b04a-5dac-0000-0010ce5a1b00}","SourceProcessGUID":"{a158f72c-c009-5dac-0000-00109ea28500}","SourceThreadId":"9740","TargetImage":"C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_14.35.152.0_x64__kzf8qxf38zg5c\\SkypeApp.exe","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+2730e|C:\\Windows\\system32\\wbem\\cimwin32.dll+f46e|C:\\Windows\\system32\\wbem\\cimwin32.dll+faf5|C:\\Windows\\SYSTEM32\\framedynos.dll+55a2|C:\\Windows\\SYSTEM32\\framedynos.dll+6d2d|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8ad1|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8753|C:\\Windows\\System32\\RPCRT4.dll+76963|C:\\Windows\\System32\\RPCRT4.dll+1364b|C:\\Windows\\System32\\combase.dll+a5472|C:\\Windows\\System32\\RPCRT4.dll+59a8b|C:\\Windows\\System32\\combase.dll+28263|C:\\Windows\\System32\\combase.dll+28053|C:\\Windows\\System32\\combase.dll+a8006|C:\\Windows\\System32\\combase.dll+5b72a|C:\\Windows\\System32\\combase.dll+a3c7d|C:\\Windows\\System32\\combase.dll+6a07c|C:\\Windows\\System32\\combase.dll+6a8e1|C:\\Windows\\System32\\combase.dll+6c088|C:\\Windows\\System32\\RPCRT4.dll+548d8|C:\\Windows\\System32\\RPCRT4.dll+2c931|C:\\Windows\\System32\\RPCRT4.dll+2c480|C:\\Windows\\System32\\RPCRT4.dll+1a6bf","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","GrantedAccess":"0x1410"},"process":{"pid":3220,"thread":{"id":4972}},"computer_name":"IT001.shire.com","record_id":232781,"opcode":"Info","version":3,"user":{"type":"User","identifier":"S-1-5-18","name":"SYSTEM","domain":"NT AUTHORITY"},"event_id":10,"provider_guid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","provider_name":"Microsoft-Windows-Sysmon","api":"wineventlog"},"event":{"kind":"event","code":10,"action":"Process accessed (rule: ProcessAccess)","created":"2019-10-20T20:14:24.957Z"},"log":{"level":"information"},"message":"Process accessed:\nRuleName: \nUtcTime: 2019-10-20 20:14:13.621\nSourceProcessGUID: {a158f72c-c009-5dac-0000-00109ea28500}\nSourceProcessId: 7844\nSourceThreadId: 9740\nSourceImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe\nTargetProcessGUID: {a158f72c-b04a-5dac-0000-0010ce5a1b00}\nTargetProcessId: 1632\nTargetImage: C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_14.35.152.0_x64__kzf8qxf38zg5c\\SkypeApp.exe\nGrantedAccess: 0x1410\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+2730e|C:\\Windows\\system32\\wbem\\cimwin32.dll+f46e|C:\\Windows\\system32\\wbem\\cimwin32.dll+faf5|C:\\Windows\\SYSTEM32\\framedynos.dll+55a2|C:\\Windows\\SYSTEM32\\framedynos.dll+6d2d|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8ad1|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8753|C:\\Windows\\System32\\RPCRT4.dll+76963|C:\\Windows\\System32\\RPCRT4.dll+1364b|C:\\Windows\\System32\\combase.dll+a5472|C:\\Windows\\System32\\RPCRT4.dll+59a8b|C:\\Windows\\System32\\combase.dll+28263|C:\\Windows\\System32\\combase.dll+28053|C:\\Windows\\System32\\combase.dll+a8006|C:\\Windows\\System32\\combase.dll+5b72a|C:\\Windows\\System32\\combase.dll+a3c7d|C:\\Windows\\System32\\combase.dll+6a07c|C:\\Windows\\System32\\combase.dll+6a8e1|C:\\Windows\\System32\\combase.dll+6c088|C:\\Windows\\System32\\RPCRT4.dll+548d8|C:\\Windows\\System32\\RPCRT4.dll+2c931|C:\\Windows\\System32\\RPCRT4.dll+2c480|C:\\Windows\\System32\\RPCRT4.dll+1a6bf","ecs":{"version":"1.1.0"},"host":{"name":"WECServer"}}
{"@timestamp":"2019-10-20T20:14:13.625Z","@metadata":{"beat":"winlogbeat","type":"_doc","version":"7.4.0","topic":"winlogbeat"},"message":"Process accessed:\nRuleName: \nUtcTime: 2019-10-20 20:14:13.621\nSourceProcessGUID: {a158f72c-c009-5dac-0000-00109ea28500}\nSourceProcessId: 7844\nSourceThreadId: 9740\nSourceImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe\nTargetProcessGUID: {a158f72c-b066-5dac-0000-0010a6a42100}\nTargetProcessId: 2684\nTargetImage: C:\\Windows\\system32\\svchost.exe\nGrantedAccess: 0x1410\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+2730e|C:\\Windows\\system32\\wbem\\cimwin32.dll+f46e|C:\\Windows\\system32\\wbem\\cimwin32.dll+faf5|C:\\Windows\\SYSTEM32\\framedynos.dll+55a2|C:\\Windows\\SYSTEM32\\framedynos.dll+6d2d|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8ad1|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8753|C:\\Windows\\System32\\RPCRT4.dll+76963|C:\\Windows\\System32\\RPCRT4.dll+1364b|C:\\Windows\\System32\\combase.dll+a5472|C:\\Windows\\System32\\RPCRT4.dll+59a8b|C:\\Windows\\System32\\combase.dll+28263|C:\\Windows\\System32\\combase.dll+28053|C:\\Windows\\System32\\combase.dll+a8006|C:\\Windows\\System32\\combase.dll+5b72a|C:\\Windows\\System32\\combase.dll+a3c7d|C:\\Windows\\System32\\combase.dll+6a07c|C:\\Windows\\System32\\combase.dll+6a8e1|C:\\Windows\\System32\\combase.dll+6c088|C:\\Windows\\System32\\RPCRT4.dll+548d8|C:\\Windows\\System32\\RPCRT4.dll+2c931|C:\\Windows\\System32\\RPCRT4.dll+2c480|C:\\Windows\\System32\\RPCRT4.dll+1a6bf","ecs":{"version":"1.1.0"},"host":{"name":"WECServer"},"agent":{"type":"winlogbeat","ephemeral_id":"b372be1f-ba0a-4d7e-b4df-79eac86e1fde","hostname":"WECServer","id":"d347d9a4-bff4-476c-b5a4-d51119f78250","version":"7.4.0"},"winlog":{"provider_guid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","computer_name":"IT001.shire.com","user":{"name":"SYSTEM","domain":"NT AUTHORITY","type":"User","identifier":"S-1-5-18"},"opcode":"Info","version":3,"process":{"pid":3220,"thread":{"id":4972}},"event_id":10,"task":"Process accessed (rule: ProcessAccess)","channel":"Microsoft-Windows-Sysmon/Operational","provider_name":"Microsoft-Windows-Sysmon","record_id":232782,"api":"wineventlog","event_data":{"GrantedAccess":"0x1410","SourceProcessId":"7844","TargetProcessGUID":"{a158f72c-b066-5dac-0000-0010a6a42100}","TargetImage":"C:\\Windows\\system32\\svchost.exe","SourceThreadId":"9740","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+2730e|C:\\Windows\\system32\\wbem\\cimwin32.dll+f46e|C:\\Windows\\system32\\wbem\\cimwin32.dll+faf5|C:\\Windows\\SYSTEM32\\framedynos.dll+55a2|C:\\Windows\\SYSTEM32\\framedynos.dll+6d2d|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8ad1|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8753|C:\\Windows\\System32\\RPCRT4.dll+76963|C:\\Windows\\System32\\RPCRT4.dll+1364b|C:\\Windows\\System32\\combase.dll+a5472|C:\\Windows\\System32\\RPCRT4.dll+59a8b|C:\\Windows\\System32\\combase.dll+28263|C:\\Windows\\System32\\combase.dll+28053|C:\\Windows\\System32\\combase.dll+a8006|C:\\Windows\\System32\\combase.dll+5b72a|C:\\Windows\\System32\\combase.dll+a3c7d|C:\\Windows\\System32\\combase.dll+6a07c|C:\\Windows\\System32\\combase.dll+6a8e1|C:\\Windows\\System32\\combase.dll+6c088|C:\\Windows\\System32\\RPCRT4.dll+548d8|C:\\Windows\\System32\\RPCRT4.dll+2c931|C:\\Windows\\System32\\RPCRT4.dll+2c480|C:\\Windows\\System32\\RPCRT4.dll+1a6bf","UtcTime":"2019-10-20 20:14:13.621","SourceProcessGUID":"{a158f72c-c009-5dac-0000-00109ea28500}","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","TargetProcessId":"2684"}},"event":{"action":"Process accessed (rule: ProcessAccess)","created":"2019-10-20T20:14:24.957Z","kind":"event","code":10},"log":{"level":"information"}}
{"@timestamp":"2019-10-20T20:14:13.625Z","@metadata":{"beat":"winlogbeat","type":"_doc","version":"7.4.0","topic":"winlogbeat"},"winlog":{"record_id":232783,"task":"Process accessed (rule: ProcessAccess)","computer_name":"IT001.shire.com","channel":"Microsoft-Windows-Sysmon/Operational","provider_name":"Microsoft-Windows-Sysmon","process":{"pid":3220,"thread":{"id":4972}},"event_id":10,"user":{"identifier":"S-1-5-18","name":"SYSTEM","domain":"NT AUTHORITY","type":"User"},"event_data":{"SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+2730e|C:\\Windows\\system32\\wbem\\cimwin32.dll+f46e|C:\\Windows\\system32\\wbem\\cimwin32.dll+faf5|C:\\Windows\\SYSTEM32\\framedynos.dll+55a2|C:\\Windows\\SYSTEM32\\framedynos.dll+6d2d|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8ad1|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8753|C:\\Windows\\System32\\RPCRT4.dll+76963|C:\\Windows\\System32\\RPCRT4.dll+1364b|C:\\Windows\\System32\\combase.dll+a5472|C:\\Windows\\System32\\RPCRT4.dll+59a8b|C:\\Windows\\System32\\combase.dll+28263|C:\\Windows\\System32\\combase.dll+28053|C:\\Windows\\System32\\combase.dll+a8006|C:\\Windows\\System32\\combase.dll+5b72a|C:\\Windows\\System32\\combase.dll+a3c7d|C:\\Windows\\System32\\combase.dll+6a07c|C:\\Windows\\System32\\combase.dll+6a8e1|C:\\Windows\\System32\\combase.dll+6c088|C:\\Windows\\System32\\RPCRT4.dll+548d8|C:\\Windows\\System32\\RPCRT4.dll+2c931|C:\\Windows\\System32\\RPCRT4.dll+2c480|C:\\Windows\\System32\\RPCRT4.dll+1a6bf","TargetImage":"C:\\Windows\\system32\\DllHost.exe","GrantedAccess":"0x1410","SourceProcessGUID":"{a158f72c-c009-5dac-0000-00109ea28500}","SourceProcessId":"7844","UtcTime":"2019-10-20 20:14:13.621","SourceThreadId":"9740","TargetProcessGUID":"{a158f72c-b092-5dac-0000-001030822800}","TargetProcessId":"5776"},"api":"wineventlog","opcode":"Info","provider_guid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","version":3},"event":{"code":10,"action":"Process accessed (rule: ProcessAccess)","created":"2019-10-20T20:14:24.957Z","kind":"event"},"log":{"level":"information"},"message":"Process accessed:\nRuleName: \nUtcTime: 2019-10-20 20:14:13.621\nSourceProcessGUID: {a158f72c-c009-5dac-0000-00109ea28500}\nSourceProcessId: 7844\nSourceThreadId: 9740\nSourceImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe\nTargetProcessGUID: {a158f72c-b092-5dac-0000-001030822800}\nTargetProcessId: 5776\nTargetImage: C:\\Windows\\system32\\DllHost.exe\nGrantedAccess: 0x1410\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+2730e|C:\\Windows\\system32\\wbem\\cimwin32.dll+f46e|C:\\Windows\\system32\\wbem\\cimwin32.dll+faf5|C:\\Windows\\SYSTEM32\\framedynos.dll+55a2|C:\\Windows\\SYSTEM32\\framedynos.dll+6d2d|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8ad1|C:\\Windows\\system32\\wbem\\wmiprvse.exe+8753|C:\\Windows\\System32\\RPCRT4.dll+76963|C:\\Windows\\System32\\RPCRT4.dll+1364b|C:\\Windows\\System32\\combase.dll+a5472|C:\\Windows\\System32\\RPCRT4.dll+59a8b|C:\\Windows\\System32\\combase.dll+28263|C:\\Windows\\System32\\combase.dll+28053|C:\\Windows\\System32\\combase.dll+a8006|C:\\Windows\\System32\\combase.dll+5b72a|C:\\Windows\\System32\\combase.dll+a3c7d|C:\\Windows\\System32\\combase.dll+6a07c|C:\\Windows\\System32\\combase.dll+6a8e1|C:\\Windows\\System32\\combase.dll+6c088|C:\\Windows\\System32\\RPCRT4.dll+548d8|C:\\Windows\\System32\\RPCRT4.dll+2c931|C:\\Windows\\System32\\RPCRT4.dll+2c480|C:\\Windows\\System32\\RPCRT4.dll+1a6bf","ecs":{"version":"1.1.0"},"host":{"name":"WECServer"},"agent":{"version":"7.4.0","type":"winlogbeat","ephemeral_id":"b372be1f-ba0a-4d7e-b4df-79eac86e1fde","hostname":"WECServer","id":"d347d9a4-bff4-476c-b5a4-d51119f78250"}}
```
Snippet of winlogbeat events from the resource-files-based dataset, taken from empire_apt3_2019-05-14223117.json
```json
{"@timestamp":"2019-05-14T23:04:23.636Z","@metadata":{"beat":"winlogbeat","type":"doc","version":"6.7.0","topic":"winlogbeat"},"process_id":4,"source_name":"Microsoft-Windows-Security-Auditing","message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t6520\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.18.39.106\n\tSource Port:\t\t53322\n\tDestination Address:\t10.0.10.106\n\tDestination Port:\t\t443\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67495\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","beat":{"name":"WECserver","hostname":"WECserver","version":"6.7.0"},"type":"wineventlog","task":"Filtering Platform Connection","event_data":{"LayerName":"%%14611","ProcessID":"6520","Direction":"%%14593","RemoteMachineID":"S-1-0-0","Application":"\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","Protocol":"6","DestAddress":"10.0.10.106","FilterRTID":"67495","RemoteUserID":"S-1-0-0","DestPort":"443","LayerRTID":"48","SourceAddress":"172.18.39.106","SourcePort":"53322"},"thread_id":5552,"opcode":"Info","computer_name":"HR001.shire.com","record_number":"114472","provider_guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","version":1,"log_name":"Security","keywords":["Audit Success"],"host":{"name":"WECserver"},"event_id":5156,"level":"Information"}
{"@timestamp":"2019-05-14T23:04:23.859Z","@metadata":{"beat":"winlogbeat","type":"doc","version":"6.7.0","topic":"winlogbeat"},"type":"wineventlog","event_id":5156,"level":"Information","provider_guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4952\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.18.39.106\n\tSource Port:\t\t53323\n\tDestination Address:\t10.0.10.106\n\tDestination Port:\t\t443\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67495\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","event_data":{"ProcessID":"4952","SourcePort":"53323","DestAddress":"10.0.10.106","Application":"\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","SourceAddress":"172.18.39.106","FilterRTID":"67495","RemoteUserID":"S-1-0-0","Direction":"%%14593","LayerName":"%%14611","LayerRTID":"48","RemoteMachineID":"S-1-0-0","DestPort":"443","Protocol":"6"},"computer_name":"HR001.shire.com","version":1,"source_name":"Microsoft-Windows-Security-Auditing","opcode":"Info","thread_id":5552,"record_number":"114473","keywords":["Audit Success"],"host":{"name":"WECserver"},"process_id":4,"log_name":"Security","task":"Filtering Platform Connection","beat":{"name":"WECserver","hostname":"WECserver","version":"6.7.0"}}
{"@timestamp":"2019-05-14T23:04:24.150Z","@metadata":{"beat":"winlogbeat","type":"doc","version":"6.7.0","topic":"winlogbeat"},"record_number":"114474","type":"wineventlog","version":1,"host":{"name":"WECserver"},"event_id":5156,"computer_name":"HR001.shire.com","level":"Information","event_data":{"Protocol":"6","FilterRTID":"67495","SourceAddress":"172.18.39.106","SourcePort":"53324","LayerName":"%%14611","LayerRTID":"48","DestAddress":"10.0.10.106","DestPort":"443","Application":"\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","RemoteUserID":"S-1-0-0","RemoteMachineID":"S-1-0-0","ProcessID":"7048","Direction":"%%14593"},"keywords":["Audit Success"],"message":"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t7048\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t172.18.39.106\n\tSource Port:\t\t53324\n\tDestination Address:\t10.0.10.106\n\tDestination Port:\t\t443\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t67495\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48","provider_guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","opcode":"Info","thread_id":5552,"beat":{"hostname":"WECserver","version":"6.7.0","name":"WECserver"},"source_name":"Microsoft-Windows-Security-Auditing","log_name":"Security","task":"Filtering Platform Connection","process_id":4}
```
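The two snippets above come from different winlogbeat versions and do not share a layout: the 7.4.0 records nest the Windows fields under `winlog`, while the 6.7.0 records keep `event_id`, `source_name`, `computer_name` and `event_data` at the top level, and the Security 5156 records carry `Direction` only as a `%%14593` placeholder in `event_data` with the readable value in `message`. As an added example (not code from the dataset or its authors), the following Python normalizes both layouts into one shape so the two execution rounds can be processed with the same logic; the sample records are constructed, and passing a dataset `.json` file as the first argument runs it on real data.

```python
import json
import sys
from collections import Counter
# Constructed samples, not dataset records: 7.4.0 nests under "winlog", 6.7.0 is flat.
SAMPLE_LINES = [
    '{"@timestamp":"2019-10-20T20:14:13.625Z","winlog":{"event_id":10,'
    '"provider_name":"Microsoft-Windows-Sysmon","computer_name":"IT001.shire.com",'
    '"event_data":{"SourceImage":"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe",'
    '"TargetImage":"C:\\\\Windows\\\\system32\\\\svchost.exe","GrantedAccess":"0x1410"}}}',
    '{"@timestamp":"2019-05-14T23:04:23.636Z","event_id":5156,'
    '"source_name":"Microsoft-Windows-Security-Auditing","computer_name":"HR001.shire.com",'
    '"message":"The Windows Filtering Platform has permitted a connection.\\n\\n'
    'Network Information:\\n\\tDirection:\\t\\tOutbound\\n\\tSource Address:\\t\\t172.18.39.106\\n",'
    '"event_data":{"Application":"\\\\device\\\\harddiskvolume2\\\\windows\\\\system32\\\\'
    'windowspowershell\\\\v1.0\\\\powershell.exe","Direction":"%%14593","DestAddress":"10.0.10.106","DestPort":"443"}}',
]

def normalize(record):
    """Map a 6.x or 7.x winlogbeat record onto one flat shape."""
    src = record.get("winlog", record)            # 7.x nests under "winlog"; 6.x does not
    provider = src.get("provider_name") or src.get("source_name")
    return {"ts": record["@timestamp"], "host": src.get("computer_name"),
            "event_id": int(src["event_id"]), "provider": provider,
            "data": src.get("event_data", {}), "message": record.get("message", "")}

def message_field(message, label):
    """Read 'Label:<tabs>value' from the rendered message text; event_data holds
    some fields (e.g. Direction) only as %%-placeholders, the message has the words."""
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == label:
            return value.strip()

def describe(ev):
    """One-line summary for the two event types shown in the page's snippets."""
    d = ev["data"]
    if ev["provider"] == "Microsoft-Windows-Sysmon" and ev["event_id"] == 10:
        return f"{ev['host']} ProcessAccess {d['SourceImage']} -> {d['TargetImage']} ({d['GrantedAccess']})"
    if ev["provider"] == "Microsoft-Windows-Security-Auditing" and ev["event_id"] == 5156:
        direction = message_field(ev["message"], "Direction") or d.get("Direction")
        return f"{ev['host']} WFP {direction} {d['Application']} -> {d['DestAddress']}:{d['DestPort']}"
    return f"{ev['host']} {ev['provider']} EID {ev['event_id']}"

def load(lines):
    events = [normalize(json.loads(line)) for line in lines if line.strip()]
    return events, Counter((e["provider"], e["event_id"]) for e in events)

if __name__ == "__main__":
    lines = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_LINES
    events, counts = load(lines)
    for (provider, eid), n in counts.most_common():
        print(f"{n:6d}  {provider} EID {eid}")
    print(*map(describe, events[:5]), sep="\n")
```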