Published: 26 February 2024 | Version 2 | DOI: 10.17632/5x68fv63sh.2
Sohaib Karim


A novel dataset, "Linux-APT-Dataset-2024", that includes the Tactics, Techniques and Procedures (TTPs) of APT attacks in a Linux environment. There are two files, 'combine.csv' and 'Processed Version.xlsx'; both include 17 files ranging from 01 October 2023 to 07 January 2024, and each file contains all the essential data fields. These 17 files can be found at the link below: Karim, S. (2024). Linux-APT-Dataset-2024 [Data set]. Zenodo.

1. combine.csv is the raw file, a merger of all 17 files extracted from the SIEM 'WAZUH' after the simulation of the latest attacks in the environment. Because of WAZUH's limitation in producing files with more than 10,000 records, all of the files are combined into one that can be used as input for other analyses.

2. Processed Version.xlsx is the compiled version of combine.csv. The file extension is changed to xlsx because of the support available on most systems, and Tactics and Techniques are separated for the convenience of different researchers. Each record is also tagged as General or Malicious: a value of 1 means suspicious/malicious, otherwise 0 for a General/Normal log.

The dataset contains both types of activities/logs, general as well as malicious/suspicious, to make the dataset near real-time for better analysis and evaluation. It will be more productive if the cybersecurity framework considered for mapping the TTPs is MITRE. The simulated attacks include all the privilege escalation payloads for Linux, recently discovered CVEs, emulations of key-loggers, and APTs like APT41, APT28, APT29 and Turla. An effective way to mark a log/record as general or suspicious is to check whether it is TTP tagged: if so, it is suspicious/malicious; otherwise it is considered general.

While developing the dataset we have

The dataset is also useful for analysing all the critical log resources in the Linux environment that could be considered while performing forensic activity.
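The two preparation steps described above (merging the size-limited SIEM exports into one table, then splitting the MITRE fields and deriving the 0/1 General/Malicious flag from the presence of a TTP tag) can be reproduced with a few lines of Python. The block below is an added illustration, not code shipped with the dataset or by the author. The column headers follow Wazuh's rule.mitre.* alert field names and the sample rows are constructed; the dataset's real headers are not given on the page, so treat both as assumptions.

```python
import csv
import io
from typing import Dict, Iterable, List

# Constructed sample rows standing in for two of the 17 Wazuh exports.
# Header names follow Wazuh's rule.mitre.* alert fields (an assumption; the
# page does not list the dataset's columns). Multi-valued MITRE cells are
# assumed to be comma-joined inside one quoted field.
CHUNK_1 = """timestamp,agent.name,rule.description,rule.mitre.id,rule.mitre.tactic,rule.mitre.technique
2023-10-01T08:12:03Z,web01,Login session opened.,,,
2023-10-01T08:12:41Z,web01,Successful sudo to ROOT executed.,T1548.003,"Privilege Escalation, Defense Evasion",Sudo and Sudo Caching
2023-10-01T08:13:02Z,web01,Listened ports status (netstat) changed.,,,
"""

# The second export repeats the last row of the first: overlapping boundary
# rows are a realistic artefact of paging through a record-limited export.
CHUNK_2 = """timestamp,agent.name,rule.description,rule.mitre.id,rule.mitre.tactic,rule.mitre.technique
2023-10-01T08:13:02Z,web01,Listened ports status (netstat) changed.,,,
2023-10-01T08:15:55Z,db02,New SSH key added to authorized_keys.,T1098.004,Persistence,SSH Authorized Keys
"""

MITRE_FIELDS = ("rule.mitre.id", "rule.mitre.tactic", "rule.mitre.technique")


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse one SIEM CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def merge_exports(chunks: Iterable[str]) -> List[Dict[str, str]]:
    """Concatenate several exports into one table (the role of combine.csv).

    Rows that are identical across chunks are kept once, so an overlap at a
    page boundary does not count the same event twice.
    """
    seen = set()
    merged: List[Dict[str, str]] = []
    for chunk in chunks:
        for row in parse_export(chunk):
            key = tuple(sorted(row.items()))
            if key in seen:
                continue
            seen.add(key)
            merged.append(row)
    return merged


def split_multi(value: str) -> List[str]:
    """Split a comma-joined MITRE cell into its individual values."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def label_row(row: Dict[str, str]) -> int:
    """1 if the row carries any TTP tag (suspicious/malicious), else 0 (general)."""
    return int(any((row.get(f) or "").strip() for f in MITRE_FIELDS))


def process(rows: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Build the 'Processed Version' view: tactics and techniques as separate
    lists, plus the 0/1 General/Malicious flag derived from the TTP tag."""
    out: List[Dict[str, object]] = []
    for row in rows:
        out.append({
            "timestamp": row["timestamp"],
            "agent": row["agent.name"],
            "description": row["rule.description"],
            "technique_ids": split_multi(row.get("rule.mitre.id", "")),
            "tactics": split_multi(row.get("rule.mitre.tactic", "")),
            "techniques": split_multi(row.get("rule.mitre.technique", "")),
            "malicious": label_row(row),
        })
    return out


def summarize(processed: List[Dict[str, object]]) -> Dict[str, int]:
    """Count general vs. malicious rows: a quick class-balance check."""
    malicious = sum(int(r["malicious"]) for r in processed)
    return {"total": len(processed), "malicious": malicious,
            "general": len(processed) - malicious}


if __name__ == "__main__":
    table = process(merge_exports([CHUNK_1, CHUNK_2]))
    for r in table:
        print(r["timestamp"], r["malicious"], r["tactics"], r["techniques"])
    print(summarize(table))
```

The de-duplication in merge_exports is a design choice for the case where consecutive exports overlap; if the original 17 files are known to be disjoint it can be dropped without changing the labels. The label itself depends only on whether any MITRE field is populated, which is exactly the rule the description gives for separating general from suspicious records.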



Intrusion Detection, Linux