# Windows-APT 2025: A dataset for APT-inspired attack scenarios on windows systems

**Authors:** Maryam Mozaffari, Abbas Yazdinejad, Ali Dehghantanha

PMC · DOI: 10.1016/j.dib.2026.112569 · Data in Brief · 2026-02-11

## TL;DR

Windows-APT 2025 is a dataset of 36 APT-inspired attack scenarios emulated with MITRE Caldera on Windows hosts. The resulting system and network logs, collected with Wazuh and mapped to MITRE ATT&CK techniques, are released as 19 CSV files together with the configuration needed to reproduce the runs, for training detection models and evaluating intrusion detection systems.

## Contribution

A novel dataset of 36 APT-inspired attack scenarios for Windows systems, mapped to MITRE ATT&CK and generated via adversary emulation.

## Key findings

- The package contains 19 CSV files: 16 per-period logs, one combined log, and two supplementary CSVs (a manifest and a validation file), holding system and network logs collected from the emulated scenarios.
- It is intended for training machine learning detectors and for evaluating intrusion detection systems against APT-style activity on Windows.
- Scenarios are derived from MITRE ATT&CK group entries reported as China-attributed (the authors make no attribution claim of their own), and the configuration files shipped with the package allow the emulation runs to be replicated.

## Abstract

The Windows-APT Dataset 2025 represents a significant advancement in cybersecurity research, addressing critical gaps in the understanding of advanced persistent threat (APT) tactics against Windows systems. Existing datasets largely focus on network data, often overlooking the detailed tactics, techniques, and procedures (TTPs) used by sophisticated threat actors. To bridge this gap, we developed a comprehensive dataset of 36 APT-inspired scenarios derived from threat actor profiles documented in the MITRE ATT&CK framework. Scenario selection mirrors MITRE ATT&CK group entries reported as China-attributed; we do not assert attribution and focus strictly on reproducing reported TTPs for research. Leveraging the MITRE Caldera framework for adversary emulation, we generated extensive system and network event logs, collected via Wazuh, and systematically mapped them to the MITRE ATT&CK framework. This dataset provides a valuable asset for machine learning model training, intrusion detection system evaluation, and the enhancement of APT dynamics studies. By providing a detailed view of APT activities in Windows environments, it enables stronger threat detection, informs defensive strategies, and facilitates development of effective countermeasures against emerging cyber threats. The dataset package contains 19 CSV files (including 16 per-period logs, one combined log, and two supplementary CSVs for manifest and validation), along with configuration files to support exact replication.
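The abstract describes a package of per-period and combined logs plus a manifest and a validation CSV, with every event mapped to MITRE ATT&CK. Two checks a practitioner would run before training on such a package are file-integrity verification against the manifest and a per-scenario check that each row carries a well-formed technique ID. The Python below is an added example, not code from the paper or its authors; the column names (`scenario`, `technique_id`, `tactic`), file names, hashes and log rows are constructed for illustration and do not describe the dataset's documented schema.

```python
"""Sanity checks for a Windows-APT-style dataset package: manifest verification
and per-scenario ATT&CK technique coverage, run over constructed sample data."""
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed sample of a combined log. The column names are an assumption for
# this example, not the dataset's documented schema.
SAMPLE_COMBINED_CSV = """scenario,timestamp,host,source,technique_id,tactic,message
S01,2025-03-01T10:00:01Z,WIN10-01,sysmon,T1059.001,execution,powershell.exe -nop -w hidden -enc ...
S01,2025-03-01T10:00:05Z,WIN10-01,sysmon,T1547.001,persistence,Registry value set under HKCU Run key
S01,2025-03-01T10:00:09Z,WIN10-01,wazuh,,,File integrity event without a technique mapping
S02,2025-03-02T11:30:00Z,WIN10-02,sysmon,T1003.001,credential-access,rundll32.exe comsvcs.dll MiniDump
S02,2025-03-02T11:31:00Z,WIN10-02,netflow,T1071.001,command-and-control,HTTP POST to 203.0.113.7:443
S02,2025-03-02T11:31:30Z,WIN10-02,sysmon,t1071.001,command-and-control,same technique with lowercase id
S03,2025-03-03T09:00:00Z,WIN10-03,sysmon,TA0002,execution,tactic id given where a technique id belongs
"""

# ATT&CK technique IDs have the form T1234 or T1234.001 (sub-technique).
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed package contents and manifest (file name -> expected SHA-256).
SAMPLE_FILES = {
    "combined_log.csv": SAMPLE_COMBINED_CSV.encode(),
    "period_01.csv": b"scenario,timestamp\nS01,2025-03-01T10:00:01Z\n",
    "period_02.csv": b"scenario,timestamp\nS02,2025-03-02T11:30:00Z\n",
}
SAMPLE_MANIFEST = {
    "combined_log.csv": sha256_hex(SAMPLE_FILES["combined_log.csv"]),
    "period_01.csv": sha256_hex(SAMPLE_FILES["period_01.csv"]),
    "period_02.csv": "00" * 32,  # deliberately wrong: stands in for a modified file
    "period_03.csv": "11" * 32,  # listed in the manifest but not shipped
}


def verify_manifest(manifest, files):
    """Compare a manifest {name: sha256hex} with file contents {name: bytes}.
    Returns sorted name lists: ok, mismatched (hash differs), missing (listed
    but absent) and extra (shipped but not listed)."""
    ok, mismatched, missing = [], [], []
    for name, expected in manifest.items():
        if name not in files:
            missing.append(name)
        elif sha256_hex(files[name]) == expected.lower():
            ok.append(name)
        else:
            mismatched.append(name)
    extra = sorted(set(files) - set(manifest))
    return {"ok": sorted(ok), "mismatched": sorted(mismatched),
            "missing": sorted(missing), "extra": extra}


def technique_coverage(csv_text):
    """Group ATT&CK technique IDs by scenario. Returns (coverage, unmapped):
    coverage maps scenario -> sorted unique technique IDs (upper-cased);
    unmapped lists (row_number, scenario, raw_id) for rows whose ID is empty
    or does not match the technique ID pattern, so they can be fixed before
    the rows are used as labelled training data."""
    coverage = defaultdict(set)
    unmapped = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        tid = (row.get("technique_id") or "").strip().upper()
        if TECHNIQUE_RE.match(tid):
            coverage[row["scenario"]].add(tid)
        else:
            unmapped.append((row_no, row["scenario"], tid))
    return {s: sorted(t) for s, t in coverage.items()}, unmapped


if __name__ == "__main__":
    report = verify_manifest(SAMPLE_MANIFEST, SAMPLE_FILES)
    print("manifest:", report)
    cov, bad = technique_coverage(SAMPLE_COMBINED_CSV)
    for scenario, techniques in cov.items():
        print(scenario, ", ".join(techniques))
    print("rows needing attention:", bad)
```

Rows that fail the technique-ID check are the ones to inspect by hand: an empty ID usually means a benign or unmapped event that should not carry an attack label, and a tactic ID (`TA….`) in the technique column is a mapping error rather than a new technique. A real manifest would be checked against files on disk rather than in-memory bytes, but the comparison is the same.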

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12950481/full.md

## Figures

4 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12950481/full.md

## References

20 references — full list in the complete paper: https://tomesphere.com/paper/PMC12950481/full.md

---
Source: https://tomesphere.com/paper/PMC12950481