Add new test data for T1553.001 (#1109)

jwindley · nasbench · web-flow · commit 441e9b10c338 · 2025-12-20T02:55:44.000+01:00
---------

Co-authored-by: Nasreddine Bencherchali &lt;nasreddineb@splunk.com&gt;
diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eed3cd1fcfd35b468a8326f4580800a64f54309121252111cd319d92f4329be7
+size 3352
diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
@@ -0,0 +1,13 @@
+author: Jamie Windley
+id: bc5865ff-2ea2-4b78-b34b-f2b375d464a3
+date: '2025-12-16'
+description: Generated dataset for MacOS Gatekeeper Bypass using xattr
+environment: vm
+directory: macos_gatekeeper_bypass_xattr
+mitre_technique:
+- T1553.001
+datasets:
+- name: macos_gatekeeper_bypass_xattr.log
+  path: /datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
+  sourcetype: 'osquery:results'
+  source: '/var/log/osquery/osqueryd.results.log'
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e2e29b722ab46aed1c4fb5c3c6a570ad298b10ef269d62c1b0c5fcf7d00b828
+size 1951
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
@@ -0,0 +1,13 @@
+author: Jamie Windley
+id: fbcfb4fb-1be3-4348-87d3-60c68a0b6334
+date: '2025-12-16'
+description: Generated dataset for MacOS Gatekeeper Bypass by making changes to LSFileQuarantineEnabled field in Info.plist
+environment: vm
+directory: macos_gatekeeper_bypass_LSFileQuarantineEnabled
+mitre_technique:
+- T1553.001
+datasets:
+- name: macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
+  path: /datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
+  sourcetype: 'osquery:results'
+  source: '/var/log/osquery/osqueryd.results.log'

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:eed3cd1fcfd35b468a8326f4580800a64f54309121252111cd319d92f4329be7`
	`3`	`+size 3352`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:2e2e29b722ab46aed1c4fb5c3c6a570ad298b10ef269d62c1b0c5fcf7d00b828`
	`3`	`+size 1951`