Add new test data for T1553.001

Author: jwindley

datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log

@@ -0,0 +1,2 @@
+{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:24:32 2025 UTC","unixTime":1765812272,"epoch":0,"counter":2369,"numerics":false,"columns":{"cdhash":"673710e00b9bdf6667e88ac54f55c23416692d29","child_pid":"","cmdline":"/usr/bin/xattr -c myapp.app ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/jamie/atomic-red-team","egid":"0","env":"USER=root SUDO_UID=501 SHELL=/bin/sh LANG=en_GB.UTF-8 SUDO_USER=jamie TERM=xterm-256color LOGNAME=root PATH=/usr/local/microsoft/powershell/7:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin PSModulePath=/Users/jamie/.local/share/powershell/Modules:/usr/local/share/powershell/Modules:/usr/local/microsoft/powershell/7/Modules MAIL=/var/mail/root SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:2 SUDO_COMMAND=/usr/local/bin/pwsh SUDO_GID=20 HOME=/Users/jamie ","env_count":"15","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"9729","original_parent":"2779","parent":"2779","parent_pidversion":"7083","path":"/usr/bin/xattr","pid":"3264","pidversion":"8256","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4409","session_id":"926","signing_id":"com.apple.xattr","team_id":"","time":"1765812265","uid":"0","username":"root","version":"8"},"action":"added"}
+{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:11:08 2025 UTC","unixTime":1765811468,"epoch":0,"counter":2286,"numerics":false,"columns":{"cdhash":"673710e00b9bdf6667e88ac54f55c23416692d29","child_pid":"","cmdline":"xattr -d com.apple.quarantine myapp.app ","cmdline_count":"4","codesigning_flags":"","cwd":"/private/tmp","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=jamie SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:2 MAIL=/var/mail/root PATH=/usr/local/microsoft/powershell/7:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin PSModulePath=/Users/jamie/.local/share/powershell/Modules:/usr/local/share/powershell/Modules:/usr/local/microsoft/powershell/7/Modules PWD=/private/tmp LANG=en_GB.UTF-8 SHLVL=1 HOME=/Users/jamie SUDO_COMMAND=/usr/local/bin/pwsh LOGNAME=root SUDO_GID=20 _=/usr/bin/xattr ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"8939","original_parent":"2779","parent":"2779","parent_pidversion":"7083","path":"/usr/bin/xattr","pid":"3033","pidversion":"7696","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4080","session_id":"926","signing_id":"com.apple.xattr","team_id":"","time":"1765811460","uid":"0","username":"root","version":"8"},"action":"added"}

datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml

@@ -0,0 +1,11 @@
+author: Jamie Windley
+id: bc5865ff-2ea2-4b78-b34b-f2b375d464a3
+date: '2025-12-16'
+description: Generated dataset for MacOS Gatekeeper Bypass using xattr
+environment: vm
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
+sourcetypes:
+- osquery:results
+references:
+- https://www.atomicredteam.io/atomic-red-team/atomics/T1553.001

datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log

@@ -0,0 +1 @@
+{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:33:40 2025 UTC","unixTime":1765812820,"epoch":0,"counter":2427,"numerics":false,"columns":{"cdhash":"7bfc830ea6042fc5185981292c3f8132fe1bdca7","child_pid":"","cmdline":"/usr/libexec/PlistBuddy -c \"Add :LSFileQuarantineEnabled bool false\" /Users/jamie/TestApp.app/Contents/Info.plist ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/jamie/atomic-red-team","egid":"20","env":"TERM_PROGRAM=Apple_Terminal SHELL=/bin/zsh TERM=xterm-256color TMPDIR=/var/folders/nk/s40ysrxj0nz9pq1gtwyv04040000gn/T/ TERM_PROGRAM_VERSION=455.1 TERM_SESSION_ID=B13E8812-EC11-4F13-8450-779CEF9D7288 USER=jamie SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners PATH=/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin __CFBundleIdentifier=com.apple.Terminal PWD=/Users/jamie/atomic-red-team XPC_FLAGS=0x0 XPC_SERVICE_NAME=0 SHLVL=1 HOME=/Users/jamie LOGNAME=jamie OLDPWD=/Users/jamie/atomic-red-team HOMEBREW_PREFIX=/opt/homebrew HOMEBREW_CELLAR=/opt/homebrew/Cellar HOMEBREW_REPOSITORY=/opt/homebrew INFOPATH=/opt/homebrew/share/info: LANG=en_GB.UTF-8 _=/usr/libexec/PlistBuddy ","env_count":"23","euid":"20","event_type":"exec","exit_code":"","gid":"20","global_seq_num":"10245","original_parent":"3183","parent":"3183","parent_pidversion":"8063","path":"/usr/libexec/PlistBuddy","pid":"3415","pidversion":"8621","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4623","session_id":"3182","signing_id":"com.apple.PlistBuddy","team_id":"","time":"1765812815","uid":"501","username":"jamie","version":"8"},"action":"added"}

datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml

@@ -0,0 +1,11 @@
+author: Jamie Windley
+id: fbcfb4fb-1be3-4348-87d3-60c68a0b6334
+date: '2025-12-16'
+description: Generated dataset for MacOS Gatekeeper Bypass by making changes to LSFileQuarantineEnabled field in Info.plist
+environment: vm
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/detectionstrategies/DET0288