From ed9e11ccbd97db729690b4fe5ef533dbae3a6e45 Mon Sep 17 00:00:00 2001 From: jwindley <15244271+jwindley@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:49:11 +0000 Subject: [PATCH 1/9] Add new test data for T1553.001 --- .../macos_gatekeeper_bypass_xattr.log | 2 ++ .../macos_gatekeeper_bypass_xattr.yml | 11 +++++++++++ ...acos_gatekeeper_bypass_LSFileQuarantineEnabled.log | 1 + ...acos_gatekeeper_bypass_LSFileQuarantineEnabled.yml | 11 +++++++++++ 4 files changed, 25 insertions(+) create mode 100644 datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log create mode 100644 datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml create mode 100644 datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log create mode 100644 datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log new file mode 100644 index 00000000..8e0ed5c7 --- /dev/null +++ b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log 
@@ -0,0 +1,2 @@ +{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:24:32 2025 UTC","unixTime":1765812272,"epoch":0,"counter":2369,"numerics":false,"columns":{"cdhash":"673710e00b9bdf6667e88ac54f55c23416692d29","child_pid":"","cmdline":"/usr/bin/xattr -c myapp.app ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/jamie/atomic-red-team","egid":"0","env":"USER=root SUDO_UID=501 SHELL=/bin/sh LANG=en_GB.UTF-8 SUDO_USER=jamie TERM=xterm-256color LOGNAME=root PATH=/usr/local/microsoft/powershell/7:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin PSModulePath=/Users/jamie/.local/share/powershell/Modules:/usr/local/share/powershell/Modules:/usr/local/microsoft/powershell/7/Modules MAIL=/var/mail/root SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:2 SUDO_COMMAND=/usr/local/bin/pwsh SUDO_GID=20 HOME=/Users/jamie ","env_count":"15","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"9729","original_parent":"2779","parent":"2779","parent_pidversion":"7083","path":"/usr/bin/xattr","pid":"3264","pidversion":"8256","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4409","session_id":"926","signing_id":"com.apple.xattr","team_id":"","time":"1765812265","uid":"0","username":"root","version":"8"},"action":"added"} +{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:11:08 2025 UTC","unixTime":1765811468,"epoch":0,"counter":2286,"numerics":false,"columns":{"cdhash":"673710e00b9bdf6667e88ac54f55c23416692d29","child_pid":"","cmdline":"xattr -d com.apple.quarantine myapp.app 
","cmdline_count":"4","codesigning_flags":"","cwd":"/private/tmp","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=jamie SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:2 MAIL=/var/mail/root PATH=/usr/local/microsoft/powershell/7:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin PSModulePath=/Users/jamie/.local/share/powershell/Modules:/usr/local/share/powershell/Modules:/usr/local/microsoft/powershell/7/Modules PWD=/private/tmp LANG=en_GB.UTF-8 SHLVL=1 HOME=/Users/jamie SUDO_COMMAND=/usr/local/bin/pwsh LOGNAME=root SUDO_GID=20 _=/usr/bin/xattr ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"8939","original_parent":"2779","parent":"2779","parent_pidversion":"7083","path":"/usr/bin/xattr","pid":"3033","pidversion":"7696","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4080","session_id":"926","signing_id":"com.apple.xattr","team_id":"","time":"1765811460","uid":"0","username":"root","version":"8"},"action":"added"} diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml new file mode 100644 index 00000000..df9501bd --- /dev/null +++ b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml 
@@ -0,0 +1,11 @@
+author: Jamie Windley
+id: bc5865ff-2ea2-4b78-b34b-f2b375d464a3
+date: '2025-12-16'
+description: Generated dataset for MacOS Gatekeeper Bypass using xattr
+environment: vm
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
+sourcetypes:
+- osquery:results
+references:
+- https://www.atomicredteam.io/atomic-red-team/atomics/T1553.001
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
new file mode 100644
index 00000000..9d37a432
--- /dev/null
+++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
@@ -0,0 +1 @@ +{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:33:40 2025 UTC","unixTime":1765812820,"epoch":0,"counter":2427,"numerics":false,"columns":{"cdhash":"7bfc830ea6042fc5185981292c3f8132fe1bdca7","child_pid":"","cmdline":"/usr/libexec/PlistBuddy -c \"Add :LSFileQuarantineEnabled bool false\" /Users/jamie/TestApp.app/Contents/Info.plist ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/jamie/atomic-red-team","egid":"20","env":"TERM_PROGRAM=Apple_Terminal SHELL=/bin/zsh TERM=xterm-256color TMPDIR=/var/folders/nk/s40ysrxj0nz9pq1gtwyv04040000gn/T/ TERM_PROGRAM_VERSION=455.1 TERM_SESSION_ID=B13E8812-EC11-4F13-8450-779CEF9D7288 USER=jamie SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners PATH=/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin __CFBundleIdentifier=com.apple.Terminal PWD=/Users/jamie/atomic-red-team XPC_FLAGS=0x0 XPC_SERVICE_NAME=0 SHLVL=1 HOME=/Users/jamie LOGNAME=jamie OLDPWD=/Users/jamie/atomic-red-team HOMEBREW_PREFIX=/opt/homebrew HOMEBREW_CELLAR=/opt/homebrew/Cellar HOMEBREW_REPOSITORY=/opt/homebrew INFOPATH=/opt/homebrew/share/info: LANG=en_GB.UTF-8 _=/usr/libexec/PlistBuddy ","env_count":"23","euid":"20","event_type":"exec","exit_code":"","gid":"20","global_seq_num":"10245","original_parent":"3183","parent":"3183","parent_pidversion":"8063","path":"/usr/libexec/PlistBuddy","pid":"3415","pidversion":"8621","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4623","session_id":"3182","signing_id":"com.apple.PlistBuddy","team_id":"","time":"1765812815","uid":"501","username":"jamie","version":"8"},"action":"added"} 
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml new file mode 100644 index 00000000..0c0f5d88 --- /dev/null +++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml @@ -0,0 +1,11 @@ +author: Jamie Windley +id: fbcfb4fb-1be3-4348-87d3-60c68a0b6334 +date: '2025-12-16' +description: Generated dataset for MacOS Gatekeeper Bypass by making changes to LSFileQuarantineEnabled field in Info.plist +environment: vm +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log +sourcetypes: +- osquery:results +references: +- https://attack.mitre.org/detectionstrategies/DET0288 \ No newline at end of file From 6b7f705c027068ff514c18d12105f8ea71b674d7 Mon Sep 17 00:00:00 2001 From: jwindley <15244271+jwindley@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:55:01 +0000 Subject: [PATCH 2/9] Update yml files to fix validation issues --- .../macos_gatekeeper_bypass_xattr.yml | 8 ++++---- .../macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml index df9501bd..f27190af 100644 --- a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml 
+++ b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
@@ -3,9 +3,9 @@ id: bc5865ff-2ea2-4b78-b34b-f2b375d464a3
 date: '2025-12-16'
 description: Generated dataset for MacOS Gatekeeper Bypass using xattr
 environment: vm
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
-sourcetypes:
-- osquery:results
+datasets:
+- name: macos_gatekeeper_bypass_xattr.log
+ path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/
+ sourcetype: 'osquery:results'
 references:
 - https://www.atomicredteam.io/atomic-red-team/atomics/T1553.001
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
index 0c0f5d88..7ddff3c1 100644
--- a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
+++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
@@ -3,9 +3,9 @@ id: fbcfb4fb-1be3-4348-87d3-60c68a0b6334
 date: '2025-12-16'
 description: Generated dataset for MacOS Gatekeeper Bypass by making changes to LSFileQuarantineEnabled field in Info.plist
 environment: vm
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
-sourcetypes:
-- osquery:results
+datasets:
+- name: macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
+ path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/
+ sourcetypes: 'osquery:results'
 references:
 - https://attack.mitre.org/detectionstrategies/DET0288
\ No newline at end of file
From 87843bdd2a9cb7f16497d155ea0f91d0d5eb5a95 Mon Sep 17 00:00:00 2001
From: jwindley <15244271+jwindley@users.noreply.github.com>
Date: Tue, 16 Dec 2025 10:58:54 +0000
Subject: [PATCH 3/9] Update yml files to fix validation issues (removing references)
---
 .../macos_gatekeeper_bypass_xattr.yml | 4 +---
 .../macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
index f27190af..f5276136 100644
--- a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
+++ b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
@@ -6,6 +6,4 @@ environment: vm
 datasets:
 - name: macos_gatekeeper_bypass_xattr.log
 path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/
- sourcetype: 'osquery:results'
-references:
-- https://www.atomicredteam.io/atomic-red-team/atomics/T1553.001
\ No newline at end of file
+ sourcetype: 'osquery:results'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
index 7ddff3c1..d0720092 100644
--- a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
+++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
@@ -6,6 +6,4 @@ environment: vm
 datasets:
 - name: macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
 path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/
- sourcetypes: 'osquery:results'
-references:
-- https://attack.mitre.org/detectionstrategies/DET0288
\ No newline at end of file
+ sourcetypes: 'osquery:results'
\ No newline at end of file
From bb01a0e26bcf0e21ba2489bf06e34484c4392e4e Mon Sep 17 00:00:00 2001
From: jwindley <15244271+jwindley@users.noreply.github.com>
Date: Tue, 16 Dec 2025 11:00:14 +0000
Subject: [PATCH 4/9] Update yml files to fix validation issues (adding source)
---
 .../macos_gatekeeper_bypass_xattr.yml | 3 ++-
 .../macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
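Review bot: Removing the `references` lists drops the only provenance for both datasets — the Atomic Red Team page for T1553.001 and the MITRE detection strategy DET0288 — and nothing later in the series puts it back. If the validator's schema really has no references field, keep the pointers somewhere that survives validation, e.g. fold them into the description: `description: Generated dataset for MacOS Gatekeeper Bypass using xattr (Atomic Red Team T1553.001, https://www.atomicredteam.io/atomic-red-team/atomics/T1553.001)`. The removed `- https://attack.mitre.org/detectionstrategies/DET0288` line is the one a detection author would most want to find again.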
diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
index f5276136..041c361a 100644
--- a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
+++ b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
@@ -6,4 +6,5 @@ environment: vm
 datasets:
 - name: macos_gatekeeper_bypass_xattr.log
 path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/
- sourcetype: 'osquery:results'
\ No newline at end of file
+ sourcetype: 'osquery:results'
+ source: '/var/log/osquery/osqueryd.results.log'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
index d0720092..b69a280a 100644
--- a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
+++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
@@ -6,4 +6,5 @@ environment: vm
 datasets:
 - name: macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
 path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/
- sourcetypes: 'osquery:results'
\ No newline at end of file
+ sourcetypes: 'osquery:results'
+ source: '/var/log/osquery/osqueryd.results.log'
\ No newline at end of file
From 1352e2ecae6f9ff2ced098d3f4b5657cc5a61308 Mon Sep 17 00:00:00 2001 From: jwindley <15244271+jwindley@users.noreply.github.com> Date: Tue, 16 Dec 2025 11:01:20 +0000 Subject: [PATCH 5/9] Update yml files to fix validation issues (removing the s from sourcetypes) --- .../macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml index b69a280a..14f952f8 100644 --- a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml +++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml @@ -6,5 +6,5 @@ environment: vm datasets: - name: macos_gatekeeper_bypass_LSFileQuarantineEnabled.log path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/ - sourcetypes: 'osquery:results' + sourcetype: 'osquery:results' source: '/var/log/osquery/osqueryd.results.log' \ No newline at end of file From 0d231bdded1eb2433516e55f020e5a59655caf03 Mon Sep 17 00:00:00 2001 From: jwindley <15244271+jwindley@users.noreply.github.com> Date: Tue, 16 Dec 2025 12:00:57 +0000 Subject: [PATCH 6/9] add log files as lfs objects --- .gitattributes | 3 +++ .../macos_gatekeeper_bypass_xattr.log | 5 +++-- .../macos_gatekeeper_bypass_LSFileQuarantineEnabled.log | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.gitattributes b/.gitattributes index a6e9819c..16c5fd12 100644 --- a/.gitattributes +++ b/.gitattributes 
@@ -1,3 +1,6 @@
 *.json filter=lfs diff=lfs merge=lfs -text
 *.log filter=lfs diff=lfs merge=lfs -text
 *.log text encoding=utf-8
+LICENSE filter=lfs diff=lfs merge=lfs -text
+README.md filter=lfs diff=lfs merge=lfs -text
+*log filter=lfs diff=lfs merge=lfs -text
diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
index 8e0ed5c7..7a50f3ec 100644
--- a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
+++ b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
@@ -1,2 +1,3 @@ -{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:24:32 2025 UTC","unixTime":1765812272,"epoch":0,"counter":2369,"numerics":false,"columns":{"cdhash":"673710e00b9bdf6667e88ac54f55c23416692d29","child_pid":"","cmdline":"/usr/bin/xattr -c myapp.app ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/jamie/atomic-red-team","egid":"0","env":"USER=root SUDO_UID=501 SHELL=/bin/sh LANG=en_GB.UTF-8 SUDO_USER=jamie TERM=xterm-256color LOGNAME=root PATH=/usr/local/microsoft/powershell/7:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin PSModulePath=/Users/jamie/.local/share/powershell/Modules:/usr/local/share/powershell/Modules:/usr/local/microsoft/powershell/7/Modules MAIL=/var/mail/root SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:2 SUDO_COMMAND=/usr/local/bin/pwsh SUDO_GID=20 HOME=/Users/jamie ","env_count":"15","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"9729","original_parent":"2779","parent":"2779","parent_pidversion":"7083","path":"/usr/bin/xattr","pid":"3264","pidversion":"8256","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4409","session_id":"926","signing_id":"com.apple.xattr","team_id":"","time":"1765812265","uid":"0","username":"root","version":"8"},"action":"added"} -{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:11:08 2025 UTC","unixTime":1765811468,"epoch":0,"counter":2286,"numerics":false,"columns":{"cdhash":"673710e00b9bdf6667e88ac54f55c23416692d29","child_pid":"","cmdline":"xattr -d com.apple.quarantine myapp.app 
","cmdline_count":"4","codesigning_flags":"","cwd":"/private/tmp","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=jamie SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:2 MAIL=/var/mail/root PATH=/usr/local/microsoft/powershell/7:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin PSModulePath=/Users/jamie/.local/share/powershell/Modules:/usr/local/share/powershell/Modules:/usr/local/microsoft/powershell/7/Modules PWD=/private/tmp LANG=en_GB.UTF-8 SHLVL=1 HOME=/Users/jamie SUDO_COMMAND=/usr/local/bin/pwsh LOGNAME=root SUDO_GID=20 _=/usr/bin/xattr ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"8939","original_parent":"2779","parent":"2779","parent_pidversion":"7083","path":"/usr/bin/xattr","pid":"3033","pidversion":"7696","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4080","session_id":"926","signing_id":"com.apple.xattr","team_id":"","time":"1765811460","uid":"0","username":"root","version":"8"},"action":"added"} +version https://git-lfs.github.com/spec/v1 +oid sha256:eed3cd1fcfd35b468a8326f4580800a64f54309121252111cd319d92f4329be7 +size 3352 diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log index 9d37a432..114afb25 100644 --- a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log 
+++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log 
@@ -1 +1,3 @@ -{"name":"log_processes","hostIdentifier":"jamies-Virtual-Machine.local","calendarTime":"Mon Dec 15 15:33:40 2025 UTC","unixTime":1765812820,"epoch":0,"counter":2427,"numerics":false,"columns":{"cdhash":"7bfc830ea6042fc5185981292c3f8132fe1bdca7","child_pid":"","cmdline":"/usr/libexec/PlistBuddy -c \"Add :LSFileQuarantineEnabled bool false\" /Users/jamie/TestApp.app/Contents/Info.plist ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/jamie/atomic-red-team","egid":"20","env":"TERM_PROGRAM=Apple_Terminal SHELL=/bin/zsh TERM=xterm-256color TMPDIR=/var/folders/nk/s40ysrxj0nz9pq1gtwyv04040000gn/T/ TERM_PROGRAM_VERSION=455.1 TERM_SESSION_ID=B13E8812-EC11-4F13-8450-779CEF9D7288 USER=jamie SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.g3GBt2ombP/Listeners PATH=/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin __CFBundleIdentifier=com.apple.Terminal PWD=/Users/jamie/atomic-red-team XPC_FLAGS=0x0 XPC_SERVICE_NAME=0 SHLVL=1 HOME=/Users/jamie LOGNAME=jamie OLDPWD=/Users/jamie/atomic-red-team HOMEBREW_PREFIX=/opt/homebrew HOMEBREW_CELLAR=/opt/homebrew/Cellar HOMEBREW_REPOSITORY=/opt/homebrew INFOPATH=/opt/homebrew/share/info: LANG=en_GB.UTF-8 _=/usr/libexec/PlistBuddy ","env_count":"23","euid":"20","event_type":"exec","exit_code":"","gid":"20","global_seq_num":"10245","original_parent":"3183","parent":"3183","parent_pidversion":"8063","path":"/usr/libexec/PlistBuddy","pid":"3415","pidversion":"8621","platform_binary":"1","responsible_pid":"925","responsible_pidversion":"2459","seq_num":"4623","session_id":"3182","signing_id":"com.apple.PlistBuddy","team_id":"","time":"1765812815","uid":"501","username":"jamie","version":"8"},"action":"added"} +version 
https://git-lfs.github.com/spec/v1 +oid sha256:2e2e29b722ab46aed1c4fb5c3c6a570ad298b10ef269d62c1b0c5fcf7d00b828 +size 1951 From 2a5e34f92bacdb5a7ea205b840f7a54acfc5a3be Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Sat, 20 Dec 2025 02:51:25 +0100 Subject: [PATCH 7/9] Update .gitattributes to remove LFS for specific files Removed LFS tracking for LICENSE and README.md files. --- .gitattributes | 3 --- 1 file changed, 3 deletions(-) diff --git a/.gitattributes b/.gitattributes index 16c5fd12..a6e9819c 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,6 +1,3 @@ *.json filter=lfs diff=lfs merge=lfs -text *.log filter=lfs diff=lfs merge=lfs -text *.log text encoding=utf-8 -LICENSE filter=lfs diff=lfs merge=lfs -text -README.md filter=lfs diff=lfs merge=lfs -text -*log filter=lfs diff=lfs merge=lfs -text From fefce40ab85c7832af48abb750cf8ba550ed0d6e Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Sat, 20 Dec 2025 02:52:24 +0100 Subject: [PATCH 8/9] Apply suggestions from code review --- .../macos_gatekeeper_bypass_xattr.yml | 3 +++ .../macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml index 041c361a..4bb4b83e 100644 --- a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml +++ b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml 
@@ -3,6 +3,9 @@ id: bc5865ff-2ea2-4b78-b34b-f2b375d464a3
 date: '2025-12-16'
 description: Generated dataset for MacOS Gatekeeper Bypass using xattr
 environment: vm
+directory: macos_gatekeeper_bypass_xattr
+mitre_technique:
+- T1553.001
 datasets:
 - name: macos_gatekeeper_bypass_xattr.log
 path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
index 14f952f8..1ad9f34c 100644
--- a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
+++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
@@ -3,6 +3,9 @@ id: fbcfb4fb-1be3-4348-87d3-60c68a0b6334
 date: '2025-12-16'
 description: Generated dataset for MacOS Gatekeeper Bypass by making changes to LSFileQuarantineEnabled field in Info.plist
 environment: vm
+directory: macos_gatekeeper_bypass_LSFileQuarantineEnabled
+mitre_technique:
+- T1553.001
 datasets:
 - name: macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
 path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/
From 6939ba8848d9d8579ab151eed8e9360bb0a601dd Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Sat, 20 Dec 2025 02:54:23 +0100
Subject: [PATCH 9/9] Apply suggestions from code review
---
 .../macos_gatekeeper_bypass_xattr.yml | 4 ++--
 .../macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
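Review bot: Both files now carry a leaf-only `directory:` value, but the two datasets live at different depths — the xattr set under `T1553.001/atomic_red_team/` and the LSFileQuarantineEnabled set directly under `T1553.001/` — and nothing in the series says why. The LSFileQuarantineEnabled event was run from `/Users/jamie/atomic-red-team` (its `cwd` in the log), so if it is also an Atomic test it should sit beside its sibling under `atomic_red_team/`; if it was run by hand, a sentence in `description` saying so would stop readers treating the placement as a mistake. The `mitre_technique` entries themselves are correct for both.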
diff --git a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
index 4bb4b83e..50bfde54 100644
--- a/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
+++ b/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.yml
@@ -8,6 +8,6 @@ mitre_technique:
 - T1553.001
 datasets:
 - name: macos_gatekeeper_bypass_xattr.log
- path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/
+ path: /datasets/attack_techniques/T1553.001/atomic_red_team/macos_gatekeeper_bypass_xattr/macos_gatekeeper_bypass_xattr.log
 sourcetype: 'osquery:results'
- source: '/var/log/osquery/osqueryd.results.log'
\ No newline at end of file
+ source: '/var/log/osquery/osqueryd.results.log'
diff --git a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
index 1ad9f34c..49397c5c 100644
--- a/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
+++ b/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.yml
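Review bot: `description: Generated dataset for MacOS Gatekeeper Bypass using xattr` is too thin for someone deciding whether this data exercises their rule; the file's header and hunk start outside this line, but the description is what consumers read. The log holds two events run as root (uid 0, `SUDO_COMMAND=/usr/local/bin/pwsh`): `xattr -d com.apple.quarantine myapp.app` and `xattr -c myapp.app`, the second of which clears every extended attribute rather than just the quarantine flag, so a rule that matches only on `com.apple.quarantine` will see one hit out of two. Suggest `description: Two osquery process-exec events of quarantine-attribute removal on macOS via xattr (xattr -d com.apple.quarantine, and xattr -c which strips all xattrs), executed as root during an Atomic Red Team T1553.001 run`. The new repo-rooted `/datasets/...` `path:` is fine assuming the loader resolves it against the repository root, which I cannot confirm from this series.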
@@ -8,6 +8,6 @@ mitre_technique:
 - T1553.001
 datasets:
 - name: macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
- path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/
+ path: /datasets/attack_techniques/T1553.001/macos_gatekeeper_bypass_LSFileQuarantineEnabled/macos_gatekeeper_bypass_LSFileQuarantineEnabled.log
 sourcetype: 'osquery:results'
- source: '/var/log/osquery/osqueryd.results.log'
\ No newline at end of file
+ source: '/var/log/osquery/osqueryd.results.log'
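Review bot: The description (above this hunk, at line 5 of the file) calls this a "Gatekeeper Bypass", but the only captured command is `PlistBuddy -c "Add :LSFileQuarantineEnabled bool false"` on an app's Info.plist, and as far as I recall that key controls whether files the app itself creates receive the quarantine attribute, not whether Gatekeeper evaluates the bundle — so what this data really exercises, and what a rule built on it will detect, is quarantine-setting tampering inside an app bundle. Suggest stating that and the sample's shape explicitly: `description: Single osquery process-exec event of PlistBuddy adding LSFileQuarantineEnabled=false to an app bundle's Info.plist (quarantine-attribute tampering, T1553.001), run as an unprivileged user`. As with the sibling file, the repo-rooted `/datasets/...` `path:` assumes the loader resolves it from the repository root.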