From d03a67b5fcd550c8800fa2cefb3001df29f83de8 Mon Sep 17 00:00:00 2001 
From: Raven Tait Date: Fri, 20 Feb 2026 12:29:26 -0500 Subject: [PATCH] attack data for mac techniques --- .../T1030/osquery_data_chunking/osquery.log | 3 +++ .../T1030/osquery_data_chunking/osquery.yml | 11 +++++++++++ .../T1037.002/osquery_logon_scripts/osquery.log | 3 +++ .../T1037.002/osquery_logon_scripts/osquery.yml | 11 +++++++++++ .../T1053.004/osquery_persistence/osquery.log | 3 +++ .../T1053.004/osquery_persistence/osquery.yml | 11 +++++++++++ .../T1068/osquery_system_startup/osquery.log | 3 +++ .../T1068/osquery_system_startup/osquery.yml | 11 +++++++++++ .../T1070/osquery_log_removal/osquery.log | 3 +++ .../T1070/osquery_log_removal/osquery.yml | 11 +++++++++++ .../T1135/osquery_share_discovery/osquery.log | 3 +++ .../T1135/osquery_share_discovery/osquery.yml | 11 +++++++++++ .../T1136/osquery_account_creation/osquery.log | 3 +++ .../T1136/osquery_account_creation/osquery.yml | 11 +++++++++++ .../T1543/osquery_ketxload/osquery.log | 3 +++ .../T1543/osquery_ketxload/osquery.yml | 11 +++++++++++ .../T1555.001/osquery_keychains/osquery.log | 3 +++ .../T1555.001/osquery_keychains/osquery.yml | 11 +++++++++++ .../T1564.001/osquery_hidden_files/osquery.log | 3 +++ .../T1564.001/osquery_hidden_files/osquery.yml | 11 +++++++++++ 20 files changed, 140 insertions(+) create mode 100644 datasets/attack_techniques/T1030/osquery_data_chunking/osquery.log create mode 100644 datasets/attack_techniques/T1030/osquery_data_chunking/osquery.yml create mode 100644 datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.log create mode 100644 datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.yml create mode 100644 datasets/attack_techniques/T1053.004/osquery_persistence/osquery.log create mode 100644 datasets/attack_techniques/T1053.004/osquery_persistence/osquery.yml create mode 100644 datasets/attack_techniques/T1068/osquery_system_startup/osquery.log create mode 100644 datasets/attack_techniques/T1068/osquery_system_startup/osquery.yml create 
mode 100644 datasets/attack_techniques/T1070/osquery_log_removal/osquery.log create mode 100644 datasets/attack_techniques/T1070/osquery_log_removal/osquery.yml create mode 100644 datasets/attack_techniques/T1135/osquery_share_discovery/osquery.log create mode 100644 datasets/attack_techniques/T1135/osquery_share_discovery/osquery.yml create mode 100644 datasets/attack_techniques/T1136/osquery_account_creation/osquery.log create mode 100644 datasets/attack_techniques/T1136/osquery_account_creation/osquery.yml create mode 100644 datasets/attack_techniques/T1543/osquery_ketxload/osquery.log create mode 100644 datasets/attack_techniques/T1543/osquery_ketxload/osquery.yml create mode 100644 datasets/attack_techniques/T1555.001/osquery_keychains/osquery.log create mode 100644 datasets/attack_techniques/T1555.001/osquery_keychains/osquery.yml create mode 100644 datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.log create mode 100644 datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.yml
diff --git a/datasets/attack_techniques/T1030/osquery_data_chunking/osquery.log b/datasets/attack_techniques/T1030/osquery_data_chunking/osquery.log new file mode 100644
index 00000000..4e48635a
--- /dev/null
+++ b/datasets/attack_techniques/T1030/osquery_data_chunking/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc3fda3ff1a0f3862b5cb17e82390a43f6fc54a5a4a9a118f019461727ecb2e8
+size 9992
diff --git a/datasets/attack_techniques/T1030/osquery_data_chunking/osquery.yml b/datasets/attack_techniques/T1030/osquery_data_chunking/osquery.yml new file mode 100644
index 00000000..5251e385
--- /dev/null
+++ b/datasets/attack_techniques/T1030/osquery_data_chunking/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: e1ad8f03-6cb5-4ae9-a0c0-b9eb9ff0e4b8
+date: '2026-02-19'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/osquery_data_chunking/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1030/
diff --git a/datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.log b/datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.log new file mode 100644
index 00000000..eafa5efa
--- /dev/null
+++ b/datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b9b92d8af052ca04218b44efc58915627fce032fb1a6fee5751c4bb6a33bd760
+size 17994
diff --git a/datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.yml b/datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.yml new file mode 100644
index 00000000..c42b89eb
--- /dev/null
+++ b/datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: 69fb68a6-dce5-400f-8a5e-086abda181aa
+date: '2026-02-19'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.002/osquery_logon_scripts/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1037/002/
diff --git a/datasets/attack_techniques/T1053.004/osquery_persistence/osquery.log b/datasets/attack_techniques/T1053.004/osquery_persistence/osquery.log new file mode 100644
index 00000000..b97a6228
--- /dev/null
+++ b/datasets/attack_techniques/T1053.004/osquery_persistence/osquery.log
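Review bot: The `description` line in this T1030 yml is the same generic sentence, `Generation of Mac OSX techniques logged with osquery`, that the T1037.002, T1053.004, T1068, T1070, T1135, T1136, T1543 and T1564.001 yml hunks also carry, so the metadata never says which activity the attached osquery results actually record. A detection engineer choosing a dataset to replay or to validate a search against cannot distinguish these ten files without downloading each log. Replace the shared sentence in each yml with one that names the simulated behaviour and the host context, along the lines of (constructed example) `description: osquery results from a macOS attack_range host during a T1030 data-chunking simulation`, and if the osquery tables or query pack used are known, mention them too. The T1555.001 yml is slightly more specific but would benefit from the same treatment.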
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c25818a60216c479d081963996b39470a2799a6991fcd86b5479d7425cc3235
+size 5012
diff --git a/datasets/attack_techniques/T1053.004/osquery_persistence/osquery.yml b/datasets/attack_techniques/T1053.004/osquery_persistence/osquery.yml new file mode 100644
index 00000000..3fcfebb8
--- /dev/null
+++ b/datasets/attack_techniques/T1053.004/osquery_persistence/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: a319c571-0d12-4af7-b3dc-a30907e98277
+date: '2026-02-20'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.004/osquery_persistence/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1053/004/
diff --git a/datasets/attack_techniques/T1068/osquery_system_startup/osquery.log b/datasets/attack_techniques/T1068/osquery_system_startup/osquery.log new file mode 100644
index 00000000..2f8f5f31
--- /dev/null
+++ b/datasets/attack_techniques/T1068/osquery_system_startup/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3137c31603d3075c97373f932fbdd6ead2dc00f75b615a27857c2d52866d2686
+size 3314
diff --git a/datasets/attack_techniques/T1068/osquery_system_startup/osquery.yml b/datasets/attack_techniques/T1068/osquery_system_startup/osquery.yml new file mode 100644
index 00000000..ed85bb0c
--- /dev/null
+++ b/datasets/attack_techniques/T1068/osquery_system_startup/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: bb5c9118-aec9-4d94-b3a5-cf5e7f422740
+date: '2026-02-20'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/osquery_system_startup/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1068/
diff --git a/datasets/attack_techniques/T1070/osquery_log_removal/osquery.log b/datasets/attack_techniques/T1070/osquery_log_removal/osquery.log new file mode 100644
index 00000000..d57b47c5
--- /dev/null
+++ b/datasets/attack_techniques/T1070/osquery_log_removal/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce87d38d0b1aacefc671e5a097a8972ff414cd6f82f02b9b08968bd7b618a364
+size 5125
diff --git a/datasets/attack_techniques/T1070/osquery_log_removal/osquery.yml b/datasets/attack_techniques/T1070/osquery_log_removal/osquery.yml new file mode 100644
index 00000000..17b4b6a1
--- /dev/null
+++ b/datasets/attack_techniques/T1070/osquery_log_removal/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: 06297035-0abf-485a-9c4c-9f416999d845
+date: '2026-02-19'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/osquery_log_removal/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1070/
diff --git a/datasets/attack_techniques/T1135/osquery_share_discovery/osquery.log b/datasets/attack_techniques/T1135/osquery_share_discovery/osquery.log new file mode 100644
index 00000000..52a0ca83
--- /dev/null
+++ b/datasets/attack_techniques/T1135/osquery_share_discovery/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f1ca56ffe6f26edc26ca299f6bf6bc306a3c4b84932940f3a88e082745d29a29
+size 9120
diff --git a/datasets/attack_techniques/T1135/osquery_share_discovery/osquery.yml b/datasets/attack_techniques/T1135/osquery_share_discovery/osquery.yml new file mode 100644
index 00000000..451de3df
--- /dev/null
+++ b/datasets/attack_techniques/T1135/osquery_share_discovery/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: d93e309a-f7b1-4bef-b8b7-b447f1f616a3
+date: '2026-02-20'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/osquery_share_discovery/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1135/
diff --git a/datasets/attack_techniques/T1136/osquery_account_creation/osquery.log b/datasets/attack_techniques/T1136/osquery_account_creation/osquery.log new file mode 100644
index 00000000..78358aa2
--- /dev/null
+++ b/datasets/attack_techniques/T1136/osquery_account_creation/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5c5314b876c37c2ea34035f443ce907739bfbada3f7d5266de6ca891f853a8c3
+size 11005
diff --git a/datasets/attack_techniques/T1136/osquery_account_creation/osquery.yml b/datasets/attack_techniques/T1136/osquery_account_creation/osquery.yml new file mode 100644
index 00000000..49e1fb65
--- /dev/null
+++ b/datasets/attack_techniques/T1136/osquery_account_creation/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: 06297035-0abf-485a-9c4c-9f416999d845
+date: '2026-02-19'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136/osquery_account_creation/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1136/
diff --git a/datasets/attack_techniques/T1543/osquery_ketxload/osquery.log b/datasets/attack_techniques/T1543/osquery_ketxload/osquery.log new file mode 100644
index 00000000..e1030d58
--- /dev/null
+++ b/datasets/attack_techniques/T1543/osquery_ketxload/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0aed38a63d7e7c1e852e5aab2c8683521329c287640928744f553f6d7fca701f
+size 10055
diff --git a/datasets/attack_techniques/T1543/osquery_ketxload/osquery.yml b/datasets/attack_techniques/T1543/osquery_ketxload/osquery.yml new file mode 100644
index 00000000..562874d0
--- /dev/null
+++ b/datasets/attack_techniques/T1543/osquery_ketxload/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: 324fc256-70c7-4e68-a32e-e2886f6245bb
+date: '2026-02-19'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543/osquery_ketxload/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1543
diff --git a/datasets/attack_techniques/T1555.001/osquery_keychains/osquery.log b/datasets/attack_techniques/T1555.001/osquery_keychains/osquery.log new file mode 100644
index 00000000..d0dcfe1f
--- /dev/null
+++ b/datasets/attack_techniques/T1555.001/osquery_keychains/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e62dfb19c5c2663f7e8df6ff09fa912f2b33daa598b5423bca8e66fbc8a32d24
+size 7169
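Review bot: The `id` in this T1136 yml, `06297035-0abf-485a-9c4c-9f416999d845`, is byte-identical to the `id` added for `datasets/attack_techniques/T1070/osquery_log_removal/osquery.yml` earlier in this patch, so two distinct datasets now share what is presumably meant to be a unique identifier. If the tooling that indexes or replays these datasets keys on `id` (I cannot confirm that from the patch alone), one of the two entries will shadow the other and any detection test that references the shadowed dataset will silently run against the wrong log. Replace the value here with a freshly generated UUID, `id: <new-uuid4>`, and consider a CI check that rejects duplicate `id` values across `datasets/**/*.yml`.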
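Review bot: The MITRE reference in the T1543 yml, `- https://attack.mitre.org/techniques/T1543`, is the only one in this patch without the trailing slash that every other `references:` entry uses; change it to `- https://attack.mitre.org/techniques/T1543/` so the URLs stay uniform for anyone grepping or validating them. The directory name `osquery_ketxload`, which is also baked into the `dataset:` URL, looks like a transposition of "kextload" (inferred from the name only — I cannot see the log contents); it is worth settling now, because renaming the directory later would break the published download URL. If the captured activity really is a kernel-extension load, also confirm that T1543 is the intended mapping, since ATT&CK files kernel modules and extensions under T1547.006 rather than under Create or Modify System Process.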
diff --git a/datasets/attack_techniques/T1555.001/osquery_keychains/osquery.yml b/datasets/attack_techniques/T1555.001/osquery_keychains/osquery.yml new file mode 100644
index 00000000..db03f9b0
--- /dev/null
+++ b/datasets/attack_techniques/T1555.001/osquery_keychains/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: d9cbe409-3012-48d7-8926-b5ee0287ee3f
+date: '2026-02-19'
+description: Generation of Mac OSX techniques involving keychains and osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.001/osquery_keychains/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1555/001/
diff --git a/datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.log b/datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.log new file mode 100644
index 00000000..7c5d4ece
--- /dev/null
+++ b/datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:37027028bc331fa2c020bcb9544d8c5cdb8b9f2af0142844d9bf15a63dae9d5b
+size 19741
diff --git a/datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.yml b/datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.yml new file mode 100644
index 00000000..7dd579ea
--- /dev/null
+++ b/datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait
+id: 649730e9-20c1-4776-b902-2c4fc819b00c
+date: '2026-02-19'
+description: Generation of Mac OSX techniques logged with osquery
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.001/osquery_hidden_files/osquery.log
+sourcetypes:
+- osquery:results
+references:
+- https://attack.mitre.org/techniques/T1564/001/