From ef7bd12d8a6c5c1136c084629f90d47ee28179f5 Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Thu, 5 Nov 2020 13:25:56 -0600
Subject: [PATCH 01/34] initial commit

---
 rfcs/text/0000-create-file-mach-o.md | 155 +++++++++++++++++++
 rfcs/text/mach-o/mach-o.yml          | 219 +++++++++++++++++++++++++++
 2 files changed, 374 insertions(+)
 create mode 100644 rfcs/text/0000-create-file-mach-o.md
 create mode 100644 rfcs/text/mach-o/mach-o.yml

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
new file mode 100644
index 0000000000..856c65334e
--- /dev/null
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -0,0 +1,155 @@
+# 0000: Create the Mach-O sub-field of the File fieldset
+
+- Stage: **0 (strawperson)**
+- Date: **TBD**
+
+Create the Mach Object (Mach-O) sub-field, of the `file` top-level fieldset. This document metadata can be used for malware research, as well as coding and other application development efforts.
+
+## Fields
+
+**Stage 0**
+
+This RFC is to create the Mach-O sub-field within the `file.` fieldset. This will include 35 sub-fields.
+
+|   Name                                     |   Type     |   Description                                                               |
+|--------------------------------------------|------------|-----------------------------------------------------------------------------|
+|   file.mach-o.cpu                          |   object   |   CPU information for the file.                                             |
+|   file.mach-o.cpu.architecture             |   keyword  |   CPU architecture target for the file.                                     |
+|   file.mach-o.cpu.byte_order               |   keyword  |   CPU byte order for the file.                                              |
+|   file.mach-o.cpu.subtype                  |   keyword  |   CPU subtype for the file.                                                 |
+|   file.mach-o.cpu.type                     |   keyword  |   CPU type for the file.                                                    |
+|   file.mach-o.headers                      |   object   |   Header information for the file.                                          |
+|   file.mach-o.headers.commands             |   object   |   Header load commands for the file.                                        |
+|   file.mach-o.headers.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
+|   file.mach-o.headers.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
+|   file.mach-o.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
+|   file.mach-o.headers.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
+|   file.mach-o.headers.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
+|   file.mach-o.segments                     |   object   |   Segment information for the file.                                         |
+|   file.mach-o.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
+|   file.mach-o.segments.name                |   keyword  |   Name of this segment.                                                     |
+|   file.mach-o.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
+|   file.mach-o.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
+|   file.mach-o.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
+|   file.mach-o.segments.sections            |   object   |   Section information for the segment of the file.                          |
+|   file.mach-o.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
+|   file.mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
+|   file.mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
+|   file.mach-o.signature                    |   object   |   Signature information for the file.                                       |
+|   file.mach-o.signature.candidate_cd_hash  |   keyword  |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.           |
+|   file.mach-o.signature.team_identifier    |   keyword  |   Team identifier of the code signing certificate.                          |
+|   file.mach-o.signature.sealed_resources   |   long     |   Version of the resource envelope for the code signing certificate.        |
+|   file.mach-o.signature.cms_digest         |   keyword  |   Cryptographic Message Syntax (CMS) hash of the code signing certificate.  |
+|   file.mach-o.signature.cms_digest_type    |   keyword  |   Cryptographic Message Syntax (CMS) type of the code signing certificate.  |
+|   file.mach-o.signature.status             |   keyword  |   Verification information for the code signing certificate.                |
+|   file.mach-o.signature.fingerprint        |   keyword  |   MD5 digest of the der-encoded certificate information.                    |
+|   file.mach-o.executable                   |   object   |   Information about the executable segment for the file.                    |
+|   file.mach-o.executable.segment_base      |   keyword  |   Executable segment base size.                                             |
+|   file.mach-o.executable.segment_limit     |   keyword  |   Executable segment limit size.                                            |
+|   file.mach-o.executable.segment_flags     |   keyword  |   Executable segment flags.                                                 |
+|   file.mach-o.page_size                    |   long     |   Page size of the file.                                                    |
+
+
+**Stage 1**  
+
+[New `mach-o.yml` candidate](mach-o/mach-o.yml)]
+
+<!--
+Stage 3: Add or update all remaining field definitions. The list should now be exhaustive. The goal here is to validate the technical details of all remaining fields and to provide a basis for releasing these field definitions as beta in the schema. Use GitHub code blocks with yml syntax formatting.
+-->
+
+## Usage
+
+**Stage 1**  
+
+In performing file analysis, specifically for malware research, understanding file similarities can be used to chain together malware samples and families to identify campaigns and possibly attribution. Additionally, understanding how malware components are re-used is useful in understanding malware telemetry, especially in understanding the impact being made through the introduction of defensive countermeasures.
+
+As an example, if XDR vendors deploys a new malware model to defeat a specific type of ransomware and we start observing a change and/or relationship to the headers, import tables, libraries, etc of that malware family, we can make assumptions that the changes to the malware model are making an impact against the malware family.
+
+As another example, tracking file metadata for specific families is useful in predicting new campaigns if we see similar file metadata being used for new samples. [Example](https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/), the Maze ransomware family shutting down and re-purposing as Egregor (this is for Windows malware, but the concept is the same).
+
+## Source data
+
+**Stage 1**
+
+This type of data can be provided by logs from VirusTotal, Reversing Labs, Lockheed Martin's LAIKABOSS, Emerson's File Scanning Framework, Target's Strelka, or other file/malware analysis platforms.
+
+* [VirusTotal API](https://developers.virustotal.com/v3.0/reference)
+* [Emerson FSF](https://github.com/EmersonElectricCo/fsf)
+* [Target Strelka](https://github.com/target/strelka)
+* [Lockheed Martin LAIKABOSS](https://github.com/lmco/laikaboss)
+
+<!--
+Stage 1: Provide a high-level description of example sources of data. This does not yet need to be a concrete example of a source document, but instead can simply describe a potential source (e.g. nginx access log). This will ultimately be fleshed out to include literal source examples in a future stage. The goal here is to identify practical sources for these fields in the real world. ~1-3 sentences or unordered list.
+-->
+
+<!--
+Stage 2: Included a real world example source document. Ideally this example comes from the source(s) identified in stage 1. If not, it should replace them. The goal here is to validate the utility of these field changes in the context of a real world example. Format with the source name as a ### header and the example document in a GitHub code block with json formatting.
+-->
+
+<!--
+Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2.
+-->
+
+## Scope of impact
+
+**Stage 2**
+
+There should be no breaking changes, depreciation strategies, or significant refactoring as this is creating a sub-field for the existing `file.` fieldset.
+
+While likely not a large-scale ECS project, there would be documentation updates needed to explain the new fields.
+
+<!--
+Stage 2: Identifies scope of impact of changes. Are breaking changes required? Should deprecation strategies be adopted? Will significant refactoring be involved? Break the impact down into:
+ * Ingestion mechanisms (e.g. beats/logstash)
+ * Usage mechanisms (e.g. Kibana applications, detections)
+ * ECS project (e.g. docs, tooling)
+The goal here is to research and understand the impact of these changes on users in the community and development teams across Elastic. 2-5 sentences each.
+-->
+
+## Concerns
+
+<!--
+Stage 1: Identify potential concerns, implementation challenges, or complexity. Spend some time on this. Play devil's advocate. Try to identify the sort of non-obvious challenges that tend to surface later. The goal here is to surface risks early, allow everyone the time to work through them, and ultimately document resolution for posterity's sake.
+-->
+
+<!--
+Stage 2: Document new concerns or resolutions to previously listed concerns. It's not critical that all concerns have resolutions at this point, but it would be helpful if resolutions were taking shape for the most significant concerns.
+-->
+
+<!--
+Stage 3: Document resolutions for all existing concerns. Any new concerns should be documented along with their resolution. The goal here is to eliminate the risk of churn and instability by resolving outstanding concerns.
+-->
+
+<!--
+Stage 4: Document any new concerns and their resolution. The goal here is to eliminate risk of churn and instability by ensuring all concerns have been addressed.
+-->
+
+## Real-world implementations
+
+<!--
+Stage 4: Identify at least one real-world, production-ready implementation that uses these updated field definitions. An example of this might be a GA feature in an Elastic application in Kibana.
+-->
+
+## People
+
+The following are the people that consulted on the contents of this RFC.
+
+* @peasead | author
+* @devonakerr | sponsor
+* @dcode, @peasead | subject matter expert
+
+## References
+
+<!-- Insert any links appropriate to this RFC in this section. -->
+
+### RFC Pull Requests
+
+<!-- An RFC should link to the PRs for each of it stage advancements. -->
+
+* Stage 0: https://github.com/elastic/ecs/pull/NNNN
+
+<!--
+* Stage 1: https://github.com/elastic/ecs/pull/NNN
+...
+-->
diff --git a/rfcs/text/mach-o/mach-o.yml b/rfcs/text/mach-o/mach-o.yml
new file mode 100644
index 0000000000..2dbae8c96c
--- /dev/null
+++ b/rfcs/text/mach-o/mach-o.yml
@@ -0,0 +1,219 @@
+---
+- name: file.mach-o
+  title: Mach-O file information.
+  group: 2
+  description: >
+    These fields contain macOS Mach Object (Mach-O) metadata.
+  type: group
+  reusable:
+    top_level: false
+    expected:
+      - file
+      - process
+  fields:
+    - name: cpu
+      level: extended
+      description: CPU information for the file.
+      type: object
+      fields:
+        - name: architecture
+          description: CPU architecture target for the file.
+          type: keyword
+          level: extended
+          example: 64-bit
+
+        - name: byte_order
+          description: CPU byte order for the file.
+          type: keyword
+          level: extended
+          example: Little endian
+
+        - name: subtype
+          description: CPU subtype for the file.
+          type: keyword
+          level: extended
+          example: ARM (all) 64-bit
+
+        - name: type
+          description: CPU type for the file.
+          type: keyword
+          level: extended
+          example: ARM 64-bit
+
+    - name: headers
+      level: extended
+      description: Header information for the file.
+      type: object
+      fields:
+        - name: commands
+          level: extended
+          description: Header load commands information for the file.
+          type: object
+          fields:
+            - name: number
+              description: Number of load commands for the Mach-O header.
+              type: long
+              level: extended
+              example: 23
+
+            - name: size
+              description: Size of load commands of the Mach-O header.
+              type: long
+              level: extended
+              format: bytes
+              example: 3888
+
+            - name: type
+              description: Type of the load commands for the Mach-O header.
+              type: keyword
+              level: extended
+              example: LC_SYMTAB, 0x2c
+
+        - name: magic
+          description: Magic field of the Mach-O header.
+          type: keyword
+          level: extended
+          example: 0xfeedfacf
+
+        - name: flags
+          description: Flags set in the Mach-O header.
+          type: keyword
+          level: extended
+          example: TWOLEVEL, 0x4000000
+
+    - name: segments
+      level: extended
+        description: Segment information for the file.
+      type: object
+      fields:
+        - name: vmaddr
+          description: Memory address of this segment.
+          type: keyword
+          level: extended
+          example: 0x0
+
+        - name: name
+          description: Name of this segment.
+          type: keyword
+          level: extended
+          example: __TEXT, __DATA
+
+        - name: vmsize
+          description: Memory size of this segment.
+          type: keyword
+          level: extended
+          example: 0x4c000
+
+        - name: fileoff
+          description: File offset of this segment.
+          type: keyword
+          level: extended
+          example: 0x0
+
+        - name: filesize
+          description: Amount of memory to map from the file.
+          type: keyword
+          level: extended
+          example: 0x4c000
+
+        - name: sections
+          level: extended
+          description: Section information for the segment of the file.
+          type: object
+          fields:
+            - name: flags
+              description: Section flags for the segment of the file.
+              type: keyword
+              level: extended
+              example: SECTION_ATTRIBUTES_USR, S_8BYTE_LITERALS
+
+            - name: name
+              description: Section name for the segment of the file.
+              type: keyword
+              level: extended
+              example: __objc_classname, __stub_helper
+
+            - name: type
+              description: Section type for the segment of the file.
+              type: keyword
+              level: extended
+              example: S_REGULAR, S_CSTRING_LITERALS
+
+    - name: signature
+      level: extended
+      description: Signature information for the file.
+      type: object
+      fields:
+        - name: candidate_cd_hash
+          description: Code Digest (CD) SHA256 hash of the first 20-bytes of the file.
+          type: keyword
+          level: extended
+          example: 2035094a7065b29421e7a51f51db9bd61807c3628f210b1f8e667235777dc592
+
+        - name: team_identifier
+          description: Team identifier of the code signing certificate.
+          type: keyword
+          level: extended
+          example: 11A1A1AAAA
+
+        - name: sealed_resources
+          description: Version of the resource envelope for the code signing certificate.
+          type: long
+          level: extended
+          example: 2
+
+        - name: cms_digest
+          description: Cryptographic Message Syntax (CMS) hash of the code signing certificate.
+          type: keyword
+          level: extended
+          example: 3ae1b10f231bee84ca17ab4295c0faaf6cbd535f3cc8010474ec6a67909e1980
+
+        - name: cms_digest_type
+          description: Cryptographic Message Syntax (CMS) type of the code signing certificate.
+          type: keyword
+          level: extended
+          example: 2
+
+        - name: status
+          description: Verification information for the code signing certificate.
+          type: keyword
+          level: extended
+          example: Valid
+
+        - name: fingerprint
+          description: MD5 digest of the der-encoded certificate information.
+          type: keyword
+          level: extended
+          example: 611E5B662C593A08FF58D14AE22452D198DF6C60
+
+    - name: executable
+      level: extended
+      description: Information about the executable segment for the file.
+      type: object
+      fields:
+        - name: segment_base
+          description: Executable segment base size.
+          type: long
+          format: bytes
+          level: extended
+          example: 0
+
+        - name: segment_limit
+          description: Executable segment limit size.
+          type: long
+          format: bytes
+          level: extended
+          example: 123456
+
+        - name: segment_flags
+          description: Executable segment flags.
+          type: keyword
+          level: extended
+          example: 0x0
+
+    - name: page_size
+      description: Page size of the file.
+      type: long
+      format: bytes
+      level: extended
+      example: 4096

From 01075427362f83723b013873704ea5d54c15693d Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Thu, 5 Nov 2020 13:35:02 -0600
Subject: [PATCH 02/34] added PR#

---
 rfcs/text/0000-create-file-mach-o.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index 856c65334e..bfda62f023 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -147,7 +147,7 @@ The following are the people that consulted on the contents of this RFC.
 
 <!-- An RFC should link to the PRs for each of it stage advancements. -->
 
-* Stage 0: https://github.com/elastic/ecs/pull/NNNN
+* Stage 0: https://github.com/elastic/ecs/pull/1097
 
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN

From de73a01a3790d036db25d37600aa29fab1ab6453 Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Tue, 10 Nov 2020 13:40:41 -0600
Subject: [PATCH 03/34] removed field present in code_signature

---
 rfcs/text/0000-create-file-mach-o.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index bfda62f023..528042fc24 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -41,7 +41,6 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.signature.sealed_resources   |   long     |   Version of the resource envelope for the code signing certificate.        |
 |   file.mach-o.signature.cms_digest         |   keyword  |   Cryptographic Message Syntax (CMS) hash of the code signing certificate.  |
 |   file.mach-o.signature.cms_digest_type    |   keyword  |   Cryptographic Message Syntax (CMS) type of the code signing certificate.  |
-|   file.mach-o.signature.status             |   keyword  |   Verification information for the code signing certificate.                |
 |   file.mach-o.signature.fingerprint        |   keyword  |   MD5 digest of the der-encoded certificate information.                    |
 |   file.mach-o.executable                   |   object   |   Information about the executable segment for the file.                    |
 |   file.mach-o.executable.segment_base      |   keyword  |   Executable segment base size.                                             |

From 714c8596869a8814ef7e4e39d056e58b2a55a8e0 Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Tue, 10 Nov 2020 13:42:01 -0600
Subject: [PATCH 04/34] removed field present in code_signature

---
 rfcs/text/mach-o/mach-o.yml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/rfcs/text/mach-o/mach-o.yml b/rfcs/text/mach-o/mach-o.yml
index 2dbae8c96c..0905afed1c 100644
--- a/rfcs/text/mach-o/mach-o.yml
+++ b/rfcs/text/mach-o/mach-o.yml
@@ -174,12 +174,6 @@
           level: extended
           example: 2
 
-        - name: status
-          description: Verification information for the code signing certificate.
-          type: keyword
-          level: extended
-          example: Valid
-
         - name: fingerprint
           description: MD5 digest of the der-encoded certificate information.
           type: keyword

From 07c011d070c8025c2001baded5da3dbc43e46224 Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Fri, 20 Nov 2020 11:08:27 -0600
Subject: [PATCH 05/34] updated work in signature

---
 rfcs/text/0000-create-file-mach-o.md |  7 ++-----
 rfcs/text/mach-o/mach-o.yml          | 26 ++++----------------------
 2 files changed, 6 insertions(+), 27 deletions(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index 528042fc24..e281db6b06 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -36,12 +36,9 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
 |   file.mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
 |   file.mach-o.signature                    |   object   |   Signature information for the file.                                       |
-|   file.mach-o.signature.candidate_cd_hash  |   keyword  |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.           |
-|   file.mach-o.signature.team_identifier    |   keyword  |   Team identifier of the code signing certificate.                          |
+|   file.mach-o.cdhash  |   keyword  |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.           |
+|   file.mach-o.signature.team_id    |   keyword  |   Team identifier of the code signing certificate.                          |
 |   file.mach-o.signature.sealed_resources   |   long     |   Version of the resource envelope for the code signing certificate.        |
-|   file.mach-o.signature.cms_digest         |   keyword  |   Cryptographic Message Syntax (CMS) hash of the code signing certificate.  |
-|   file.mach-o.signature.cms_digest_type    |   keyword  |   Cryptographic Message Syntax (CMS) type of the code signing certificate.  |
-|   file.mach-o.signature.fingerprint        |   keyword  |   MD5 digest of the der-encoded certificate information.                    |
 |   file.mach-o.executable                   |   object   |   Information about the executable segment for the file.                    |
 |   file.mach-o.executable.segment_base      |   keyword  |   Executable segment base size.                                             |
 |   file.mach-o.executable.segment_limit     |   keyword  |   Executable segment limit size.                                            |
diff --git a/rfcs/text/mach-o/mach-o.yml b/rfcs/text/mach-o/mach-o.yml
index 0905afed1c..6e7ff21e81 100644
--- a/rfcs/text/mach-o/mach-o.yml
+++ b/rfcs/text/mach-o/mach-o.yml
@@ -144,13 +144,7 @@
       description: Signature information for the file.
       type: object
       fields:
-        - name: candidate_cd_hash
-          description: Code Digest (CD) SHA256 hash of the first 20-bytes of the file.
-          type: keyword
-          level: extended
-          example: 2035094a7065b29421e7a51f51db9bd61807c3628f210b1f8e667235777dc592
-
-        - name: team_identifier
+        - name: team_id
           description: Team identifier of the code signing certificate.
           type: keyword
           level: extended
@@ -162,23 +156,11 @@
           level: extended
           example: 2
 
-        - name: cms_digest
-          description: Cryptographic Message Syntax (CMS) hash of the code signing certificate.
-          type: keyword
-          level: extended
-          example: 3ae1b10f231bee84ca17ab4295c0faaf6cbd535f3cc8010474ec6a67909e1980
-
-        - name: cms_digest_type
-          description: Cryptographic Message Syntax (CMS) type of the code signing certificate.
-          type: keyword
-          level: extended
-          example: 2
-
-        - name: fingerprint
-          description: MD5 digest of the der-encoded certificate information.
+    - name: cdhash
+          description: Code Digest (CD) SHA256 hash of the first 20-bytes of the file.
           type: keyword
           level: extended
-          example: 611E5B662C593A08FF58D14AE22452D198DF6C60
+          example: 2035094a7065b29421e7a51f51db9bd61807c3628f210b1f8e667235777dc592
 
     - name: executable
       level: extended

From aeadc6b6e008bdbb92ffac4344fadf0cd67f4e15 Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Fri, 20 Nov 2020 11:22:36 -0600
Subject: [PATCH 06/34] move executable fields to segments.

---
 rfcs/text/0000-create-file-mach-o.md |  7 ++---
 rfcs/text/mach-o/mach-o.yml          | 47 +++++++++++++---------------
 2 files changed, 24 insertions(+), 30 deletions(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index e281db6b06..4b4f7cb07e 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -35,14 +35,13 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
 |   file.mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
 |   file.mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
+|   file.mach-o.segments.offset      |   keyword  |   Offset of the segment.                                             |
+|   file.mach-o.segment size     |   keyword  |   Segment limit size.                                            |
+|   file.mach-o.segment.flags     |   keyword  |   Segment flags.                                                 |
 |   file.mach-o.signature                    |   object   |   Signature information for the file.                                       |
 |   file.mach-o.cdhash  |   keyword  |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.           |
 |   file.mach-o.signature.team_id    |   keyword  |   Team identifier of the code signing certificate.                          |
 |   file.mach-o.signature.sealed_resources   |   long     |   Version of the resource envelope for the code signing certificate.        |
-|   file.mach-o.executable                   |   object   |   Information about the executable segment for the file.                    |
-|   file.mach-o.executable.segment_base      |   keyword  |   Executable segment base size.                                             |
-|   file.mach-o.executable.segment_limit     |   keyword  |   Executable segment limit size.                                            |
-|   file.mach-o.executable.segment_flags     |   keyword  |   Executable segment flags.                                                 |
 |   file.mach-o.page_size                    |   long     |   Page size of the file.                                                    |
 
 
diff --git a/rfcs/text/mach-o/mach-o.yml b/rfcs/text/mach-o/mach-o.yml
index 6e7ff21e81..b6b5832a8f 100644
--- a/rfcs/text/mach-o/mach-o.yml
+++ b/rfcs/text/mach-o/mach-o.yml
@@ -96,7 +96,7 @@
           description: Name of this segment.
           type: keyword
           level: extended
-          example: __TEXT, __DATA
+          example: __TEXT, __DATA, __IMPORT
 
         - name: vmsize
           description: Memory size of this segment.
@@ -139,6 +139,26 @@
               level: extended
               example: S_REGULAR, S_CSTRING_LITERALS
 
+        - name: offset
+          description: Offset of the segment.
+          type: long
+          format: bytes
+          level: extended
+          example: 0
+
+        - name: size
+          description: Segment limit size.
+          type: long
+          format: bytes
+          level: extended
+          example: 123456
+
+        - name: flags
+          description: Segment flags.
+          type: keyword
+          level: extended
+          example: 0x0
+
     - name: signature
       level: extended
       description: Signature information for the file.
@@ -162,31 +182,6 @@
           level: extended
           example: 2035094a7065b29421e7a51f51db9bd61807c3628f210b1f8e667235777dc592
 
-    - name: executable
-      level: extended
-      description: Information about the executable segment for the file.
-      type: object
-      fields:
-        - name: segment_base
-          description: Executable segment base size.
-          type: long
-          format: bytes
-          level: extended
-          example: 0
-
-        - name: segment_limit
-          description: Executable segment limit size.
-          type: long
-          format: bytes
-          level: extended
-          example: 123456
-
-        - name: segment_flags
-          description: Executable segment flags.
-          type: keyword
-          level: extended
-          example: 0x0
-
     - name: page_size
       description: Page size of the file.
       type: long

From 29ecf43ecb74f7e407c4db697aa61a772398125c Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Wed, 23 Dec 2020 14:07:57 -0600
Subject: [PATCH 07/34] removed signature fields

---
 rfcs/text/0000-create-file-mach-o.md |  4 ----
 rfcs/text/mach-o/mach-o.yml          | 17 -----------------
 2 files changed, 21 deletions(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index 4b4f7cb07e..a70dbf0e69 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -38,10 +38,6 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments.offset      |   keyword  |   Offset of the segment.                                             |
 |   file.mach-o.segment size     |   keyword  |   Segment limit size.                                            |
 |   file.mach-o.segment.flags     |   keyword  |   Segment flags.                                                 |
-|   file.mach-o.signature                    |   object   |   Signature information for the file.                                       |
-|   file.mach-o.cdhash  |   keyword  |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.           |
-|   file.mach-o.signature.team_id    |   keyword  |   Team identifier of the code signing certificate.                          |
-|   file.mach-o.signature.sealed_resources   |   long     |   Version of the resource envelope for the code signing certificate.        |
 |   file.mach-o.page_size                    |   long     |   Page size of the file.                                                    |
 
 
diff --git a/rfcs/text/mach-o/mach-o.yml b/rfcs/text/mach-o/mach-o.yml
index b6b5832a8f..bbad7ae5c1 100644
--- a/rfcs/text/mach-o/mach-o.yml
+++ b/rfcs/text/mach-o/mach-o.yml
@@ -159,23 +159,6 @@
           level: extended
           example: 0x0
 
-    - name: signature
-      level: extended
-      description: Signature information for the file.
-      type: object
-      fields:
-        - name: team_id
-          description: Team identifier of the code signing certificate.
-          type: keyword
-          level: extended
-          example: 11A1A1AAAA
-
-        - name: sealed_resources
-          description: Version of the resource envelope for the code signing certificate.
-          type: long
-          level: extended
-          example: 2
-
     - name: cdhash
           description: Code Digest (CD) SHA256 hash of the first 20-bytes of the file.
           type: keyword

From 6d774392afd4e5e0684e103a2c4974e1d2bd0737 Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Wed, 23 Dec 2020 14:08:38 -0600
Subject: [PATCH 08/34] removed file. from field names

---
 rfcs/text/0000-create-file-mach-o.md | 52 ++++++++++++++--------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index a70dbf0e69..bb37aa2e0e 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -13,32 +13,32 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 
 |   Name                                     |   Type     |   Description                                                               |
 |--------------------------------------------|------------|-----------------------------------------------------------------------------|
-|   file.mach-o.cpu                          |   object   |   CPU information for the file.                                             |
-|   file.mach-o.cpu.architecture             |   keyword  |   CPU architecture target for the file.                                     |
-|   file.mach-o.cpu.byte_order               |   keyword  |   CPU byte order for the file.                                              |
-|   file.mach-o.cpu.subtype                  |   keyword  |   CPU subtype for the file.                                                 |
-|   file.mach-o.cpu.type                     |   keyword  |   CPU type for the file.                                                    |
-|   file.mach-o.headers                      |   object   |   Header information for the file.                                          |
-|   file.mach-o.headers.commands             |   object   |   Header load commands for the file.                                        |
-|   file.mach-o.headers.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
-|   file.mach-o.headers.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
-|   file.mach-o.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
-|   file.mach-o.headers.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
-|   file.mach-o.headers.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
-|   file.mach-o.segments                     |   object   |   Segment information for the file.                                         |
-|   file.mach-o.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
-|   file.mach-o.segments.name                |   keyword  |   Name of this segment.                                                     |
-|   file.mach-o.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
-|   file.mach-o.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
-|   file.mach-o.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
-|   file.mach-o.segments.sections            |   object   |   Section information for the segment of the file.                          |
-|   file.mach-o.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
-|   file.mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
-|   file.mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
-|   file.mach-o.segments.offset      |   keyword  |   Offset of the segment.                                             |
-|   file.mach-o.segment size     |   keyword  |   Segment limit size.                                            |
-|   file.mach-o.segment.flags     |   keyword  |   Segment flags.                                                 |
-|   file.mach-o.page_size                    |   long     |   Page size of the file.                                                    |
+|   mach-o.cpu                          |   object   |   CPU information for the file.                                             |
+|   mach-o.cpu.architecture             |   keyword  |   CPU architecture target for the file.                                     |
+|   mach-o.cpu.byte_order               |   keyword  |   CPU byte order for the file.                                              |
+|   mach-o.cpu.subtype                  |   keyword  |   CPU subtype for the file.                                                 |
+|   mach-o.cpu.type                     |   keyword  |   CPU type for the file.                                                    |
+|   mach-o.headers                      |   object   |   Header information for the file.                                          |
+|   mach-o.headers.commands             |   object   |   Header load commands for the file.                                        |
+|   mach-o.headers.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
+|   mach-o.headers.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
+|   mach-o.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
+|   mach-o.headers.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
+|   mach-o.headers.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
+|   mach-o.segments                     |   object   |   Segment information for the file.                                         |
+|   mach-o.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
+|   mach-o.segments.name                |   keyword  |   Name of this segment.                                                     |
+|   mach-o.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
+|   mach-o.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
+|   mach-o.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
+|   mach-o.segments.sections            |   object   |   Section information for the segment of the file.                          |
+|   mach-o.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
+|   mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
+|   mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
+|   mach-o.segments.offset      |   keyword  |   Offset of the segment.                                             |
+|   mach-o.segment size     |   keyword  |   Segment limit size.                                            |
+|   mach-o.segment.flags     |   keyword  |   Segment flags.                                                 |
+|   mach-o.page_size                    |   long     |   Page size of the file.                                                    |
 
 
 **Stage 1**  

From 16ad2bc985029e26ee1093111ca892d86927b542 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 23 Dec 2020 14:08:57 -0600
Subject: [PATCH 09/34] Update rfcs/text/0000-create-file-mach-o.md

Co-authored-by: Andrew Stucki <andrew.stucki@gmail.com>
---
 rfcs/text/0000-create-file-mach-o.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index 4b4f7cb07e..94ac72a6fe 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -36,7 +36,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
 |   file.mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
 |   file.mach-o.segments.offset      |   keyword  |   Offset of the segment.                                             |
-|   file.mach-o.segment size     |   keyword  |   Segment limit size.                                            |
+|   file.mach-o.segments.size     |   long  |   Segment limit size.                                            |
 |   file.mach-o.segment.flags     |   keyword  |   Segment flags.                                                 |
 |   file.mach-o.signature                    |   object   |   Signature information for the file.                                       |
 |   file.mach-o.cdhash  |   keyword  |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.           |

From 69690548773f1120a6e699f11aae3f8245d99cd6 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 23 Dec 2020 14:09:07 -0600
Subject: [PATCH 10/34] Update rfcs/text/0000-create-file-mach-o.md

Co-authored-by: Andrew Stucki <andrew.stucki@gmail.com>
---
 rfcs/text/0000-create-file-mach-o.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index 94ac72a6fe..74ba51d360 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -37,7 +37,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
 |   file.mach-o.segments.offset      |   keyword  |   Offset of the segment.                                             |
 |   file.mach-o.segments.size     |   long  |   Segment limit size.                                            |
-|   file.mach-o.segment.flags     |   keyword  |   Segment flags.                                                 |
+|   file.mach-o.segments.flags     |   keyword  |   Segment flags.                                                 |
 |   file.mach-o.signature                    |   object   |   Signature information for the file.                                       |
 |   file.mach-o.cdhash  |   keyword  |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.           |
 |   file.mach-o.signature.team_id    |   keyword  |   Team identifier of the code signing certificate.                          |

From 692cc5a763a79fa765247c2d656dfaa56af4cc39 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 23 Dec 2020 14:09:25 -0600
Subject: [PATCH 11/34] Update rfcs/text/0000-create-file-mach-o.md

Co-authored-by: Andrew Stucki <andrew.stucki@gmail.com>
---
 rfcs/text/0000-create-file-mach-o.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index 74ba51d360..eea6992d27 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -35,7 +35,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
 |   file.mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
 |   file.mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
-|   file.mach-o.segments.offset      |   keyword  |   Offset of the segment.                                             |
+|   file.mach-o.segments.offset      |   long  |   Offset of the segment.                                             |
 |   file.mach-o.segments.size     |   long  |   Segment limit size.                                            |
 |   file.mach-o.segments.flags     |   keyword  |   Segment flags.                                                 |
 |   file.mach-o.signature                    |   object   |   Signature information for the file.                                       |

From f64a08d762241c6282c85b26d445cda4bd870798 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 23 Dec 2020 14:09:33 -0600
Subject: [PATCH 12/34] Update rfcs/text/0000-create-file-mach-o.md

Co-authored-by: Andrew Stucki <andrew.stucki@gmail.com>
---
 rfcs/text/0000-create-file-mach-o.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index eea6992d27..020292a307 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -28,7 +28,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments                     |   object   |   Segment information for the file.                                         |
 |   file.mach-o.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
 |   file.mach-o.segments.name                |   keyword  |   Name of this segment.                                                     |
-|   file.mach-o.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
+|   file.mach-o.segments.vmsize              |   long  |   Memory size of this segment.                                              |
 |   file.mach-o.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
 |   file.mach-o.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
 |   file.mach-o.segments.sections            |   object   |   Section information for the segment of the file.                          |

From 805f6c571252a444b219b5c29a2f1508c3fa816e Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 23 Dec 2020 14:09:40 -0600
Subject: [PATCH 13/34] Update rfcs/text/0000-create-file-mach-o.md

Co-authored-by: Andrew Stucki <andrew.stucki@gmail.com>
---
 rfcs/text/0000-create-file-mach-o.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index 020292a307..f515294d37 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -30,7 +30,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments.name                |   keyword  |   Name of this segment.                                                     |
 |   file.mach-o.segments.vmsize              |   long  |   Memory size of this segment.                                              |
 |   file.mach-o.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
-|   file.mach-o.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
+|   file.mach-o.segments.filesize            |   long  |   Amount of memory to map from the file.                                    |
 |   file.mach-o.segments.sections            |   object   |   Section information for the segment of the file.                          |
 |   file.mach-o.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
 |   file.mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |

From cd6a5e09ce5e4be5a33079f499dc85320f98059b Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 23 Dec 2020 14:09:46 -0600
Subject: [PATCH 14/34] Update rfcs/text/0000-create-file-mach-o.md

Co-authored-by: Andrew Stucki <andrew.stucki@gmail.com>
---
 rfcs/text/0000-create-file-mach-o.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index f515294d37..4cd71fcaaf 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -29,7 +29,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   file.mach-o.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
 |   file.mach-o.segments.name                |   keyword  |   Name of this segment.                                                     |
 |   file.mach-o.segments.vmsize              |   long  |   Memory size of this segment.                                              |
-|   file.mach-o.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
+|   file.mach-o.segments.fileoff             |   long  |   File offset of this segment.                                              |
 |   file.mach-o.segments.filesize            |   long  |   Amount of memory to map from the file.                                    |
 |   file.mach-o.segments.sections            |   object   |   Section information for the segment of the file.                          |
 |   file.mach-o.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |

From cdd9766e629e5194ced7cb731459b3f2fce925eb Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 23 Dec 2020 14:10:00 -0600
Subject: [PATCH 15/34] Update rfcs/text/0000-create-file-mach-o.md

Co-authored-by: Eric Beahan <ebeahan@gmail.com>
---
 rfcs/text/0000-create-file-mach-o.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-mach-o.md
index 4cd71fcaaf..4cdf7d9323 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-mach-o.md
@@ -1,6 +1,6 @@
 # 0000: Create the Mach-O sub-field of the File fieldset
 
-- Stage: **0 (strawperson)**
+- Stage: **1 (proposal)**
 - Date: **TBD**
 
 Create the Mach Object (Mach-O) sub-field, of the `file` top-level fieldset. This document metadata can be used for malware research, as well as coding and other application development efforts.

From b8c02ce63190fb7ae1b42b5d06ccc3e4ccdb40aa Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Wed, 23 Dec 2020 14:13:58 -0600
Subject: [PATCH 16/34] renamed mach-o to macho

---
 ...le-mach-o.md => 0000-create-file-macho.md} | 54 +++++++++----------
 .../{mach-o/mach-o.yml => macho/macho.yml}    |  2 +-
 2 files changed, 28 insertions(+), 28 deletions(-)
 rename rfcs/text/{0000-create-file-mach-o.md => 0000-create-file-macho.md} (65%)
 rename rfcs/text/{mach-o/mach-o.yml => macho/macho.yml} (99%)

diff --git a/rfcs/text/0000-create-file-mach-o.md b/rfcs/text/0000-create-file-macho.md
similarity index 65%
rename from rfcs/text/0000-create-file-mach-o.md
rename to rfcs/text/0000-create-file-macho.md
index bb37aa2e0e..1420f4abfa 100644
--- a/rfcs/text/0000-create-file-mach-o.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -13,37 +13,37 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 
 |   Name                                     |   Type     |   Description                                                               |
 |--------------------------------------------|------------|-----------------------------------------------------------------------------|
-|   mach-o.cpu                          |   object   |   CPU information for the file.                                             |
-|   mach-o.cpu.architecture             |   keyword  |   CPU architecture target for the file.                                     |
-|   mach-o.cpu.byte_order               |   keyword  |   CPU byte order for the file.                                              |
-|   mach-o.cpu.subtype                  |   keyword  |   CPU subtype for the file.                                                 |
-|   mach-o.cpu.type                     |   keyword  |   CPU type for the file.                                                    |
-|   mach-o.headers                      |   object   |   Header information for the file.                                          |
-|   mach-o.headers.commands             |   object   |   Header load commands for the file.                                        |
-|   mach-o.headers.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
-|   mach-o.headers.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
-|   mach-o.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
-|   mach-o.headers.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
-|   mach-o.headers.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
-|   mach-o.segments                     |   object   |   Segment information for the file.                                         |
-|   mach-o.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
-|   mach-o.segments.name                |   keyword  |   Name of this segment.                                                     |
-|   mach-o.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
-|   mach-o.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
-|   mach-o.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
-|   mach-o.segments.sections            |   object   |   Section information for the segment of the file.                          |
-|   mach-o.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
-|   mach-o.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
-|   mach-o.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
-|   mach-o.segments.offset      |   keyword  |   Offset of the segment.                                             |
-|   mach-o.segment size     |   keyword  |   Segment limit size.                                            |
-|   mach-o.segment.flags     |   keyword  |   Segment flags.                                                 |
-|   mach-o.page_size                    |   long     |   Page size of the file.                                                    |
+|   macho.cpu                          |   object   |   CPU information for the file.                                             |
+|   macho.cpu.architecture             |   keyword  |   CPU architecture target for the file.                                     |
+|   macho.cpu.byte_order               |   keyword  |   CPU byte order for the file.                                              |
+|   macho.cpu.subtype                  |   keyword  |   CPU subtype for the file.                                                 |
+|   macho.cpu.type                     |   keyword  |   CPU type for the file.                                                    |
+|   macho.headers                      |   object   |   Header information for the file.                                          |
+|   macho.headers.commands             |   object   |   Header load commands for the file.                                        |
+|   macho.headers.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
+|   macho.headers.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
+|   macho.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
+|   macho.headers.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
+|   macho.headers.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
+|   macho.segments                     |   object   |   Segment information for the file.                                         |
+|   macho.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
+|   macho.segments.name                |   keyword  |   Name of this segment.                                                     |
+|   macho.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
+|   macho.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
+|   macho.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
+|   macho.segments.sections            |   object   |   Section information for the segment of the file.                          |
+|   macho.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
+|   macho.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
+|   macho.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
+|   macho.segments.offset      |   keyword  |   Offset of the segment.                                             |
+|   macho.segment size     |   keyword  |   Segment limit size.                                            |
+|   macho.segment.flags     |   keyword  |   Segment flags.                                                 |
+|   macho.page_size                    |   long     |   Page size of the file.                                                    |
 
 
 **Stage 1**  
 
-[New `mach-o.yml` candidate](mach-o/mach-o.yml)]
+[New `macho.yml` candidate](macho/macho.yml)]
 
 <!--
 Stage 3: Add or update all remaining field definitions. The list should now be exhaustive. The goal here is to validate the technical details of all remaining fields and to provide a basis for releasing these field definitions as beta in the schema. Use GitHub code blocks with yml syntax formatting.
diff --git a/rfcs/text/mach-o/mach-o.yml b/rfcs/text/macho/macho.yml
similarity index 99%
rename from rfcs/text/mach-o/mach-o.yml
rename to rfcs/text/macho/macho.yml
index bbad7ae5c1..79640e2b48 100644
--- a/rfcs/text/mach-o/mach-o.yml
+++ b/rfcs/text/macho/macho.yml
@@ -1,5 +1,5 @@
 ---
-- name: file.mach-o
+- name: macho
   title: Mach-O file information.
   group: 2
   description: >

From 72ee845104ab24e9c75c07869c913243c6fe3aad Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Wed, 23 Dec 2020 14:28:25 -0600
Subject: [PATCH 17/34] removed plurality from "header"

---
 rfcs/text/0000-create-file-macho.md | 14 +++++++-------
 rfcs/text/macho/macho.yml           |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 3d6a02d6dc..7c49eaf7fc 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -18,13 +18,13 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.cpu.byte_order               |   keyword  |   CPU byte order for the file.                                              |
 |   macho.cpu.subtype                  |   keyword  |   CPU subtype for the file.                                                 |
 |   macho.cpu.type                     |   keyword  |   CPU type for the file.                                                    |
-|   macho.headers                      |   object   |   Header information for the file.                                          |
-|   macho.headers.commands             |   object   |   Header load commands for the file.                                        |
-|   macho.headers.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
-|   macho.headers.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
-|   macho.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
-|   macho.headers.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
-|   macho.headers.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
+|   macho.header                      |   object   |   Header information for the file.                                          |
+|   macho.header.commands             |   object   |   Header load commands for the file.                                        |
+|   macho.header.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
+|   macho.header.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
+|   macho.header.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
+|   macho.header.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
+|   macho.header.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
 |   macho.segments                     |   object   |   Segment information for the file.                                         |
 |   macho.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
 |   macho.segments.name                |   keyword  |   Name of this segment.                                                     |
diff --git a/rfcs/text/macho/macho.yml b/rfcs/text/macho/macho.yml
index 79640e2b48..0006fa1b09 100644
--- a/rfcs/text/macho/macho.yml
+++ b/rfcs/text/macho/macho.yml
@@ -40,7 +40,7 @@
           level: extended
           example: ARM 64-bit
 
-    - name: headers
+    - name: header
       level: extended
       description: Header information for the file.
       type: object

From c6f20b2535031a7324500d742ddbfa2fbad79c85 Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Wed, 23 Dec 2020 15:06:55 -0600
Subject: [PATCH 18/34] created usage doc

---
 rfcs/text/macho/docs/usage/macho.asciidoc | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 rfcs/text/macho/docs/usage/macho.asciidoc

diff --git a/rfcs/text/macho/docs/usage/macho.asciidoc b/rfcs/text/macho/docs/usage/macho.asciidoc
new file mode 100644
index 0000000000..f429a46c58
--- /dev/null
+++ b/rfcs/text/macho/docs/usage/macho.asciidoc
@@ -0,0 +1,19 @@
+[[ecs-macho-ussage]]
+=== Mach-O Usage
+
+--Description--
+
+[discrete]
+=== Mach-O Field Details
+| Field | Description | Level |
+| ---- | ---- | ----------- |
+| macho.cpu | CPU information for the file. | extended |
+| ... | ... | ... |
+| ... | ... | ... |
+| ... | ... | ... |
+
+[discrete]
+=== Field Reuse
+The `macho` fields are expected to be nested at: `dll.macho`, `file.macho`, `process.macho`.
+
+Note also that the `macho` fields are not expected to be used directly at the root of the events.

From bbd1afd679d41e6be5c94836c526bdd6341e02b6 Mon Sep 17 00:00:00 2001
From: Andrew Pease <peasead@gmail.com>
Date: Wed, 13 Jan 2021 14:48:37 -0600
Subject: [PATCH 19/34] removed header plurality, sections to flattened

---
 rfcs/text/0000-create-file-macho.md | 2 +-
 rfcs/text/macho/macho.yml           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 7c49eaf7fc..fa29c2c0b7 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -25,7 +25,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.header.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
 |   macho.header.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
 |   macho.header.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
-|   macho.segments                     |   object   |   Segment information for the file.                                         |
+|   macho.segments                     |   flattened   |   Segment information for the file.                                         |
 |   macho.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
 |   macho.segments.name                |   keyword  |   Name of this segment.                                                     |
 |   macho.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
diff --git a/rfcs/text/macho/macho.yml b/rfcs/text/macho/macho.yml
index 0006fa1b09..1bda474cf0 100644
--- a/rfcs/text/macho/macho.yml
+++ b/rfcs/text/macho/macho.yml
@@ -119,7 +119,7 @@
         - name: sections
           level: extended
           description: Section information for the segment of the file.
-          type: object
+          type: flattened
           fields:
             - name: flags
               description: Section flags for the segment of the file.

From e0e5a1a9d0d35dd22114eacfff2a9296893728bc Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Mon, 1 Feb 2021 15:01:46 -0600
Subject: [PATCH 20/34] changed macho.segments to nested

---
 rfcs/text/0000-create-file-macho.md | 2 +-
 rfcs/text/macho/macho.yml           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index fa29c2c0b7..5804a7889e 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -25,7 +25,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.header.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
 |   macho.header.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
 |   macho.header.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
-|   macho.segments                     |   flattened   |   Segment information for the file.                                         |
+|   macho.segments                     |   nested   |   Segment information for the file.                                         |
 |   macho.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
 |   macho.segments.name                |   keyword  |   Name of this segment.                                                     |
 |   macho.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
diff --git a/rfcs/text/macho/macho.yml b/rfcs/text/macho/macho.yml
index 1bda474cf0..d30fc41df7 100644
--- a/rfcs/text/macho/macho.yml
+++ b/rfcs/text/macho/macho.yml
@@ -84,7 +84,7 @@
     - name: segments
       level: extended
         description: Segment information for the file.
-      type: object
+      type: nested
       fields:
         - name: vmaddr
           description: Memory address of this segment.

From 689fa39e71ca90ccda3ed1e59aefa2b66828a514 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Mon, 1 Feb 2021 15:22:43 -0600
Subject: [PATCH 21/34] typo in segments.size

---
 rfcs/text/0000-create-file-macho.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 5804a7889e..f77321959b 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -36,7 +36,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
 |   macho.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
 |   macho.segments.offset      |   keyword  |   Offset of the segment.                                             |
-|   macho.segment size     |   keyword  |   Segment limit size.                                            |
+|   macho.segments.size     |   keyword  |   Segment limit size.                                            |
 |   macho.segment.flags     |   keyword  |   Segment flags.                                                 |
 |   macho.page_size                    |   long     |   Page size of the file.                                                    |
 

From ccf1b88cd63d6210b38f6ab8d605eff44d3b5fa7 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Mon, 1 Feb 2021 15:23:29 -0600
Subject: [PATCH 22/34] corrected segments.sections fieldtype

---
 rfcs/text/0000-create-file-macho.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index f77321959b..81b502e026 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -31,7 +31,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
 |   macho.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
 |   macho.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
-|   macho.segments.sections            |   object   |   Section information for the segment of the file.                          |
+|   macho.segments.sections            |   flattened   |   Section information for the segment of the file.                          |
 |   macho.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
 |   macho.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
 |   macho.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |

From 84bdb2eb0a8d431cb5a91ae4e885e5dc9102abbc Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Mon, 1 Feb 2021 15:25:11 -0600
Subject: [PATCH 23/34] added cdhash to RFC doc.

---
 rfcs/text/0000-create-file-macho.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 81b502e026..8d109b826a 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -39,6 +39,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.segments.size     |   keyword  |   Segment limit size.                                            |
 |   macho.segment.flags     |   keyword  |   Segment flags.                                                 |
 |   macho.page_size                    |   long     |   Page size of the file.                                                    |
+|   macho.cdhash                    |   keyword     |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.                                                    |
 
 
 **Stage 1**  

From c04977331ddd406ec3e6d18abcfd7d441ced3265 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Mon, 1 Feb 2021 15:26:02 -0600
Subject: [PATCH 24/34] Fixed segments.offset fieldtype

---
 rfcs/text/0000-create-file-macho.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 8d109b826a..096ff8443b 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -35,7 +35,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
 |   macho.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
 |   macho.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
-|   macho.segments.offset      |   keyword  |   Offset of the segment.                                             |
+|   macho.segments.offset      |   long  |   Offset of the segment.                                             |
 |   macho.segments.size     |   keyword  |   Segment limit size.                                            |
 |   macho.segment.flags     |   keyword  |   Segment flags.                                                 |
 |   macho.page_size                    |   long     |   Page size of the file.                                                    |

From 3fd0931362826c118cad89f5543cd0de58200c74 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Mon, 1 Feb 2021 15:27:26 -0600
Subject: [PATCH 25/34] typo on rfc doc for segments.flags

---
 rfcs/text/0000-create-file-macho.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 096ff8443b..a8b555492d 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -37,7 +37,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
 |   macho.segments.offset      |   long  |   Offset of the segment.                                             |
 |   macho.segments.size     |   keyword  |   Segment limit size.                                            |
-|   macho.segment.flags     |   keyword  |   Segment flags.                                                 |
+|   macho.segments.flags     |   keyword  |   Segment flags.                                                 |
 |   macho.page_size                    |   long     |   Page size of the file.                                                    |
 |   macho.cdhash                    |   keyword     |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.                                                    |
 

From a53a52b1cb94d895980225ea33e2f8cded17c2f4 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 3 Feb 2021 16:04:24 -0600
Subject: [PATCH 26/34] back to headers from header

---
 rfcs/text/0000-create-file-macho.md | 14 +++++++-------
 rfcs/text/macho/macho.yml           |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index a8b555492d..80d2595e5f 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -18,13 +18,13 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.cpu.byte_order               |   keyword  |   CPU byte order for the file.                                              |
 |   macho.cpu.subtype                  |   keyword  |   CPU subtype for the file.                                                 |
 |   macho.cpu.type                     |   keyword  |   CPU type for the file.                                                    |
-|   macho.header                      |   object   |   Header information for the file.                                          |
-|   macho.header.commands             |   object   |   Header load commands for the file.                                        |
-|   macho.header.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
-|   macho.header.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
-|   macho.header.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
-|   macho.header.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
-|   macho.header.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
+|   macho.headers                      |   object   |   Header information for the file.                                          |
+|   macho.headers.commands             |   object   |   Header load commands for the file.                                        |
+|   macho.headers.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
+|   macho.headers.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
+|   macho.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
+|   macho.headers.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
+|   macho.headers.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
 |   macho.segments                     |   nested   |   Segment information for the file.                                         |
 |   macho.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
 |   macho.segments.name                |   keyword  |   Name of this segment.                                                     |
diff --git a/rfcs/text/macho/macho.yml b/rfcs/text/macho/macho.yml
index d30fc41df7..8e9932bf36 100644
--- a/rfcs/text/macho/macho.yml
+++ b/rfcs/text/macho/macho.yml
@@ -40,7 +40,7 @@
           level: extended
           example: ARM 64-bit
 
-    - name: header
+    - name: headers
       level: extended
       description: Header information for the file.
       type: object

From 276acfeab2de2180ccbd5d8692b17a4e2c3060d8 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Tue, 9 Feb 2021 14:52:44 -0600
Subject: [PATCH 27/34] Update 0000-create-file-macho.md

`macho.headers` to nested
---
 rfcs/text/0000-create-file-macho.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 80d2595e5f..def799e735 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -18,8 +18,7 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.cpu.byte_order               |   keyword  |   CPU byte order for the file.                                              |
 |   macho.cpu.subtype                  |   keyword  |   CPU subtype for the file.                                                 |
 |   macho.cpu.type                     |   keyword  |   CPU type for the file.                                                    |
-|   macho.headers                      |   object   |   Header information for the file.                                          |
-|   macho.headers.commands             |   object   |   Header load commands for the file.                                        |
+|   macho.headers                      |   nested   |   Header information for the file.                                          |
 |   macho.headers.commands.number      |   long     |   Number of load commands for the Mach-O header.                            |
 |   macho.headers.commands.size        |   long     |   Size of load commands of the Mach-O header.                               |
 |   macho.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |

From d996d6f7e16ecc9bb267b0d720885cdc3de95cc3 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Tue, 9 Feb 2021 14:53:44 -0600
Subject: [PATCH 28/34] Update macho.yml

set `headers` to nested
---
 rfcs/text/macho/macho.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/macho/macho.yml b/rfcs/text/macho/macho.yml
index 8e9932bf36..814482bf01 100644
--- a/rfcs/text/macho/macho.yml
+++ b/rfcs/text/macho/macho.yml
@@ -43,7 +43,7 @@
     - name: headers
       level: extended
       description: Header information for the file.
-      type: object
+      type: nested
       fields:
         - name: commands
           level: extended

From fc30c23668206ffe6f7742ad41c1e9e893b3948e Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Wed, 10 Feb 2021 17:27:27 -0600
Subject: [PATCH 29/34] ecs housekeeping edits

---
 rfcs/text/macho/macho.yml | 257 +++++++++++++++++---------------------
 1 file changed, 115 insertions(+), 142 deletions(-)

diff --git a/rfcs/text/macho/macho.yml b/rfcs/text/macho/macho.yml
index 814482bf01..16b597a4b7 100644
--- a/rfcs/text/macho/macho.yml
+++ b/rfcs/text/macho/macho.yml
@@ -11,159 +11,132 @@
       - file
       - process
   fields:
-    - name: cpu
-      level: extended
-      description: CPU information for the file.
-      type: object
-      fields:
-        - name: architecture
-          description: CPU architecture target for the file.
-          type: keyword
-          level: extended
-          example: 64-bit
-
-        - name: byte_order
-          description: CPU byte order for the file.
-          type: keyword
-          level: extended
-          example: Little endian
-
-        - name: subtype
-          description: CPU subtype for the file.
-          type: keyword
-          level: extended
-          example: ARM (all) 64-bit
-
-        - name: type
-          description: CPU type for the file.
-          type: keyword
-          level: extended
-          example: ARM 64-bit
+
+    - name: cpu.architecture
+      description: CPU architecture target for the file.
+      type: keyword
+      level: extended
+      example: 64-bit
+
+    - name: cpu.byte_order
+      description: CPU byte order for the file.
+      type: keyword
+      level: extended
+      example: Little endian
+
+    - name: cpu.subtype
+      description: CPU subtype for the file.
+      type: keyword
+      level: extended
+      example: ARM (all) 64-bit
+
+    - name: cpu.type
+      description: CPU type for the file.
+      type: keyword
+      level: extended
+      example: ARM 64-bit
 
     - name: headers
       level: extended
       description: Header information for the file.
       type: nested
-      fields:
-        - name: commands
-          level: extended
-          description: Header load commands information for the file.
-          type: object
-          fields:
-            - name: number
-              description: Number of load commands for the Mach-O header.
-              type: long
-              level: extended
-              example: 23
-
-            - name: size
-              description: Size of load commands of the Mach-O header.
-              type: long
-              level: extended
-              format: bytes
-              example: 3888
-
-            - name: type
-              description: Type of the load commands for the Mach-O header.
-              type: keyword
-              level: extended
-              example: LC_SYMTAB, 0x2c
-
-        - name: magic
-          description: Magic field of the Mach-O header.
-          type: keyword
-          level: extended
-          example: 0xfeedfacf
-
-        - name: flags
-          description: Flags set in the Mach-O header.
-          type: keyword
-          level: extended
-          example: TWOLEVEL, 0x4000000
+
+    - name: headers.commands.number
+      description: Number of load commands for the Mach-O header.
+      type: long
+      level: extended
+      example: 23
+
+    - name: headers.commands.size
+      description: Size of load commands of the Mach-O header.
+      type: long
+      level: extended
+      format: bytes
+      example: 3888
+
+    - name: headers.commands.type
+      description: Type of the load commands for the Mach-O header.
+      type: keyword
+      level: extended
+      example: LC_SYMTAB, 0x2c
+
+    - name: headers.magic
+      description: Magic field of the Mach-O header.
+      type: keyword
+      level: extended
+      example: 0xfeedfacf
+
+    - name: headers.flags
+      description: Flags set in the Mach-O header.
+      type: keyword
+      level: extended
+      example: TWOLEVEL, 0x4000000
 
     - name: segments
       level: extended
-        description: Segment information for the file.
+      description: Segment information for the file.
       type: nested
-      fields:
-        - name: vmaddr
-          description: Memory address of this segment.
-          type: keyword
-          level: extended
-          example: 0x0
-
-        - name: name
-          description: Name of this segment.
-          type: keyword
-          level: extended
-          example: __TEXT, __DATA, __IMPORT
-
-        - name: vmsize
-          description: Memory size of this segment.
-          type: keyword
-          level: extended
-          example: 0x4c000
-
-        - name: fileoff
-          description: File offset of this segment.
-          type: keyword
-          level: extended
-          example: 0x0
-
-        - name: filesize
-          description: Amount of memory to map from the file.
-          type: keyword
-          level: extended
-          example: 0x4c000
-
-        - name: sections
-          level: extended
-          description: Section information for the segment of the file.
-          type: flattened
-          fields:
-            - name: flags
-              description: Section flags for the segment of the file.
-              type: keyword
-              level: extended
-              example: SECTION_ATTRIBUTES_USR, S_8BYTE_LITERALS
-
-            - name: name
-              description: Section name for the segment of the file.
-              type: keyword
-              level: extended
-              example: __objc_classname, __stub_helper
-
-            - name: type
-              description: Section type for the segment of the file.
-              type: keyword
-              level: extended
-              example: S_REGULAR, S_CSTRING_LITERALS
-
-        - name: offset
-          description: Offset of the segment.
-          type: long
-          format: bytes
-          level: extended
-          example: 0
-
-        - name: size
-          description: Segment limit size.
-          type: long
-          format: bytes
-          level: extended
-          example: 123456
-
-        - name: flags
-          description: Segment flags.
-          type: keyword
-          level: extended
-          example: 0x0
+
+    - name: segments.vmaddr
+      description: Memory address of this segment.
+      type: keyword
+      level: extended
+      example: 0x0
+
+    - name: segments.name
+      description: Name of this segment.
+      type: keyword
+      level: extended
+      example: __TEXT, __DATA, __IMPORT
+
+    - name: segments.vmsize
+      description: Memory size of this segment.
+      type: keyword
+      level: extended
+      example: 0x4c000
+
+    - name: segments.fileoff
+      description: File offset of this segment.
+      type: keyword
+      level: extended
+      example: 0x0
+
+    - name: segments.filesize
+      description: Amount of memory to map from the file.
+      type: keyword
+      level: extended
+      example: 0x4c000
+
+    - name: segments.sections
+      level: extended
+      description: Section information for the segment of the file.
+      type: flattened
+
+    - name: segments.offset
+      description: Offset of the segment.
+      type: long
+      format: bytes
+      level: extended
+      example: 0
+
+    - name: segments.size
+      description: Segment limit size.
+      type: long
+      format: bytes
+      level: extended
+      example: 123456
+
+    - name: segments.flags
+      description: Segment flags.
+      type: keyword
+      level: extended
+      example: 0x0
 
     - name: cdhash
-          description: Code Digest (CD) SHA256 hash of the first 20-bytes of the file.
-          type: keyword
-          level: extended
-          example: 2035094a7065b29421e7a51f51db9bd61807c3628f210b1f8e667235777dc592
+      description: Code Digest (CD) SHA256 hash of the first 20-bytes of the file.
+      type: keyword
+      level: extended
+      example: 2035094a7065b29421e7a51f51db9bd61807c3628f210b1f8e667235777dc592
 
     - name: page_size
       description: Page size of the file.

From 442d212200d0637616688d824b3c5763441ce21d Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Tue, 16 Feb 2021 14:57:26 -0600
Subject: [PATCH 30/34] Update rfcs/text/0000-create-file-macho.md

Co-authored-by: Eric Beahan <ebeahan@gmail.com>
---
 rfcs/text/0000-create-file-macho.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index def799e735..6ca112c11b 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -1,6 +1,6 @@
 # 0000: Create the Mach-O sub-field of the File fieldset
 
-- Stage: **1 (proposal)**
+- Stage: **1 (draft)**
 - Date: **TBD**
 
 Create the Mach Object (Mach-O) sub-field, of the `file` top-level fieldset. This document metadata can be used for malware research, as well as coding and other application development efforts.

From a7ff6aeae7a396d29de4dee3bc6baee0fb052522 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Tue, 16 Feb 2021 14:58:11 -0600
Subject: [PATCH 31/34] Update rfcs/text/0000-create-file-macho.md

Co-authored-by: Eric Beahan <ebeahan@gmail.com>
---
 rfcs/text/0000-create-file-macho.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 6ca112c11b..0754784dc9 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -138,7 +138,7 @@ The following are the people that consulted on the contents of this RFC.
 
 <!-- An RFC should link to the PRs for each of it stage advancements. -->
 
-* Stage 0: https://github.com/elastic/ecs/pull/1097
+* Stage 1: https://github.com/elastic/ecs/pull/1097
 
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN

From a96fd558a0e144438adc03029d4fa195f0fb4e4c Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Tue, 16 Feb 2021 15:02:57 -0600
Subject: [PATCH 32/34] Update rfcs/text/0000-create-file-macho.md

---
 rfcs/text/0000-create-file-macho.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 0754784dc9..0923a9b8d0 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -3,7 +3,7 @@
 - Stage: **1 (draft)**
 - Date: **TBD**
 
-Create the Mach Object (Mach-O) sub-field, of the `file` top-level fieldset. This document metadata can be used for malware research, as well as coding and other application development efforts.
+Create the Mach Object (Mach-O) sub-field, of the `file` or `process` top-level fieldsets. This document metadata can be used for malware research, as well as coding and other application development efforts.
 
 ## Fields
 

From 5177e2eced6d9ce922bb004aee9dcc9d5a4d6b3b Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Thu, 11 Mar 2021 16:06:01 -0600
Subject: [PATCH 33/34] Update rfcs/text/0000-create-file-macho.md

Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
---
 rfcs/text/0000-create-file-macho.md | 30 ++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 0923a9b8d0..84a62df919 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -24,19 +24,23 @@ This RFC is to create the Mach-O sub-field within the `file.` fieldset. This wil
 |   macho.headers.commands.type        |   keyword  |   Type of the load commands for the Mach-O header.                          |
 |   macho.headers.magic                |   keyword  |   Magic field of the Mach-O header.                                         |
 |   macho.headers.flags                |   keyword  |   Flags set in the Mach-O header.                                           |
-|   macho.segments                     |   nested   |   Segment information for the file.                                         |
-|   macho.segments.vmaddr              |   keyword  |   Memory address of this segment.                                           |
-|   macho.segments.name                |   keyword  |   Name of this segment.                                                     |
-|   macho.segments.vmsize              |   keyword  |   Memory size of this segment.                                              |
-|   macho.segments.fileoff             |   keyword  |   File offset of this segment.                                              |
-|   macho.segments.filesize            |   keyword  |   Amount of memory to map from the file.                                    |
-|   macho.segments.sections            |   flattened   |   Section information for the segment of the file.                          |
-|   macho.segments.sections.flags      |   keyword  |   Section flags for the segment of the file.                                |
-|   macho.segments.sections.name       |   keyword  |   Section name for the segment of the file.                                 |
-|   macho.segments.sections.type       |   keyword  |   Section type for the segment of the file.                                 |
-|   macho.segments.offset      |   long  |   Offset of the segment.                                             |
-|   macho.segments.size     |   keyword  |   Segment limit size.                                            |
-|   macho.segments.flags     |   keyword  |   Segment flags.                                                 |
+|   macho.segments                 |   nested   |   Segment information for the file.                   |
+|   macho.segments.name            |   keyword  |   Name of this segment.                               |
+|   macho.segments.physical_offset |   long     |   File offset of this segment.                        |
+|   macho.segments.physical_size   |   keyword  |   Amount of memory to map from the file.              |
+|   macho.segments.virtual_address |   keyword  |   Memory address of this segment.                     |
+|   macho.segments.virtual_size    |   keyword  |   Memory size of this segment.                        |
+|   macho.segments.sections        |   keyword  |   Section names contained in this segment.            |
+|   macho.sections                 |   nested   |   Section information for the segment of the file.    |
+|   macho.sections.name            |   keyword  |   Section name for the segment of the file.           |
+|   macho.sections.flags           |   keyword  |   Section flags for the segment of the file.          |
+|   macho.sections.type            |   keyword  |   Section type for the segment of the file.           |
+|   macho.sections.physical_offset |   long     |   Section List offset.                                |
+|   macho.sections.physical_size   |   long     |   Section List physical size.                         |
+|   macho.sections.virtual_address |   long     |   Section List virtual address.                       |
+|   macho.sections.virtual_size    |   long     |   Section List virtual size.                          |
+|   macho.sections.entropy         |   float    |   Shannon entropy calculation from the section.       |
+|   macho.sections.chi2            |   float    |   Chi-square probability distribution of the section. |
 |   macho.page_size                    |   long     |   Page size of the file.                                                    |
 |   macho.cdhash                    |   keyword     |   Code Digest (CD) SHA256 hash of the first 20-bytes of the file.                                                    |
 

From 1347c0d8af5753ea55074342e1c8903214887a0b Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Thu, 11 Mar 2021 16:06:13 -0600
Subject: [PATCH 34/34] Update rfcs/text/0000-create-file-macho.md

Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
---
 rfcs/text/0000-create-file-macho.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rfcs/text/0000-create-file-macho.md b/rfcs/text/0000-create-file-macho.md
index 84a62df919..51a97c6bdf 100644
--- a/rfcs/text/0000-create-file-macho.md
+++ b/rfcs/text/0000-create-file-macho.md
@@ -73,6 +73,7 @@ This type of data can be provided by logs from VirusTotal, Reversing Labs, Lockh
 * [Emerson FSF](https://github.com/EmersonElectricCo/fsf)
 * [Target Strelka](https://github.com/target/strelka)
 * [Lockheed Martin LAIKABOSS](https://github.com/lmco/laikaboss)
+* [LIEF Analysis Library](https://lief.quarkslab.com/doc/latest/api/python/macho.html)
 
 <!--
 Stage 1: Provide a high-level description of example sources of data. This does not yet need to be a concrete example of a source document, but instead can simply describe a potential source (e.g. nginx access log). This will ultimately be fleshed out to include literal source examples in a future stage. The goal here is to identify practical sources for these fields in the real world. ~1-3 sentences or unordered list.