mdfind #

Created by Chris Campbell (@texasbe2trill)

Description ##

mdfind to locate files on MacOS by searching a pre-built database. It is a command-line alternative to Spotlight in MacOS

Paths ##

• /usr/bin/mdfind

Use Cases ##

Use mdfind to provide live updates to the number of files matching the query ##

A bash or zsh oneliner can cause mdfind to provide an attacker with live updates to the number of files on a system.

mdfind -live passw

Use mdfind to search for AWS Keys ##

Allows an attacker to query the filesystem via the CommandLine/Terminal to search for AWS keys.

mdfind 'kMDItemTextContext == AKIA || kMDItemDisplayName = *AKIA* -onlyin ~'

Use mdfind to search for apps to infect ##

Allows an attacker to determine if specific applications are installed and can be leveraged

set appId to do shell script "mdfind kMDItemCFBundleIdentifier = '" & bundleId & "'"

Detections ##

• Jamf Protect: Detect activity related to mdfind used to search for stored AWS keys

Resources ##

• “Farming The Apple Orchards: Living off the Land Techniques” - Chris Ross & Cedric Owens

• “Zero-Day TCC bypass discovered in XCSSET malware” - Jaron Bradley, Ferdous Saljooki, Stuart Ashenbrenner