← All Binaries

mdfind

mdfind to locate files on MacOS by searching a pre-built database. It is a command-line alternative to Spotlight in MacOS

Author: Chris Campbell (@texasbe2trill) Created: 2023-04-22
ReconnaissanceDiscoveryDefense Evasion bashzshonelinerosascriptxcsset

Paths

/usr/bin/mdfind

Example Use Cases

Use mdfind to provide live updates to the number of files matching the query

A bash or zsh oneliner can cause mdfind to provide an attacker with live updates to the number of files on a system.

mdfind -live passw
ReconnaissanceDiscovery bashzshoneliner

Use mdfind to search for AWS Keys

Allows an attacker to query the filesystem via the CommandLine/Terminal to search for AWS keys.

mdfind 'kMDItemTextContext == AKIA || kMDItemDisplayName = *AKIA* -onlyin ~'
ReconnaissanceDiscovery bashzshoneliner

Use mdfind to search for apps to infect

Allows an attacker to determine if specific applications are installed and can be leveraged

set appId to do shell script "mdfind kMDItemCFBundleIdentifier = '" & bundleId & "'"
ReconnaissanceDiscoveryDefense Evasion osascriptxcsset

Detections

Resources