mdls
Created by Daniel Stinson-Diess (@shellcromancer)
Description
mdls lists file metadata across standard metadata (creation date, size), extended attributes (quarantine), and Spotlight APIs (Finder flags).
Created | Tactics | Tags |
---|---|---|
2023-05-29 | Defense Evasion, Discovery | Genieo, Shlayer, CleanMaster |
Paths
/usr/bin/mdls
Use Cases
Validate file download information
Use mdls to validate payload download sources and timestamps to guard against sandbox executions.
mdls -name "kMDItemWhereFroms" -name "kMDItemDownloadedDate"
Query File Paths
Use mdls to print file paths and sizes when enumerating host resources.
xargs -0 mdls -n kMDItemPath -n kMDItemFSSize
Detections
- No detections at time of publishing
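
A starting point for detecting the two use cases above, as an added example that is not a detection published with this entry: it flags process command lines where mdls is asked for the attributes shown on this page. The event schema (`tty`, `cmdline`), the sample events, and the alert/review split on whether a controlling terminal is present are assumptions made for the example.

```python
import shlex

# Attribute names taken from the two use cases on this page.
DOWNLOAD_ATTRS = {"kMDItemWhereFroms", "kMDItemDownloadedDate"}
ENUM_ATTRS = {"kMDItemPath", "kMDItemFSSize"}

def requested_attrs(cmdline):
    """Return attribute names passed to mdls via -name/-n, or None if mdls is absent."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        return None
    # Locate mdls anywhere in argv so wrappers such as `xargs -0 mdls ...` match.
    idx = next((i for i, a in enumerate(argv)
                if a == "mdls" or a.endswith("/mdls")), None)
    if idx is None:
        return None
    rest = argv[idx + 1:]
    return {val for flag, val in zip(rest, rest[1:]) if flag in ("-name", "-n")}

def classify(event):
    """Map one process event to (finding, priority), or None when not relevant."""
    attrs = requested_attrs(event["cmdline"])
    if not attrs:
        return None
    if attrs & DOWNLOAD_ATTRS:
        finding = "download-origin-check"
    elif attrs & ENUM_ATTRS:
        finding = "path-enumeration"
    else:
        return None
    # Assumption: no controlling terminal means scripted use, which ranks higher
    # than someone typing the command interactively.
    return (finding, "review" if event.get("tty") else "alert")

# Constructed sample events; field names are hypothetical, not a real telemetry schema.
SAMPLE_EVENTS = [
    {"tty": None, "cmdline": '/usr/bin/mdls -name "kMDItemWhereFroms" '
                             '-name "kMDItemDownloadedDate" /tmp/sample.dmg'},
    {"tty": None, "cmdline": "xargs -0 mdls -n kMDItemPath -n kMDItemFSSize"},
    {"tty": "/dev/ttys001", "cmdline": "mdls -name kMDItemContentType notes.txt"},
    {"tty": "/dev/ttys001", "cmdline": "mdls -name kMDItemWhereFroms installer.pkg"},
    {"tty": None, "cmdline": "/bin/ls -la /Users"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "<-", ev["cmdline"])
```

Legitimate tooling also queries these attributes, so treat the output as a lead to correlate with the parent process and the file being inspected.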