mdls
mdls lists a file's metadata drawn from three sources: standard file attributes (creation date, size), extended attributes (the quarantine attribute), and the Spotlight index (Finder flags and Finder comments).
Paths
/usr/bin/mdls
Example Use Cases
Validate file download information
Use mdls to confirm that a payload on disk was downloaded from the expected source at the expected time before running it. A file copied into a sandbox or analysis VM, rather than fetched by the victim's browser, lacks the kMDItemWhereFroms and kMDItemDownloadedDate values (or carries unexpected ones), so the check lets a payload refuse to execute there. These attributes are written by the downloading application (Safari, Chrome, Mail); a file fetched with curl carries neither. The file to inspect is given as the last argument (placeholder shown).
mdls -name "kMDItemWhereFroms" -name "kMDItemDownloadedDate" <downloaded-file>
Query File Paths
Use mdls to print file paths and sizes when enumerating host resources. xargs -0 expects a NUL-separated file list, which find -print0 supplies, so names containing spaces are handled correctly.
find ~ -type f -print0 | xargs -0 mdls -n kMDItemPath -n kMDItemFSSize
Extract and execute payload stored in Finder comment metadata
Any file on macOS can carry a Finder comment. Finder stores it in the extended attribute com.apple.metadata:kMDItemFinderComment (a binary plist holding one string), and Spotlight indexes that string as kMDItemFinderComment. mdls can read this attribute and, with -raw, print only its value, so the output can be piped straight to a decoder and executor. Because the payload lives in the extended attribute and the Spotlight index rather than in the file's data fork, tools that hash or scan only file contents do not see it; it is still visible to xattr -l and to monitoring of extended-attribute writes. Finder comments can be written remotely via osascript over Remote Apple Events or SSH, making this a covert staging mechanism for lateral movement payloads.
mdls -name kMDItemFinderComment -raw ~/Desktop/payload_carrier.txt | base64 -D | bash
Detections
- No detections at time of publishing
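Since no detection is published for the Finder comment use case, the following hunting script is an added example (not LOOBins code and not from the page's author). It reads the com.apple.metadata:kMDItemFinderComment extended attribute directly with `xattr -px`, rather than through the Spotlight index that mdls queries, and flags comments that are a single base64 blob decoding to script-like text, which is exactly what the `mdls ... -raw | base64 -D | bash` chain above consumes. The marker list, the sample payload and the hostname in it are constructed for illustration; `stage_comment` mirrors the encoding an attacker would write into the comment so the detector can be exercised offline.

```python
"""Hunt for script payloads staged in macOS Finder comments.

Added example, not part of the LOOBins page. Finder stores a file's comment
in the extended attribute com.apple.metadata:kMDItemFinderComment as a binary
plist holding one string; Spotlight indexes that string as
kMDItemFinderComment, which is what `mdls -name kMDItemFinderComment -raw`
prints. Reading the xattr directly does not depend on the Spotlight index
being current. Marker list and sample payload are constructed for illustration.
"""
import base64
import os
import plistlib
import re
import subprocess
from typing import Dict, List, Optional, Tuple

FINDER_COMMENT_XATTR = "com.apple.metadata:kMDItemFinderComment"

# Constructed heuristic: tokens suggesting a decoded comment is a script
# rather than free text. Tune for your environment.
SCRIPT_MARKERS = re.compile(
    rb"(^#!|\bcurl\b|\bbash\b|\bosascript\b|\bbase64\b|\bchmod\b|\bnohup\b|\beval\b)"
)


def finder_comment_xattr(comment: str) -> bytes:
    """Build the xattr value Finder writes: a binary plist with one string."""
    return plistlib.dumps(comment, fmt=plistlib.FMT_BINARY)


def decode_finder_comment(raw: bytes) -> Optional[str]:
    """Parse the xattr value back to the comment string; None if it is not
    the plist-wrapped string Finder produces."""
    try:
        value = plistlib.loads(raw)
    except Exception:
        return None
    return value if isinstance(value, str) else None


def stage_comment(script: bytes) -> str:
    """Encode a script the way the page's extraction chain expects to find it
    (base64 text that `base64 -D | bash` will run)."""
    return base64.b64encode(script).decode("ascii")


def base64_payload(comment: str) -> Optional[bytes]:
    """Decode the comment if the whole thing is one base64 blob, else None."""
    compact = "".join(comment.split())
    if len(compact) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error (bad padding) is a ValueError
        return None


def classify_comment(comment: str) -> Dict[str, object]:
    """Flag comments that are base64 blobs decoding to script-like text."""
    payload = base64_payload(comment)
    if payload is None:
        return {"suspicious": False, "reason": "not a base64 blob"}
    if not SCRIPT_MARKERS.search(payload):
        return {"suspicious": False, "reason": "base64 but no script markers"}
    return {
        "suspicious": True,
        "reason": "base64 decodes to script-like payload",
        "preview": payload[:80].decode("utf-8", "replace"),
    }


def read_finder_comment_xattr(path: str) -> Optional[bytes]:
    """Read the raw xattr on macOS via `xattr -px` (hex output); Python's os
    module has no getxattr on macOS. Returns None when there is no comment."""
    result = subprocess.run(
        ["xattr", "-px", FINDER_COMMENT_XATTR, path],
        capture_output=True, text=True,
    )
    if result.returncode != 0 or not result.stdout.strip():
        return None
    return bytes.fromhex(result.stdout)  # fromhex skips the spaces/newlines


def scan_tree(root: str) -> List[Tuple[str, Dict[str, object]]]:
    """Walk a directory and return files whose Finder comment looks staged."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            raw = read_finder_comment_xattr(path)
            comment = decode_finder_comment(raw) if raw else None
            if comment is None:
                continue
            verdict = classify_comment(comment)
            if verdict["suspicious"]:
                hits.append((path, verdict))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, verdict in scan_tree(root):
        print(path, verdict["reason"], verdict["preview"])
```

Run it on a macOS host as `python3 hunt_finder_comments.py /Users`; a hit prints the path and the first 80 bytes of the decoded payload. Because the check keys on the comment being one base64 blob, an attacker can evade it by wrapping the payload in prose or using a different encoding, so pair it with monitoring of extended-attribute writes and of osascript invocations that touch Finder's comment property.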
Resources
Acknowledgements
- Ryan Conry (Cisco Talos, Finder comment payload extraction use case)