Created by Chris Campbell (@texasbe2trill)


mdfind to locate files on MacOS by searching a pre-built database. It is a command-line alternative to Spotlight in MacOS

2023-04-22Reconnaissance Discovery Defense Evasionbash zsh oneliner osascript XCSSET


  • /usr/bin/mdfind

Use Cases

Use mdfind to provide live updates to the number of files matching the query

A bash or zsh oneliner can cause mdfind to provide an attacker with live updates to the number of files on a system.

mdfind -live passw

Use mdfind to search for AWS Keys

Allows an attacker to query the filesystem via the CommandLine/Terminal to search for AWS keys.

mdfind 'kMDItemTextContext == AKIA || kMDItemDisplayName = *AKIA* -onlyin ~'

Use mdfind to search for apps to infect

Allows an attacker to determine if specific applications are installed and can be leveraged

set appId to do shell script "mdfind kMDItemCFBundleIdentifier = '" & bundleId & "'"


  • No detections at time of publishing