Created by Chris Campbell (@texasbe2trill)
mdfind to locate files on MacOS by searching a pre-built database. It is a command-line alternative to Spotlight in MacOS
|2023-04-22||Reconnaissance Discovery Defense Evasion||bash zsh oneliner osascript XCSSET|
Use mdfind to provide live updates to the number of files matching the query
A bash or zsh oneliner can cause mdfind to provide an attacker with live updates to the number of files on a system.
mdfind -live passw
Use mdfind to search for AWS Keys
Allows an attacker to query the filesystem via the CommandLine/Terminal to search for AWS keys.
mdfind 'kMDItemTextContext == AKIA || kMDItemDisplayName = *AKIA* -onlyin ~'
Use mdfind to search for apps to infect
Allows an attacker to determine if specific applications are installed and can be leveraged
set appId to do shell script "mdfind kMDItemCFBundleIdentifier = '" & bundleId & "'"
- No detections at time of publishing