Created by ezaspy


The textutil binary is a command-line utility included in macOS that allows users to manipulate text files of various formats, using the mechanisms provided by the Cocoa text system. Formats include rtf, html, docx and others

2023-05-05Defense Evasion Collection Credential Accessbash oneliner textutil pbpaste clipboard


  • /usr/bin/textutil

Use Cases

Use the textutil to read several files and build a new file

A one-liner can load the content of multiple RTF files in a directory, concatenate their contents, and write the results out as a new file. This provides two sub-use-cases; one is building a malicious file from a collection of smaller files which could evade both network and host-based security controls as the traditional means of signature-based detection would be redundant; two is concatenating the content of several, potentially sensitive files before exfiltration. This command can also be looped to iterate a directory of files.

textutil -convert html Quote.doc secondQuote.doc

Capture clipboard content

By leveraging another command line tool, pbpaste, it is possible to write a one-liner which captures the content of the clipboard. If an attacker already has access to the system, the attacker could run this command to obtain sensitive information such as a password and then elevate their privileges or exfiltrate the information.

pbpaste | textutil -stdin -info > Clipboard.txt