{ "type": "bundle", "id": "bundle--4de51a81-b9a0-479e-8f0b-6813b31bc53b", "objects": [ { "type": "tool", "spec_version": "2.1", "id": "tool--fceec7c2-3093-4ab3-bc69-1defdc9ff795", "created": "2023-06-06T00:00:00.000Z", "modified": "2025-06-22T16:00:24.461202Z", "name": "log", "description": "The log command can be used to access system log messages from Apple Unified Logging (AUL). The tool can be used to inspect exiting logs, stream logs in realtime, and delete logs. This tool is normally used by system admins and application developers for troubleshooting purposes but can be used by an adversary to gain an understanding of the user's behavior or to cover up their tracks by deleting log messages.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/log/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--67276493-adb9-4dc4-b272-57296989dd4b", "created": "2023-05-24T00:00:00.000Z", "modified": "2025-06-22T16:00:24.461539Z", "name": "defaults", "description": "The defaults binary is normally used to interact with the user defaults system, a database of macOS used to manage system settings much like the Windows Registry. The database can be abused by threat actors to change settings in attempt to evade defenses or to gain persistence.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/defaults/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b380413d-5452-47ce-b963-7664dffbc268", "created": "2023-08-31T00:00:00.000Z", "modified": "2025-06-22T16:00:24.461652Z", "name": "systemsetup", "description": "systemsetup configures certain per-machine settings typically configured in the System Preferences application.\nThe systemsetup command requires at least \"admin\" privileges to run.\n", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/systemsetup/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d0e06c5a-183d-44ba-b712-2475f3bdb66a", "created": "2023-05-10T00:00:00.000Z", "modified": "2025-06-22T16:00:24.461746Z", "name": "open", "description": "The open command-line utility can be used to open files, folders, app, URLs or header files in their associate macOS app.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/open/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--6e1b838e-4344-413d-90ac-735d9b0dd115", "created": "2023-04-20T00:00:00.000Z", "modified": "2025-06-22T16:00:24.461836Z", "name": "ioreg", "description": "The I/O Kit registry (ioreg) is a useful binary that can be used to gather data such as detecting if a VM is used, getting USB device vendor names, checking if a screen is locked, etc.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/ioreg/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d0dc0191-4694-49d0-a5cb-6068f5bec249", "created": "2023-04-24T00:00:00.000Z", "modified": "2025-06-22T16:00:24.461924Z", "name": "security", "description": "security is a command-line utility included in macOS that allows users to interact with the Keychain app. Keychains allow users to manager passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/security/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--43c054a5-7615-44bb-9551-4ec01f084098", "created": "2023-08-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.46201Z", "name": "dsconfigad", "description": "This tool allows command-line configuration of the Active Directory Plug-in. dsconfigad has the same functionality for configuring the Active Directory plugin as the Directory Utility application. It requires \"admin\" privileges to the local workstation and to the Directory to make changes.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/dsconfigad/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--da4c1562-2f80-4e96-8a56-91378f6c802f", "created": "2023-11-17T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462101Z", "name": "say", "description": "This tool uses the Speech Synthesis manager to convert input text to audible speech and either play it through the sound output device chosen in System Preferences or save it to an AIFF file.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/say/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--5a2a4fbb-4ae0-4d0f-aff8-4f9978cfc00d", "created": "2023-05-16T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462187Z", "name": "profiles", "description": "Profiles on macOS are responsible for managing different types of profiles including configuration, provisioning, bootstraptoken, or enrollment. However, starting from macOS 11.0, this tool cannot be used for installing configuration profiles.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/profiles/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--97f067de-2c40-4dbe-9fe0-4bb0d5b8f619", "created": "2024-07-15T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462268Z", "name": "streamzip", "description": "streamzip is a system utility that can be utilized to compress data from \"stdin\" and write the data directly to \"stdout\", no temporary files are created. The tool can be used by malicious actors to collect and exfiltrate sensitive data without leaving staged data archive artifacts on disk.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/streamzip/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b618ee42-ffe6-43ef-b253-6d555b339cc9", "created": "2024-07-25T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462351Z", "name": "chflags", "description": "The chflags utility modifies the file flags of the listed files as \nspecified by the flags operand.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/chflags/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--cc97c58b-3d7e-43f0-93a0-bbf66a0d7958", "created": "2023-04-20T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462433Z", "name": "xattr", "description": "The xattr command can be used to display, modify or remove the extended attributes of one or more files, including directories and symbolic links. Extended attributes are arbitrary metadata stored with a file, but separate from the filesystem attributes (such as modification time or file size). The metadata is often a null-terminated UTF-8 string, but can also be arbitrary binary data. xattr can be used to bypass Gatekeeper.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/xattr/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d20cee5c-ff97-457f-82a2-965c4af3434c", "created": "2023-07-12T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462516Z", "name": "caffeinate", "description": "caffeinate creates assertions to alter system sleep behavior. If no assertion flags are specified, caffeinate creates an assertion to prevent idle sleep.\nIf a utility is specified, caffeinate creates the assertions on the utility's behalf, and those assertions will persist for the duration of the utility's execution.\nOtherwise, caffeinate creates the assertions directly, and those assertions will persist until caffeinate exits.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/caffeinate/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--109eb5e6-854e-4f84-9164-b56e3b27c0d4", "created": "2023-05-17T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462601Z", "name": "tclsh", "description": "tclsh is a shell-like utility that runs Tcl from standard input or a file. tclsh holds the \"com.apple.security.cs.disable-library-validation\" entitlement and is capable of loading arbitary plug-ins, framework, and libraries without requiring signed code.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/tclsh/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--0e61dd5c-4b7c-4632-b37a-04c75b2527f4", "created": "2023-06-21T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462686Z", "name": "scutil", "description": "scutil provides a command line interface to the dynamic store data maintained by configd. Interaction with this data (using the SystemConfiguration.framework SCDynamicStore APIs) is handled with a set of commands read from standard input.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/scutil/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--fcde7b8b-12af-40a2-bee7-33d590047c58", "created": "2023-04-27T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462768Z", "name": "screencapture", "description": "A tools that allows users to take screenshots of their desktop or specific app windows. The tool can be used by malicious actors to collect sensitve information from the targeted system.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/screencapture/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d614a7c0-892b-4358-80e6-c75d4bc6adf9", "created": "2023-05-07T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462851Z", "name": "plutil", "description": "plutil is a command-line utility used for managing property list (.plist) files. These files are commonly used by macOS to store a app settings and other configuration info. The utility allows users to check the validity of plist files `plutil -lint`, convert plist files between XML and binary formats (plutil -convert), and add, modify or remove plist key value pairs.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/plutil/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7ba0c09b-e34a-4d95-80da-8723b3b0ae1b", "created": "2023-05-27T00:00:00.000Z", "modified": "2025-06-22T16:00:24.462935Z", "name": "launchctl", "description": "launchctl can be used to load, start, stop, and unload macOS services. It is a command-line frontend to launchd.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/launchctl/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d8c07eab-4b84-4638-ac39-9ea252b43e8a", "created": "2023-07-12T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463018Z", "name": "odutil", "description": "To look at internal state information for opendirectoryd, enable or disable logging, or change statistics settings.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/odutil/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--4a79abf0-4c0a-454e-ac3c-ae3a4e3ac0e5", "created": "2023-05-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463101Z", "name": "dsexport", "description": "dsexport is a command-line utility designed to export records from the directory services database on a local host or from a connected LDAP service. The tool can be used to gather information about users, groups, and computers. The tool can also be used to export the directory services database to a file for offline analysis.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/dsexport/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--8629f751-1f2e-4620-aab6-8ea483057a85", "created": "2023-05-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463185Z", "name": "nvram", "description": "Access and manage the host's non-volatile random-access memory (NVRAM).", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/nvram/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--bb8f114c-db65-4827-adda-0111053fb273", "created": "2023-06-28T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463269Z", "name": "mktemp", "description": "The mktemp binary located in \"usr/bin/mktemp\" can generate unique directory or file names and has historically been used to generate unique payloads.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/mktemp/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--ec70daf9-21b4-4636-b5ee-3101d74d4b2e", "created": "2023-07-30T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463359Z", "name": "kextstat", "description": "Deprecated tool in favor of kmutil. Lists loaded kernal extensions", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/kextstat/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--ac08a7bf-e3ee-405f-952d-8af0d2e1bfc8", "created": "2023-05-19T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463442Z", "name": "dns-sd", "description": "dns-sd can be used to interact with the Multicast DNS (mDNS) and DNS Service Discovery (DNS-SD) protocols. The tool is useful for administrators but can also be abused by malicious actors to discover local network services.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/dns-sd/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--523f95b4-2144-451c-a42a-22366dd4949c", "created": "2023-05-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463524Z", "name": "sqlite3", "description": "sqlite is a command-line utility that allows users to query and manage sqlite databases. Many components of macOS and apps used sqlite to store data. Attackers can leverage this tool to discover sensitive data.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/sqlite3/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--1f9be3d2-7c56-4131-b21a-abcb0347029c", "created": "2023-12-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463606Z", "name": "swift", "description": "The swift command is an interactive environment (REPL) for Swift.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/swift/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--5802792c-2175-4068-b746-f2733bdbf166", "created": "2023-04-22T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463689Z", "name": "networksetup", "description": "networksetup extensive tool for reading and setting various network configuration details useful for Discovery and Command and Control.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/networksetup/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--db320600-ee04-4280-9675-45b096f90342", "created": "2023-05-14T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463772Z", "name": "osacompile", "description": "osacompile is a utility used to compile scripts into executables. It's a component of Open Scripting Architecture (OSA) that Apple uses for its scripting languages, like AppleScript and JavaScript for Automation (JXA). osacompile accepts AppleScript code as input and produces a compiled script file, which can be either a script file (.scpt), an app (.app), a droplet, or a script bundle.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/osacompile/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--70d8285a-ef0c-4d55-a886-72338f79454f", "created": "2023-04-27T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463854Z", "name": "last", "description": "The command shows a list of user sessions including the user name, terminal used, host name, start and stop times, and duration. It also indicates if a session is still active or was terminated unexpectedly.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/last/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--3dd18d7d-61c2-4475-b35f-eb194e7cc04b", "created": "2023-04-11T00:00:00.000Z", "modified": "2025-06-22T16:00:24.463935Z", "name": "pbpaste", "description": "Retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/pbpaste/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--5a80c28e-6f0c-4f80-ba62-85a942fe0742", "created": "2023-07-12T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464016Z", "name": "system_profiler", "description": "system_profiler reports on the hardware and software configuration of the system. It can generate plain text reports or XML reports which can be opened with System Information.app", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/system_profiler/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--14ae4b32-b2ff-4ad8-a017-e1aff6b83fdd", "created": "2023-09-12T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464098Z", "name": "sfltool", "description": "sfltool allows interactions with the Shared File List framework, which can be used to modify application recent documents, favorites, and more.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/sfltool/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c847c126-0433-48c1-a05c-4bcb44a2dda1", "created": "2023-08-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464182Z", "name": "dscacheutil", "description": "dscacheutil does various operations against the Directory Service cache including gathering statistics, initiating lookups, inspection, cache flush, etc.\nThis tool replaces most of the functionality of the lookupd tool previously available in the OS.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/dscacheutil/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--f5fde139-fa04-414e-80e0-53bc1b0de1ca", "created": "2023-05-22T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464263Z", "name": "nscurl", "description": "macOS version of curl that is used to download files to a target without applying the quarantine extended attribute", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/nscurl/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c2927208-cebe-426f-b77e-8363a1d0b9a7", "created": "2023-09-11T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464344Z", "name": "sw_vers", "description": "sw_vers prints macOS version information, including the exact macOS version number.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/sw_vers/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--58bdb64b-e4ba-4340-b597-aca0beb86101", "created": "2023-04-25T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464428Z", "name": "softwareupdate", "description": "A command-line utility for running software updates.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/softwareupdate/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--815b2426-c58a-4086-9895-47d136b8a1ae", "created": "2023-05-20T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464511Z", "name": "safaridriver", "description": "safaridriver is a tool that is used to enable Selenium testing via the macOS WebDriver protocol. Once enabled, the WebDriver API could be abused by attackers to communicate with external servers for command and control or exfiltration purposes.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/safaridriver/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--0718bd0f-dd95-4c82-b1c2-aa46e1b9cda6", "created": "2023-04-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464592Z", "name": "SetFile", "description": "Uses the CommandLine/Terminal to set file and or directory attributes. It can set attributes, creator, creation date, modification date, and file type for multiple files at a time.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/SetFile/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--15db7c52-f091-44d0-afbc-8437a53d6e1e", "created": "2023-04-22T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464673Z", "name": "mdfind", "description": "mdfind to locate files on MacOS by searching a pre-built database. It is a command-line alternative to Spotlight in MacOS", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/mdfind/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c72f1196-8164-4a27-bbd2-fea98a6688a0", "created": "2023-05-01T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464755Z", "name": "tmutil", "description": "A tool for managing Time Machine, the native macOS backup utility.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/tmutil/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--27041615-8637-4b2b-9857-ebf0ba2f7828", "created": "2023-04-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464838Z", "name": "GetFileInfo", "description": "Uses the CommandLine/Terminal to return type, creator, attributes, created, and modified file information of a file or directory.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/GetFileInfo/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7d41423f-098d-452f-bfee-9c9d4bc1b546", "created": "2023-05-05T00:00:00.000Z", "modified": "2025-06-22T16:00:24.464921Z", "name": "textutil", "description": "The textutil binary is a command-line utility included in macOS that allows users to manipulate text files of various formats, using the mechanisms provided by the Cocoa text system. Formats include rtf, html, docx and others", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/textutil/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d8e368d7-21e9-478f-87d0-379265b479d8", "created": "2023-05-22T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465003Z", "name": "ssh-keygen", "description": "ssh-keygen is a tool for creating new authentication key pairs for SSH (Secure Shell). ssh-keygen holds the \"com.apple.security.cs.disable-library-validation\" entitlement and is capable of loading arbitrary libraries without requiring signed code.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/ssh-keygen/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--84572984-9844-4bb1-8e3e-40b218d3bad4", "created": "2024-07-29T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465085Z", "name": "codesign", "description": "The codesign command is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/codesign/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d0024b6e-813d-4f97-a928-52eac53f3d8c", "created": "2023-04-25T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465167Z", "name": "dscl", "description": "An extensive tool for communicating with the Directory Services, useful for Discovery.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/dscl/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--4150ad41-130d-43dd-a45f-d7e5edfeced5", "created": "2023-05-21T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465249Z", "name": "hdiutil", "description": "hdiutil manipulates disk images such as DMG and ISO files. You can mount, unmount, create, resize and verify disk images. Including encrypted images.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/hdiutil/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--e6177fdf-ac8a-4516-8416-b6c49034648e", "created": "2023-04-19T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465332Z", "name": "osascript", "description": "The osascript binary is a command-line utility included in macOS that allows users to run AppleScript and Open Scripting Architecture (OSA) scripts or commands. AppleScript is a scripting language that is designed for power users to automate various tasks, application actions, and to interact with the operating system.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/osascript/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d0705917-3ce9-46a9-bea9-47a72e3d9ead", "created": "2023-05-15T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465413Z", "name": "lsregister", "description": "lsregister is used to build, dump, and check the validity of the Launch Services database. This database is often abused to create custom URL scheme handlers that point to malicious apps.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/lsregister/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--cb414305-9a9f-4e3d-a339-05960376cb7d", "created": "2023-04-20T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465495Z", "name": "sysctl", "description": "Gets the macOS hardware information, which can be used to determine whether the target macOS host is running on a physical or virtual machine.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/sysctl/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--cdfcbfba-8f31-4147-8db0-d562fb32f2fb", "created": "2024-11-19T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465576Z", "name": "sysadminctl", "description": "sysadminctl can administer system user accounts. sysadminctl can be used to change user passwords, create new \nusers (including automatically provisioning the user home folder) or to check the status of a user's SecureToken.\n", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/sysadminctl/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b4bfa769-a67c-45a5-909f-97438241b957", "created": "2023-05-29T00:00:00.000Z", "modified": "2025-06-22T16:00:24.46569Z", "name": "mdls", "description": "mdls list file metadata across standard metadata (creation date, size), extended attribute (quarantine), and Spotlight APIs (Finder flags).", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/mdls/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--99c344af-f83f-4c6c-8a53-38bd67573ed4", "created": "2023-05-04T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465769Z", "name": "ditto", "description": "ditto is a command line utility that is commonly used to copy files and directories while preserving file attributes and permissions. The tool can be used by malicious actors to collect and exfiltrate sensitive data, move laterally, and/or perform DLL hijacking or binary replacement attacks.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/ditto/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b0bb330e-2048-4c3d-864f-c2f6beaa8d2e", "created": "2023-05-23T00:00:00.000Z", "modified": "2025-06-22T16:00:24.46585Z", "name": "spctl", "description": "Manage the security assessment policy subsystem, Gatekeeper settings, and control which apps are allowed to run on the system.", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/spctl/" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c6f3bb8c-fbf2-4154-a29a-3dc20c9e2f05", "created": "2023-05-14T00:00:00.000Z", "modified": "2025-06-22T16:00:24.465936Z", "name": "csrutil", "description": "Used to enable/disable SIP, configure netboot and authenticated-root settings", "labels": [ "living-off-the-land", "loobins" ], "external_references": [ { "source_name": "LOOBins", "description": "Living off the Orchard: macOS binaries.", "url": "https://www.loobins.io/binaries/csrutil/" } ] } ] }