Title
#macos
a

allister

08/24/2020, 2:13 AM
it's in
mdls
info, likewise if you have santa it can give you the same info (although it would only get logged/scraped when it's an executable being launched, not unpacked from another artifact)
m

MaxosxOsquery

08/24/2020, 8:38 AM
Agree, quick note both mdls and extended_attributes table will not show the origin url if you use incognito/private mode to download the file
a

allister

08/24/2020, 12:06 PM
yup, it's circumventable a bunch of ways, for a while it was opt-in by e.g. chat clients and browsers for if they would implement applying the quarantine attribute, etc.