defaults
Created by Brendan Chamberlain (@infosecB)
Description
The defaults binary is normally used to interact with the user defaults system, a macOS database that manages system and application settings much like the Windows Registry. Threat actors can abuse this database to change settings in an attempt to evade defenses or to gain persistence.
| Created | Tactics | Tags |
|---|---|---|
| 2023-05-24 | Defense Evasion, Discovery, Persistence | gatekeeper, firewall |
Paths
/usr/bin/defaults
Use Cases
Disable Gatekeeper’s auto rearm functionality
The following command can be used to disable Gatekeeper's auto-rearm functionality. This command requires root privileges.
sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO
Show mounted servers
Reads the Finder preference that controls whether mounted servers are shown on the desktop.
defaults read com.apple.finder "ShowMountedServersOnDesktop"
Add a login item to the current user
An attacker can use defaults to add a login hook in an attempt to gain persistence. This command requires root privileges.
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginHook gain_persistence.sh
Get Active Directory user info from Jamf Connect
Retrieve Active Directory user info from the Jamf Connect state stored in the defaults system.
defaults read com.jamf.connect.state
Enable Firewall
Enables the built-in macOS application firewall. This command requires root privileges.
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
Disable Firewall
Disables the built-in macOS application firewall. This command requires root privileges.
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0
Detections
- No detections at time of publishing