defaults #

Created by Brendan Chamberlain (@infosecB)

Description ##

A full length description of the binary goes here.

Paths ##

• /usr/bin/defaults

Use Cases ##

Disable Gatekeeper’s auto rearm functionality ##

The following command can be used to disable Gatekeepers rearm functionality. This command requires root privileges.

sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO

Show mounted servers ##

Show all mounted servers on the desktop.

defaults read com.apple.finder "ShowMountedServersOnDesktop"

Add a login item to the current user ##

An attacker can use defaults to add a login hook in attempt to gain persistence. This command requires root privileges.

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginHook gain_persistence.sh

Detections ##

• No detections at time of publishing

Resources ##

• macOS defaults list: Uncomplete list of macOS defaults commands with demos

• Insistence on Persistence