defaults

Created by Brendan Chamberlain (@infosecB)

Description

The defaults binary is the command-line interface to the macOS user defaults system, the per-user and system-wide database of application and OS preferences that plays a role roughly comparable to the Windows Registry. Because many security-relevant settings live there, threat actors can abuse defaults to change them in an attempt to evade defenses, to discover information about the host, or to gain persistence.

Created: 2023-05-24
Tactics: Defense Evasion, Discovery, Persistence
Tags: gatekeeper

Paths

  • /usr/bin/defaults

Use Cases

Disable Gatekeeper's auto-rearm functionality

When Gatekeeper has been disabled (for example with spctl --master-disable), macOS re-enables it automatically after 30 days. Setting GKAutoRearm to NO in the system-wide com.apple.security domain stops that re-arming, so a disabled Gatekeeper stays disabled. Because the plist lives under /Library/Preferences, this command requires root privileges.

sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO

Show mounted servers

Read Finder's ShowMountedServersOnDesktop preference, which indicates whether mounted network volumes are displayed on the desktop. Note that the command returns the boolean value of the key (1 or 0), not a list of servers, and it fails with "does not exist" if the key has never been set for the current user.

defaults read com.apple.finder "ShowMountedServersOnDesktop"

Add a login hook for persistence

An attacker can use defaults to register a login hook: a script that loginwindow executes as root every time any user logs in, which makes it a system-wide persistence mechanism rather than a per-user login item. Login hooks have been deprecated since Mac OS X 10.4 but are still honored. The value should be the absolute path of an executable script. Because the plist lives under /Library/Preferences, this command requires root privileges.

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginHook gain_persistence.sh

Get Active Directory user info from Jamf Connect

Retrieve the cached identity-provider user information that Jamf Connect stores in its com.jamf.connect.state domain. The domain is owned by the logged-in user, so no elevation is needed to read it.

defaults read com.jamf.connect.state

Detections

  • No detections at time of publishing
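The page lists no detections, so the following is an added example (not part of LOOBins or of Jamf/Apple tooling) of the logic a detection engineer would run over process-execution telemetry to catch the Defense Evasion and Persistence use cases above. It flags `defaults write` against the GKAutoRearm key in com.apple.security and the LoginHook/LogoutHook keys in com.apple.loginwindow, normalising both bundle-id and file-path forms of the domain, skipping a leading `sudo`, and only alerting on GKAutoRearm when the value being written is false. The event format and sample command lines are constructed for the example.

```python
"""Flag abuse of /usr/bin/defaults against the preference keys discussed on
this page. Added example; the process events below are constructed, not real
telemetry."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Domain -> {lower-cased key: technique label}. Domains are compared after
# normalisation, so "com.apple.loginwindow" and
# "/Library/Preferences/com.apple.loginwindow.plist" hit the same rule.
WATCHED = {
    "com.apple.security": {
        "gkautorearm": "defense_evasion: Gatekeeper auto-rearm disabled",
    },
    "com.apple.loginwindow": {
        "loginhook": "persistence: login hook installed",
        "logouthook": "persistence: logout hook installed",
    },
}

# Spellings `defaults write ... -bool` accepts as false.
FALSE_VALUES = {"no", "false", "0"}


def normalise_domain(arg: str) -> str:
    """Reduce a domain argument to its bare bundle id: strip any directory
    prefix and a trailing .plist, then lower-case."""
    name = arg.rsplit("/", 1)[-1]
    if name.endswith(".plist"):
        name = name[: -len(".plist")]
    return name.lower()


@dataclass
class Hit:
    pid: int
    technique: str
    domain: str
    key: str
    value: Optional[str]


def inspect_command(cmdline: str) -> Optional[tuple]:
    """Return (domain, key, value) when cmdline is `defaults write <domain>
    <key> [-type] <value>` against a watched domain/key, else None.
    The `defaults write <domain> '<plist>'` form (no separate key) is not
    parsed here."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if len(argv) < 4:
        return None
    if argv[0].rsplit("/", 1)[-1] != "defaults" or argv[1] != "write":
        return None
    domain = normalise_domain(argv[2])
    key = argv[3].lower()
    rest = argv[4:]
    # A type flag such as -bool / -string / -int precedes the value.
    if rest and rest[0].startswith("-"):
        rest = rest[1:]
    value = rest[0] if rest else None
    if domain in WATCHED and key in WATCHED[domain]:
        return domain, key, value
    return None


def triage(events) -> list:
    """Run the rule over a list of {"pid": int, "cmdline": str} events."""
    hits = []
    for ev in events:
        found = inspect_command(ev["cmdline"])
        if not found:
            continue
        domain, key, value = found
        # Re-enabling auto-rearm is benign; only a false value is evasion.
        if key == "gkautorearm" and (value is None or value.lower() not in FALSE_VALUES):
            continue
        hits.append(Hit(ev["pid"], WATCHED[domain][key], domain, key, value))
    return hits


# Constructed sample events: two true positives, three benign commands.
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": "sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO"},
    {"pid": 102, "cmdline": "defaults read com.apple.finder ShowMountedServersOnDesktop"},
    {"pid": 103, "cmdline": "sudo /usr/bin/defaults write com.apple.loginwindow.plist LoginHook /tmp/gain_persistence.sh"},
    {"pid": 104, "cmdline": "defaults write com.apple.dock autohide -bool true"},
    {"pid": 105, "cmdline": "defaults write com.apple.security GKAutoRearm -bool YES"},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"pid={h.pid} {h.technique} ({h.domain} {h.key} = {h.value})")
```

In production the same rule should also watch the underlying plist files themselves, since an attacker can bypass the defaults binary entirely with PlistBuddy, plutil, or a direct file write; the command-line match above is the cheap first layer, not the only one.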

Resources