defaults.exe

  • File Path: C:\program files (x86)\Common Files\Apple\Apple Application Support\defaults.exe
  • Description: defaults

Hashes

Type Hash
MD5 0819315FB22BB3822910C04A98C5DF3C
SHA1 0AD18D9D8C62197363D360C2A968105555FFA031
SHA256 D665A7C8AD3694E98EB8427473227C33EDD0C8A9D76720C8E95895FE4E08407C
SHA384 422E5E4CF58A5CC9476157FBF8A49C7EF3F9F4772C3785727099F55441504FAD412C717ABFB410EF06D1508107545270
SHA512 B59EF0F6AC1BD9968EA03890C5FDEE34ACE4B9BB029A371A853C9F2A9D3F332368DAFE1DA68F05AC64070EA32EA3944D90C2E1296B2F530BA1E88935F1A32EDA
SSDEEP 768:/smkzxEFknEej9a7sMtodSnx/objqvp4wa0pt3hxQ:/smkzekpjUZtNgqB4wa0pt3hxQ

Runtime Data

Usage (stdout):

Command line interface to a user's defaults.
Syntax:

'defaults' [-currentHost | -host <hostname>] followed by one of the following:

  read                                 shows all defaults
  read <domain>                        shows defaults for given domain
  read <domain> <key>                  shows defaults for given domain, key

  read-type <domain> <key>             shows the type for the given domain, key

  write <domain> <domain_rep>          writes domain (overwrites existing)
  write <domain> <key> <value>         writes key for domain

  rename <domain> <old_key> <new_key>  renames old_key to new_key

  delete <domain>                      deletes domain
  delete <domain> <key>                deletes key in domain

  domains                              lists all domains
  find <word>                          lists all entries containing word
  help                                 print this help

<domain> is ( <domain_name> | -app <application_name> | -globalDomain )
         or a path to a file omitting the '.plist' extension

<value> is one of:
  <value_rep>
  -string <string_value>
  -data <hex_digits>
  -int[eger] <integer_value>
  -float  <floating-point_value>
  -bool[ean] (true | false | yes | no)
  -date <date_rep>
  -array <value1> <value2> ...
  -array-add <value1> <value2> ...
  -dict <key1> <value1> <key2> <value2> ...
  -dict-add <key1> <value1> ...

Loaded Modules:

Path
C:\program files (x86)\Common Files\Apple\Apple Application Support\defaults.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 4EF16586A2FF12D69C556EC4C91BAEE1
  • Thumbprint: 634A0D892E72161714861C178015AFE9C1832E14
  • Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  • Subject: CN=Apple Inc., O=Apple Inc., L=Cupertino, S=California, C=US

File Metadata

  • Original Filename: defaults.exe
  • Product Name: defaults
  • Company Name: Apple Inc.
  • File Version: 1,950,522,0
  • Product Version: 1,950,522,0
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2007-2011, Apple Inc.

Possible Misuse

The following table contains possible examples of defaults.exe being misused. While defaults.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_macos_system_network_discovery.yml Image: '/usr/bin/defaults' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' DRL 1.0
malware-ioc oceanlotus-macOS.misp.event.json "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir \/a<\/code> for Windows and <code>ls \u2013a<\/code> for Linux and macOS).\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.\n\n### Windows\n\nUsers can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename<\/code> to mark a file or folder as hidden. Similarly, the \u201c+s\u201d marks a file as a system file and the \u201c+r\u201d flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively \u201c\/S\u201d.\n\n### Linux\/Mac\n\nUsers can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES<\/code>, and then relaunch the Finder Application.\n\n### Mac\n\nFiles on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker).\nMany applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.", © ESET 2014-2018
atomic-red-team T1016.md Using defaults, additional arguments can be added to see filtered details, such as globalstate for global configuration ("Is it on or off?"), firewall for common application allow rules, and explicitauths for specific rules configured by the user. MIT License. © 2018 Red Canary
atomic-red-team T1016.md sudo defaults read /Library/Preferences/com.apple.alf MIT License. © 2018 Red Canary
atomic-red-team T1037.002.md sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh MIT License. © 2018 Red Canary
atomic-red-team T1037.002.md defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh MIT License. © 2018 Red Canary
atomic-red-team T1047.md | node | Computer the action is being executed against but defaults to the localhost. | string | 127.0.0.1| MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md | obfuscated_code | Defaults to: Invoke-Expression with a “Write-Host” line. | String | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==| MIT License. © 2018 Red Canary
atomic-red-team T1543.002.md if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i ‘ID=”centos”’) ]; then chkconfig T1543.002 on ; else echo “Please run this test on Ubnutu , kali OR centos” ; fi ; MIT License. © 2018 Red Canary
atomic-red-team T1547.007.md Mac Defaults MIT License. © 2018 Red Canary
atomic-red-team T1547.007.md sudo defaults write com.apple.loginwindow LoginHook #{script} MIT License. © 2018 Red Canary
atomic-red-team T1547.007.md sudo defaults delete com.apple.loginwindow LoginHook MIT License. © 2018 Red Canary
atomic-red-team T1548.003.md In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1548.003.md sudo sh -c “echo Defaults “’!’“tty_tickets » /etc/sudoers” MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md defaults write com.apple.finder AppleShowAllFiles YES MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md defaults write com.apple.finder AppleShowAllFiles NO MIT License. © 2018 Red Canary
signature-base apt_eqgrp.yar $x5 = “-p DEST_PORT, –dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s2 = “You may enter between 1 and 6 ports to change the defaults.” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s0 = “port - Port to listen on, defaults to 2323” fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “action=mysqlread&mass=loadmass">load all defaults” CC BY-NC 4.0
stockpile 10fad81e-3f68-47be-83b6-fbee7711c6a9.yml defaults to the current user's Recycle Bin (Windows) and /tmp (Linux). Payload files include default values for all Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.