T1548.006 TCC Manipulation Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1548.006 — TCC Database Manipulation detection (macOS)
// Requires macOS endpoints in Defender for Endpoint
// Part 1: Detect writes to TCC database files
let TCCDBWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ ("TCC.db", "com.apple.TCC.db")
    or FolderPath has_any ("/Library/Application Support/com.apple.TCC/",
                           "/Users/", "/private/var/")
        and (FileName endswith ".db" and FolderPath has "TCC")
| where ActionType in ("FileModified", "FileCreated")
| where InitiatingProcessFileName !in~ ("tccd", "syspolicyd", "mdmclient",
                                         "System Preferences", "SystemPreferences")
| extend DetectionType = "TCC_Database_Modified"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect sqlite3 accessing TCC database
let TCCSQLite = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sqlite3"
| where ProcessCommandLine has_any ("TCC.db", "com.apple.TCC", "kTCCService")
| extend DetectionType = "TCC_SQLite_Direct_Access"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect process injection into TCC-privileged processes
let TCCProcessInject = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("Finder", "Terminal", "Preview",
                                        "Safari", "Mail", "Calendar")
| where FileName in~ ("python", "python3", "perl", "ruby", "bash", "sh",
                      "osascript", "curl", "nc")
| where InitiatingProcessCommandLine !has ProcessCommandLine // Spawn not from parent's expected cmds
| extend DetectionType = "TCC_Privileged_Process_Spawn"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
union TCCDBWrite, TCCSQLite, TCCProcessInject
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Modification Process: Process Creation Microsoft Defender for Endpoint (macOS)

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

System software updates that legitimately modify TCC database during migration
MDM enrollment processes modifying TCC settings via configuration profiles
tccd daemon (the TCC daemon) accessing its own database during normal operation
Privacy Reset operations during macOS upgrade or system migration

Splunk

spl

index=mac_logs (sourcetype="macos:unified_log" OR sourcetype="macos:syslog" OR sourcetype="syslog")
| eval detection_type=case(
    match(_raw, "(?i)(TCC\.db|com\.apple\.TCC)") AND
      match(_raw, "(?i)(write|modify|open|sqlite)") AND
      NOT match(_raw, "(?i)(tccd|syspolicyd|mdmclient)"),
      "TCC_DB_Unauthorized_Access",
    match(_raw, "(?i)sqlite3") AND match(_raw, "(?i)(TCC\.db|kTCCService)"),
      "TCC_SQLite_Access",
    match(_raw, "(?i)(tccd|TCC)") AND
      match(_raw, "(?i)(kTCCServiceFullDiskAccess|kTCCServiceScreenCapture|kTCCServiceCamera)") AND
      NOT match(_raw, "(?i)(allowed|deny|user_approved)"),
      "TCC_Service_Modification",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, user, detection_type, _raw
| sort - _time

high severity low confidence

Data Sources

File: File Modification Process: Process Creation macOS Unified Log

Required Sourcetypes

macos:unified_log macos:syslog syslog

False Positives

System updates legitimately migrating TCC database
MDM profile deployments modifying TCC entries via mdmclient
Privacy Reset operations during macOS upgrades

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [file where event.action in ("creation", "overwrite", "modification") and
   (file.name in ("TCC.db", "com.apple.TCC.db") or
    (file.path like "/*/com.apple.TCC/*" and file.extension == "db")) and
   not process.name in ("tccd", "syspolicyd", "mdmclient", "System Preferences", "SystemPreferences")]
  [process where event.type == "start" and
   process.name == "sqlite3" and
   process.args : ("*TCC.db*", "*com.apple.TCC*", "*kTCCService*")]
until [process where process.name == "tccd"]
|
union
  (file where event.action in ("creation", "overwrite", "modification") and
   (file.name in ("TCC.db", "com.apple.TCC.db") or
    (file.path like "/*/com.apple.TCC/*" and file.extension == "db")) and
   not process.name in ("tccd", "syspolicyd", "mdmclient", "System Preferences", "SystemPreferences")),
  (process where event.type == "start" and
   process.name == "sqlite3" and
   process.args : ("*TCC.db*", "*com.apple.TCC*", "*kTCCService*")),
  (process where event.type == "start" and
   process.parent.name in ("Finder", "Terminal", "Preview", "Safari", "Mail", "Calendar") and
   process.name in ("python", "python3", "perl", "ruby", "bash", "sh", "osascript", "curl", "nc"))

high severity medium confidence

Data Sources

Elastic Endpoint Security (macOS) Elastic Agent macOS auditd logs

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Legitimate MDM/EMM solutions (Jamf, Mosyle, Kandji) that modify TCC configurations during device enrollment or policy deployment
macOS system updates or major OS upgrades that rebuild TCC databases as part of the migration process
Enterprise IT scripts using sqlite3 to audit or back up TCC permission state for compliance reporting

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "devicehostname" AS hostname,
  QIDNAME(qid) AS event_name,
  "Command" AS process_cmdline,
  "ParentProcessName" AS parent_process,
  CASE
    WHEN (LOWER("Message") ILIKE '%tcc.db%' OR LOWER("Message") ILIKE '%com.apple.tcc%')
     AND (LOWER("Message") ILIKE '%write%' OR LOWER("Message") ILIKE '%modify%' OR LOWER("Message") ILIKE '%open%')
     AND LOWER("Message") NOT ILIKE '%tccd%'
     AND LOWER("Message") NOT ILIKE '%syspolicyd%'
     AND LOWER("Message") NOT ILIKE '%mdmclient%'
    THEN 'TCC_DB_Unauthorized_Write'
    WHEN LOWER("ProcessPath") ILIKE '%sqlite3%'
     AND (LOWER("Command") ILIKE '%tcc.db%' OR LOWER("Command") ILIKE '%ktccservice%')
    THEN 'TCC_SQLite_Direct_Access'
    WHEN LOWER("Message") ILIKE '%ktccservicefulldiskaccess%'
     OR LOWER("Message") ILIKE '%ktccservicescreencapture%'
     OR LOWER("Message") ILIKE '%ktccservicecamera%'
    THEN 'TCC_Service_Permission_Change'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apple Mac OS X Logs', 'Universal DSM')
  AND starttime > NOW() - 86400000
  AND (
    (LOWER("Message") ILIKE '%tcc.db%' OR LOWER("Message") ILIKE '%com.apple.tcc%')
    OR (LOWER("ProcessPath") ILIKE '%sqlite3%' AND LOWER("Command") ILIKE '%tcc%')
    OR LOWER("Message") ILIKE '%ktccservicefulldiskaccess%'
    OR LOWER("Message") ILIKE '%ktccservicescreencapture%'
  )
  AND LOWER("Message") NOT ILIKE '%tccd%'
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Apple macOS Unified Log via QRadar Universal DSM macOS endpoint syslog forwarded to QRadar

Required Tables

events

False Positives

Corporate MDM solutions performing bulk TCC policy deployment may generate TCC_DB_Unauthorized_Write alerts if the MDM client process name is not in the exclusion list
macOS App Store updates can trigger TCC permission re-evaluation that generates TCC_Service_Permission_Change events
Legitimate database administration tools performing authorized TCC audits will match the TCC_SQLite_Direct_Access pattern

Sumo Logic CSE

sql

_sourceCategory=macos* OR _sourceCategory=endpoint/mac*
| where !(_raw matches /(?i)(tccd|syspolicyd|mdmclient)/)
| parse regex field=_raw "(?P<process_name>[\w\.\-]+)\[(?P<pid>\d+)\]" nodrop
| parse regex field=_raw "(?P<file_path>/[\w/\.\-]+TCC[\w/\.\-]*\.db)" nodrop
| parse regex field=_raw "(?P<command_line>sqlite3[^\n]+)" nodrop
| eval detection_type = if(
    _raw matches /(?i)(TCC\.db|com\.apple\.TCC)/ &&
    _raw matches /(?i)(write|modify|created|open)/ &&
    !(_raw matches /(?i)(tccd|syspolicyd|mdmclient)/),
    "TCC_DB_Unauthorized_Access",
  if(
    _raw matches /(?i)sqlite3/ &&
    _raw matches /(?i)(TCC\.db|kTCCService)/,
    "TCC_SQLite_Direct_Access",
  if(
    _raw matches /(?i)(kTCCServiceFullDiskAccess|kTCCServiceScreenCapture|kTCCServiceCamera|kTCCServiceMicrophone)/ &&
    !(_raw matches /(?i)(allowed|user_approved|deny)/),
    "TCC_Service_Permission_Change",
  null()
  )))
| where !isNull(detection_type)
| withtime _messageTime
| timeslice 1h
| count by _timeslice, _sourceHost, _sourceCategory, detection_type, process_name, file_path
| sort by _timeslice desc

high severity medium confidence

Data Sources

macOS Unified Log (log stream output forwarded to Sumo Logic) macOS syslog via Sumo Logic Installed Collector

Required Tables

macOS endpoint log sources with _sourceCategory matching macos or endpoint/mac

False Positives

Legitimate privacy preference change requests initiated by users in System Preferences will generate TCC_Service_Permission_Change events
Security products (EDR/AV) that enumerate TCC permissions for compliance checking may match the sqlite3 access pattern
macOS Migration Assistant during user profile transfers reads and writes TCC databases as part of the data migration process

Google Chronicle / SecOps

yaral

rule tcc_manipulation_detection {
  meta:
    author = "Argus Detection Platform"
    description = "Detects macOS TCC database manipulation — T1548.006. Covers unauthorized TCC.db writes, sqlite3 direct access to TCC databases, and suspicious spawning from TCC-privileged processes."
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548.006"
    severity = "HIGH"
    confidence = "MEDIUM"
    platforms = "macOS"
    version = "1.0"

  events:
    (
      // Branch 1: Unauthorized write to TCC database
      $e1.metadata.event_type = "FILE_MODIFICATION"
      and (
        re.regex($e1.target.file.full_path, `/Library/Application Support/com\.apple\.TCC/TCC\.db`)
        or re.regex($e1.target.file.full_path, `/private/var/.*com\.apple\.TCC.*\.db`)
      )
      and not re.regex($e1.principal.process.file.full_path, `/(tccd|syspolicyd|mdmclient|SystemPreferences)$`)
      and $e1.metadata.vendor_name = "APPLE"
    )
    or
    (
      // Branch 2: sqlite3 direct TCC database access
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `/sqlite3$`)
      and (
        re.regex($e1.target.process.command_line, `TCC\.db`)
        or re.regex($e1.target.process.command_line, `com\.apple\.TCC`)
        or re.regex($e1.target.process.command_line, `kTCCService`)
      )
    )
    or
    (
      // Branch 3: Suspicious child spawn from TCC-privileged app
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `/(Finder|Terminal|Preview|Safari|Mail|Calendar)\.app/`)
      and re.regex($e1.target.process.file.full_path, `/(python3?|perl|ruby|bash|sh|osascript|curl|nc)$`)
    )

  condition:
    $e1
}

high severity medium confidence

Data Sources

Chronicle UDM events from macOS endpoints via Chronicle Forwarder or Google Security Operations agent

Required Tables

UDM events: FILE_MODIFICATION, PROCESS_LAUNCH from macOS endpoint telemetry

False Positives

Enterprise MDM platforms (Jamf Pro, Workspace ONE) that push TCC privacy preference policy payloads will modify TCC.db during policy application — scope exclusions by MDM process names
Developer workflows involving Xcode or iOS simulator that legitimately use sqlite3 to inspect application permission states during testing
AppleScript automation via osascript launched from Finder for legitimate user-created automations or third-party app launchers

CrowdStrike LogScale (CQL)

cql

// T1548.006 — TCC Manipulation Detection
// Branch 1: TCC Database unauthorized file writes
#event_simpleName=FileOpenInfo OR #event_simpleName=WriteProcessMemory
| TargetFileName = /TCC\.db|com\.apple\.TCC/i
| ImageFileName != /\/tccd$|\/syspolicyd$|\/mdmclient$|\/System Preferences\.app/i
| table([_time, ComputerName, UserName, ImageFileName, TargetFileName, CommandLine])
| rename(field="ImageFileName", as="process_path")
| rename(field="TargetFileName", as="tcc_file")
| rename(field="CommandLine", as="cmdline")
| eval detection_type="TCC_DB_Unauthorized_Write"

// Branch 2: sqlite3 accessing TCC databases
| union [
#event_simpleName=ProcessRollup2
| ImageFileName = /\/sqlite3$/i
| CommandLine = /TCC\.db|com\.apple\.TCC|kTCCService/i
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])
| rename(field="ImageFileName", as="process_path")
| rename(field="CommandLine", as="cmdline")
| eval detection_type="TCC_SQLite_Direct_Access"
]

// Branch 3: Suspicious child process from TCC-privileged apps
| union [
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(Finder|Terminal|Preview|Safari|Mail|Calendar)$/i
| ImageFileName = /\/(python3?|perl|ruby|bash|sh|osascript|curl|nc)$/i
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentProcessId, TargetProcessId])
| rename(field="ImageFileName", as="process_path")
| rename(field="CommandLine", as="cmdline")
| eval detection_type="TCC_Privileged_Process_Spawn"
]

| groupBy([ComputerName, UserName, detection_type, process_path, cmdline], function=count(as=event_count))
| sort(field=event_count, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor macOS endpoint telemetry Falcon FileVantage for file event monitoring

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=FileOpenInfo #event_simpleName=WriteProcessMemory

False Positives

Legitimate macOS system administrators using sqlite3 via Terminal to audit TCC permission state — consider contextual baselining by user account and time-of-day
Third-party privacy management tools (e.g., Privacy Cleaner, TCC permission managers from the App Store) that query and display TCC permissions to end users
Automated build and CI systems using macOS agents where test harnesses reset application permissions between test runs using sqlite3 commands

TCC Manipulation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections