T1548.006 Google Chronicle · YARA-L

Detect TCC Manipulation in Google Chronicle

Adversaries manipulate or abuse macOS Transparency, Consent, and Control (TCC) to run malicious code with permissions the user never granted. TCC gates access to the camera, microphone, Full Disk Access, Screen Recording, Accessibility and other protected resources; grants are stored in a SQLite database (the system-wide /Library/Application Support/com.apple.TCC/TCC.db and a per-user copy under ~/Library/Application Support/com.apple.TCC/) that the tccd daemon consults before deciding whether to prompt the user. Abuse takes several forms: writing to the TCC database directly, executing under or injecting into a process that already holds TCC grants (Finder, for example, has Full Disk Access by default, so an AppleScript it runs inherits that access), enumerating which applications already hold grants and hijacking one of them, or pushing a Privacy Preferences Policy Control (PPPC) payload through an MDM configuration profile. Phil Stokes has documented multiple TCC bypass techniques used by macOS malware.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1548 Abuse Elevation Control Mechanism
Sub-technique
T1548.006 TCC Manipulation
Canonical reference
https://attack.mitre.org/techniques/T1548/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule tcc_manipulation_detection {
  meta:
    author = "Argus Detection Platform"
    description = "Detects macOS TCC database manipulation (T1548.006): TCC.db writes by non-system processes, sqlite3 invoked against a TCC database, and interpreter or shell spawns from applications that commonly hold TCC grants."
    mitre_attack_tactic = "Privilege Escalation, Defense Evasion"
    mitre_attack_technique = "T1548.006"
    severity = "HIGH"
    confidence = "MEDIUM"
    platforms = "macOS"
    version = "1.0"

  events:
    (
      // Branch 1: write to a TCC database by a process other than the system
      // components that legitimately maintain it. The path regex is macOS-specific,
      // so no platform or vendor filter is needed: metadata.vendor_name identifies
      // the log source (the EDR or forwarder), not the endpoint OS, and filtering on
      // it would silently drop events from third-party agents. Matching is
      // unanchored, so the SQLite side files TCC.db-wal and TCC.db-journal match too.
      $e1.metadata.event_type = "FILE_MODIFICATION"
      and (
        re.regex($e1.target.file.full_path, `/Library/Application Support/com\.apple\.TCC/TCC\.db`)
        or re.regex($e1.target.file.full_path, `/private/var/.*com\.apple\.TCC.*\.db`)
      )
      // System Preferences became System Settings in macOS 13; both names are excluded.
      and not re.regex($e1.principal.process.file.full_path, `/(tccd|syspolicyd|mdmclient|SystemPreferences|System Settings)$`)
    )
    or
    (
      // Branch 2: sqlite3 launched with a TCC database path or a TCC service name
      // on the command line. This catches reads as well as writes; reads are
      // reconnaissance, not manipulation, so triage the SQL before escalating.
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `/sqlite3$`)
      and (
        re.regex($e1.target.process.command_line, `TCC\.db`)
        or re.regex($e1.target.process.command_line, `com\.apple\.TCC`)
        or re.regex($e1.target.process.command_line, `kTCCService`)
      )
    )
    or
    (
      // Branch 3: interpreter, shell or network tool spawned by an application that
      // commonly holds TCC grants (Finder has Full Disk Access by default; Terminal is
      // frequently granted it). Any shell script run from Terminal will match, so this
      // branch needs the most tuning. zsh, the default login shell since macOS Catalina,
      // is deliberately absent from the child list to avoid firing on every new tab.
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `/(Finder|Terminal|Preview|Safari|Mail|Calendar)\.app/`)
      and re.regex($e1.target.process.file.full_path, `/(python3?|perl|ruby|bash|sh|osascript|curl|nc)$`)
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule that detects macOS TCC database manipulation through three vectors: a write to a TCC.db file (or its -wal/-journal side files) by a process other than tccd, syspolicyd, mdmclient or the system preferences UI; sqlite3 launched with a TCC database path or a kTCCService name on its command line; and an interpreter, shell or network tool spawned by an application that commonly holds TCC grants, which may indicate code executing under that application's permissions (process injection or entitlement hijacking). Each branch fires on a single event, so the rule needs no match window.
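To check the branch logic without a Chronicle tenant, the following script re-implements the three branches of the rule in Python and runs them over constructed UDM-style events. It is an added example, not code from the original page and not part of Chronicle or of the Argus platform; the field paths mirror UDM (metadata.event_type, principal.process.file.full_path, target.file.full_path, target.process.command_line), every event is made up, and the log-source vendor predicate is deliberately not emulated because metadata.vendor_name depends on which agent feeds Chronicle rather than on the endpoint OS. The sample set covers the three tests from the testing methodology below plus a benign MDM write, a noisy Terminal shell spawn, and the zsh gap.

```python
"""
Offline emulation of the tcc_manipulation_detection rule.

Added example (not the page's or Chronicle's code). Re-implements the rule's three
event branches over constructed UDM-style events so the matching logic and its
gaps can be exercised locally. All events below are made up for this example.
"""
import re

# Branch 1: TCC database paths (unanchored search, so TCC.db-wal / -journal match too)
TCC_DB_PATH = re.compile(
    r"/Library/Application Support/com\.apple\.TCC/TCC\.db"
    r"|/private/var/.*com\.apple\.TCC.*\.db"
)
# Branch 1: system components allowed to write the database
SYSTEM_WRITERS = re.compile(r"/(tccd|syspolicyd|mdmclient|SystemPreferences)$")
# Branch 2: sqlite3 invoked with a TCC database or TCC service name on the command line
SQLITE3_BIN = re.compile(r"/sqlite3$")
TCC_CMDLINE = re.compile(r"TCC\.db|com\.apple\.TCC|kTCCService")
# Branch 3: interpreter or network tool spawned by an app that usually holds TCC grants
TCC_PRIVILEGED_APPS = re.compile(r"/(Finder|Terminal|Preview|Safari|Mail|Calendar)\.app/")
INTERPRETERS = re.compile(r"/(python3?|perl|ruby|bash|sh|osascript|curl|nc)$")


def field(event, dotted_path):
    """Look up a dotted UDM path in a nested dict; missing fields read as ''."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return ""
        node = node[key]
    return node if isinstance(node, str) else ""


def matched_branch(event):
    """Return 1, 2 or 3 for the first rule branch the event satisfies, else None."""
    event_type = field(event, "metadata.event_type")
    if event_type == "FILE_MODIFICATION":
        path = field(event, "target.file.full_path")
        writer = field(event, "principal.process.file.full_path")
        if TCC_DB_PATH.search(path) and not SYSTEM_WRITERS.search(writer):
            return 1
    elif event_type == "PROCESS_LAUNCH":
        child = field(event, "target.process.file.full_path")
        parent = field(event, "principal.process.file.full_path")
        cmdline = field(event, "target.process.command_line")
        if SQLITE3_BIN.search(child) and TCC_CMDLINE.search(cmdline):
            return 2
        if TCC_PRIVILEGED_APPS.search(parent) and INTERPRETERS.search(child):
            return 3
    return None


def evaluate(events):
    """Map each event id to the branch it triggers (None = the rule does not fire)."""
    return {e["id"]: matched_branch(e) for e in events}


def launch(event_id, parent, child, cmdline):
    """Build a constructed PROCESS_LAUNCH event."""
    return {"id": event_id, "metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"process": {"file": {"full_path": parent}}},
            "target": {"process": {"file": {"full_path": child}, "command_line": cmdline}}}


def file_mod(event_id, writer, path):
    """Build a constructed FILE_MODIFICATION event."""
    return {"id": event_id, "metadata": {"event_type": "FILE_MODIFICATION"},
            "principal": {"process": {"file": {"full_path": writer}}},
            "target": {"file": {"full_path": path}}}


TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
USER_TCC = "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"

# Constructed events: the three tests from the testing section plus benign and noisy cases.
SAMPLE_EVENTS = [
    # Test 1: read the per-user TCC database with sqlite3
    launch("t1-read", TERMINAL, "/usr/bin/sqlite3",
           f'sqlite3 "{USER_TCC}" "SELECT client, service, auth_value FROM access"'),
    # Test 2: attempt a direct write granting Full Disk Access
    launch("t2-write", TERMINAL, "/usr/bin/sqlite3",
           f'sqlite3 "{USER_TCC}" "UPDATE access SET auth_value = 2 '
           "WHERE service = 'kTCCServiceSystemPolicyAllFiles'\""),
    # Test 2, if the write succeeds: SQLite touches the write-ahead log
    file_mod("t2-wal", "/usr/bin/sqlite3", USER_TCC + "-wal"),
    # Test 3: tccutil reset is not an sqlite3 launch, so the rule stays silent
    launch("t3-tccutil", TERMINAL, "/usr/bin/tccutil", "tccutil reset All com.example.app"),
    # Benign: the MDM client applying a PPPC profile is excluded from branch 1
    file_mod("mdm-pppc", "/usr/libexec/mdmclient",
             "/Library/Application Support/com.apple.TCC/TCC.db-wal"),
    # Branch 3: osascript spawned under Finder runs with Finder's Full Disk Access
    launch("finder-osa", FINDER, "/usr/bin/osascript", "osascript /tmp/payload.scpt"),
    # Noise: any shell script run from Terminal also trips branch 3
    launch("term-sh", TERMINAL, "/bin/sh", "sh ./build.sh"),
    # Gap: the default login shell zsh is not in the interpreter list
    launch("term-zsh", TERMINAL, "/bin/zsh", "-zsh"),
]

if __name__ == "__main__":
    for event_id, branch in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id:12s} -> {'branch ' + str(branch) if branch else 'no match'}")
```

Running it shows the two sqlite3 launches and the WAL write firing, the mdmclient write and the tccutil reset staying silent, and the Terminal shell spawn firing alongside the Finder osascript case; that last pair is the tuning problem with branch 3, and the tccutil case is the coverage gap to keep in mind when reading the test expectations below.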

Data Sources

Chronicle UDM events from macOS endpoint telemetry (an EDR or endpoint security agent that records file modifications and process launches with command lines), ingested through the Chronicle Forwarder or an ingestion feed and normalized to UDM.

Required Tables

UDM events: FILE_MODIFICATION (target.file.full_path, principal.process.file.full_path) and PROCESS_LAUNCH (principal.process.file.full_path, target.process.file.full_path, target.process.command_line) from macOS endpoint telemetry. Branch 2 depends on command-line capture; without it only the bare sqlite3 launch is visible and that branch never fires.

False Positives & Tuning

  • Enterprise MDM platforms (Jamf Pro, Workspace ONE) that push Privacy Preferences Policy Control payloads update TCC.db during profile application. The rule already excludes mdmclient; if your MDM agent writes through another binary, add its path to the branch 1 exclusion
  • Developer workflows that use sqlite3 to pre-grant permissions in an iOS simulator's own TCC.db (under ~/Library/Developer/CoreSimulator/) match branch 2. Scope an exclusion on the simulator device path rather than on sqlite3 itself
  • AppleScript automation via osascript launched from Finder by user-created automations or third-party app launchers matches branch 3. Baseline the script paths in use before suppressing
  • Any bash or sh script run from Terminal.app matches branch 3, since Terminal is in the parent list. Expect this to be the noisiest branch on developer and admin endpoints; narrow it by parent application or by command-line content, and remember that zsh (the default login shell) is not in the child list
  • Branch 2 also fires on read-only queries of TCC.db, which are reconnaissance rather than manipulation. Use the SQL in the command line (SELECT versus INSERT, UPDATE or DELETE) to set the triage priority

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each lists the behaviour to exercise and the telemetry you should expect to see, together with which branch of the rule is expected to fire.

  1. Test 1: Read TCC Database Contents

    Expected signal: a PROCESS_LAUNCH event for sqlite3 with the TCC.db path on its command line (branch 2). In the macOS Unified Log, tccd may also record the access attempt. Reading the per-user database requires that the invoking terminal hold Full Disk Access; the system database is additionally protected by SIP.

  2. Test 2: Attempt Direct TCC Database Modification

    Expected signal: a PROCESS_LAUNCH event for sqlite3 with TCC.db and an INSERT, UPDATE or DELETE on its command line (branch 2). If the write succeeds, a FILE_MODIFICATION event on TCC.db or its -wal/-journal side file from a non-system process (branch 1). tccd may log the unauthorized modification attempt. On a protected system the write fails: SIP blocks changes to the system database, and the per-user database is only writable by a process that already holds Full Disk Access.

  3. Test 3: Check TCC Reset and Privacy Permissions

    Expected signal: tccutil process execution followed by sqlite3 read access to TCC.db. Only the sqlite3 read matches the rule (branch 2); tccutil is not covered by any branch, so a reset on its own produces no alert.

