T1548.006 Elastic Security · Elastic

Detect TCC Manipulation in Elastic Security

Adversaries manipulate or abuse macOS Transparency, Consent, and Control (TCC) to grant malicious processes elevated permissions without user consent. TCC gates access to the camera, microphone, Full Disk Access, Screen Recording, and other sensitive resources. Techniques include directly modifying the TCC SQLite database, injecting into running processes that already hold TCC grants, enumerating the process list for TCC-entitled processes to hijack, and abusing MDM configuration profiles. Phil Stokes has documented multiple TCC bypass techniques used by macOS malware.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.006 TCC Manipulation
Canonical reference: https://attack.mitre.org/techniques/T1548/006/

Elastic Detection Query

Elastic Security (Elastic)
Query language: EQL

any where
  (
    // 1. TCC database written by something other than the system components that own it
    (event.category == "file" and event.action in ("creation", "overwrite", "modification") and
     (file.name in ("TCC.db", "com.apple.TCC.db") or
      (file.path like "/*/com.apple.TCC/*" and file.extension == "db")) and
     not process.name in ("tccd", "syspolicyd", "mdmclient", "System Preferences", "SystemPreferences"))

    or

    // 2. sqlite3 launched against a TCC database or a kTCCService key
    (event.category == "process" and event.type == "start" and
     process.name == "sqlite3" and
     process.args : ("*TCC.db*", "*com.apple.TCC*", "*kTCCService*"))

    or

    // 3. interpreter or network tool spawned by an application that typically holds TCC grants
    (event.category == "process" and event.type == "start" and
     process.parent.name in ("Finder", "Terminal", "Preview", "Safari", "Mail", "Calendar") and
     process.name in ("python", "python3", "perl", "ruby", "bash", "sh", "osascript", "curl", "nc"))
  )

Severity: high. Confidence: medium.

Detects macOS TCC database manipulation via unauthorized file writes to TCC.db, direct sqlite3 access to TCC databases, and suspicious child processes spawned by TCC-privileged applications. Covers three attack vectors: direct database modification, direct SQL manipulation of the TCC database through sqlite3, and hijacking of processes that already hold TCC grants.
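The three branches of the EQL rule above, as an added reference implementation that is not part of the original rule page or Elastic's code. It applies the same field names (ECS-style flat keys) and the same allow-lists to a handful of constructed sample events so the logic can be exercised offline; the sample events and the helper names (`evaluate`, `SAMPLE_EVENTS`) are assumptions made for illustration.

```python
"""Added example: reference implementation of the TCC-manipulation rule's three branches.
Not from the original page; field names follow ECS, sample events are constructed."""
from fnmatch import fnmatchcase

# Processes that legitimately write TCC databases (mirrors the rule's exclusion list).
TCC_OWNERS = {"tccd", "syspolicyd", "mdmclient", "System Preferences", "SystemPreferences"}
# Applications that commonly hold TCC grants and should not be spawning interpreters or network tools.
TCC_PRIVILEGED_PARENTS = {"Finder", "Terminal", "Preview", "Safari", "Mail", "Calendar"}
SUSPICIOUS_CHILDREN = {"python", "python3", "perl", "ruby", "bash", "sh", "osascript", "curl", "nc"}
TCC_ARG_PATTERNS = ("*TCC.db*", "*com.apple.TCC*", "*kTCCService*")


def is_tcc_db_write(ev):
    """Branch 1: a TCC.db file written by anything other than the system components that own it."""
    if ev.get("event.category") != "file":
        return False
    if ev.get("event.action") not in ("creation", "overwrite", "modification"):
        return False
    name, path, ext = ev.get("file.name", ""), ev.get("file.path", ""), ev.get("file.extension", "")
    # EQL `like` is a case-sensitive wildcard match; fnmatchcase reproduces that.
    target = name in ("TCC.db", "com.apple.TCC.db") or (fnmatchcase(path, "/*/com.apple.TCC/*") and ext == "db")
    return target and ev.get("process.name") not in TCC_OWNERS


def is_sqlite3_on_tcc(ev):
    """Branch 2: sqlite3 started with a TCC database path or a kTCCService key on its command line."""
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    if ev.get("process.name") != "sqlite3":
        return False
    # EQL `:` is a case-insensitive wildcard match, so both sides are lower-cased here.
    args = ev.get("process.args", [])
    return any(fnmatchcase(a.lower(), p.lower()) for a in args for p in TCC_ARG_PATTERNS)


def is_privileged_parent_spawn(ev):
    """Branch 3: a TCC-privileged application spawning an interpreter or network tool."""
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    return ev.get("process.parent.name") in TCC_PRIVILEGED_PARENTS and ev.get("process.name") in SUSPICIOUS_CHILDREN


BRANCHES = {
    "tcc_db_write": is_tcc_db_write,
    "sqlite3_tcc_access": is_sqlite3_on_tcc,
    "privileged_parent_spawn": is_privileged_parent_spawn,
}


def evaluate(events):
    """Return (event index, branch name) for every event that matches any branch of the rule."""
    hits = []
    for i, ev in enumerate(events):
        for name, check in BRANCHES.items():
            if check(ev):
                hits.append((i, name))
    return hits


# Constructed sample telemetry (not real data): one matching event per branch plus two benign events.
SAMPLE_EVENTS = [
    {"event.category": "file", "event.action": "modification", "file.name": "TCC.db",
     "file.path": "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db",
     "file.extension": "db", "process.name": "python3"},
    {"event.category": "file", "event.action": "modification", "file.name": "TCC.db",
     "file.path": "/Library/Application Support/com.apple.TCC/TCC.db",
     "file.extension": "db", "process.name": "tccd"},                          # benign: owning daemon
    {"event.category": "process", "event.type": "start", "process.name": "sqlite3",
     "process.args": ["sqlite3", "/Library/Application Support/com.apple.TCC/TCC.db", "select * from access"]},
    {"event.category": "process", "event.type": "start", "process.name": "sqlite3",
     "process.args": ["sqlite3", "/tmp/inventory.db", ".tables"]},            # benign: unrelated database
    {"event.category": "process", "event.type": "start", "process.name": "osascript",
     "process.parent.name": "Finder"},
]

if __name__ == "__main__":
    for idx, branch in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {branch}")
```

Branch 3 is the noisiest of the three in practice (Terminal spawning bash is routine), which is why the rule's confidence is medium; in a real deployment it is the branch most likely to need the parent-process list tuned per fleet.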

Data Sources

  • Elastic Endpoint Security (macOS)
  • Elastic Agent macOS auditd logs

Required Tables

  • logs-endpoint.events.file-*
  • logs-endpoint.events.process-*

False Positives & Tuning

  • Legitimate MDM/EMM solutions (Jamf, Mosyle, Kandji) that modify TCC configurations during device enrollment or policy deployment
  • macOS system updates or major OS upgrades that rebuild TCC databases as part of the migration process
  • Enterprise IT scripts using sqlite3 to audit or back up TCC permission state for compliance reporting
Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Read TCC Database Contents

    Expected signal: macOS Unified Log: sqlite3 accessing TCC.db. tccd may log the access attempt.

  2. Test 2: Attempt Direct TCC Database Modification

    Expected signal: macOS Unified Log: sqlite3 attempting a write to TCC.db. tccd may log the unauthorized modification attempt. On systems with SIP and Full Disk Access protections intact, the write fails.

  3. Test 3: Check TCC Reset and Privacy Permissions

    Expected signal: tccutil command execution. sqlite3 read access to TCC.db.
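Tests 1 and 3 both read the TCC database, and the tuning section above notes that enterprise IT scripts do the same thing for compliance reporting. The following is an added example, not from the original page, of what such a read-only audit looks like: it builds a throw-away SQLite file that mimics a subset of the real TCC.db `access` table and reports grants for sensitive services whose client is not in an expected baseline. The column subset, the meaning of `auth_value` (2 = allowed on macOS 11 and later), and every bundle id and path in the sample rows are assumptions drawn from public TCC research and constructed for illustration; the real table has more columns and older macOS versions use an `allowed` column instead.

```python
"""Added example: read-only audit of a TCC.db-shaped `access` table against a baseline.
Not from the original page. Schema subset, auth_value semantics and sample rows are assumptions."""
import os
import sqlite3
import tempfile

# Services whose grants matter most (kTCCService names as stored in TCC.db; assumed subset).
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceScreenCapture",         # Screen Recording
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
    "kTCCServiceAccessibility",
}
AUTH_ALLOWED = 2  # assumption: auth_value 2 means "allowed" (macOS 11+ schema)

# Constructed baseline of clients expected to hold each sensitive grant in this fleet.
SAMPLE_BASELINE = {
    "kTCCServiceSystemPolicyAllFiles": {"com.example.mdm.agent"},
    "kTCCServiceScreenCapture": {"com.example.remotesupport"},
}


def audit_tcc(db_path, baseline):
    """Return allowed grants for sensitive services whose client is outside the baseline.

    The database is opened read-only so the audit itself never trips the TCC.db write detection.
    """
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT service, client, client_type, auth_value, last_modified "
            "FROM access WHERE auth_value = ?",
            (AUTH_ALLOWED,),
        )
        return [
            {"service": service, "client": client, "client_type": client_type, "last_modified": modified}
            for service, client, client_type, _auth, modified in rows
            if service in SENSITIVE_SERVICES and client not in baseline.get(service, set())
        ]
    finally:
        conn.close()


def build_sample_db(path):
    """Create a constructed TCC.db look-alike. Columns are a subset of the real schema."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access ("
        " service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,"
        " auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL, last_modified INTEGER NOT NULL)"
    )
    # client_type 0 = bundle identifier, 1 = absolute path (assumption); values below are constructed.
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.example.mdm.agent", 0, 2, 1, 1700000000),  # baseline
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/updater", 1, 2, 1, 1700000500),  # unexpected
        ("kTCCServiceScreenCapture", "com.example.remotesupport", 0, 2, 1, 1700000000),     # baseline
        ("kTCCServiceMicrophone", "com.example.conferencing", 0, 0, 1, 1700000000),          # denied
        ("kTCCServiceCalendar", "com.example.notes", 0, 2, 1, 1700000000),                   # not sensitive
    ])
    conn.commit()
    conn.close()


def run_audit_demo():
    """Build the sample database in a temp directory and audit it against the sample baseline."""
    db_path = os.path.join(tempfile.mkdtemp(prefix="tcc-audit-"), "TCC.db")
    build_sample_db(db_path)
    return audit_tcc(db_path, SAMPLE_BASELINE)


if __name__ == "__main__":
    for finding in run_audit_demo():
        print(f"{finding['service']}: unexpected grant to {finding['client']} "
              f"(client_type={finding['client_type']}, last_modified={finding['last_modified']})")
```

A grant that appears outside the baseline with a recent `last_modified` and no matching MDM deployment is exactly the kind of entry Test 2 would produce if the direct write succeeded, so the audit output doubles as a check that the detection above fired when it should have.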
