T1548.006 IBM QRadar · QRadar

Detect TCC Manipulation in IBM QRadar

Adversaries manipulate or abuse macOS Transparency, Consent, and Control (TCC) to grant malicious processes elevated permissions without user consent. TCC controls access to camera, microphone, Full Disk Access, Screen Recording, and other sensitive resources. Techniques include: directly modifying the TCC SQLite database, injecting into existing processes that already have TCC entitlements, exploiting the limited process list to find TCC-entitled processes to hijack, or abusing MDM configuration profiles. Phil Stokes documented multiple TCC bypass techniques used by macOS malware.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.006 TCC Manipulation
Canonical reference: https://attack.mitre.org/techniques/T1548/006/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "devicehostname" AS hostname,
  QIDNAME(qid) AS event_name,
  "Command" AS process_cmdline,
  "ParentProcessName" AS parent_process,
  CASE
    WHEN (LOWER("Message") ILIKE '%tcc.db%' OR LOWER("Message") ILIKE '%com.apple.tcc%')
     AND (LOWER("Message") ILIKE '%write%' OR LOWER("Message") ILIKE '%modify%' OR LOWER("Message") ILIKE '%open%')
     AND LOWER("Message") NOT ILIKE '%tccd%'
     AND LOWER("Message") NOT ILIKE '%syspolicyd%'
     AND LOWER("Message") NOT ILIKE '%mdmclient%'
    THEN 'TCC_DB_Unauthorized_Write'
    WHEN LOWER("ProcessPath") ILIKE '%sqlite3%'
     AND (LOWER("Command") ILIKE '%tcc.db%' OR LOWER("Command") ILIKE '%ktccservice%')
    THEN 'TCC_SQLite_Direct_Access'
    WHEN LOWER("Message") ILIKE '%ktccservicefulldiskaccess%'
     OR LOWER("Message") ILIKE '%ktccservicescreencapture%'
     OR LOWER("Message") ILIKE '%ktccservicecamera%'
    THEN 'TCC_Service_Permission_Change'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apple Mac OS X Logs', 'Universal DSM')
  AND starttime > NOW() - 86400000
  AND (
    (LOWER("Message") ILIKE '%tcc.db%' OR LOWER("Message") ILIKE '%com.apple.tcc%')
    OR (LOWER("ProcessPath") ILIKE '%sqlite3%' AND LOWER("Command") ILIKE '%tcc%')
    OR LOWER("Message") ILIKE '%ktccservicefulldiskaccess%'
    OR LOWER("Message") ILIKE '%ktccservicescreencapture%'
    OR LOWER("Message") ILIKE '%ktccservicecamera%'
  )
  AND LOWER("Message") NOT ILIKE '%tccd%'
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: high. Confidence: medium.

AQL query for IBM QRadar to detect TCC database manipulation on macOS endpoints. Identifies unauthorized writes to TCC.db files, sqlite3 direct access to TCC databases, and TCC service permission changes. Excludes known-good macOS system daemons (tccd, syspolicyd, mdmclient) from results.
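The rule's WHERE and CASE logic re-implemented in Python, as an added example that is not part of the original page or the QRadar rule, so it can be exercised against constructed log records before the AQL is deployed. The Event fields are assumed to map to the rule's "Message", "ProcessPath" and "Command" properties; besides confirming the three labels, it shows that any message mentioning tccd (including tccd's own denial logs) is dropped entirely, while syspolicyd and mdmclient rows are only excluded from the TCC_DB_Unauthorized_Write label and still surface as Unknown.

```python
# Added example, not code from the original page or the QRadar rule: a Python
# re-implementation of the rule's WHERE/CASE logic, run over constructed records.
from dataclasses import dataclass
from typing import Optional

SYSTEM_DAEMONS = ("tccd", "syspolicyd", "mdmclient")   # exclusions used by the rule
WRITE_VERBS = ("write", "modify", "open")
TCC_SERVICES = ("ktccservicefulldiskaccess", "ktccservicescreencapture", "ktccservicecamera")

@dataclass
class Event:
    message: str             # assumed to map to the "Message" field in QRadar
    process_path: str = ""   # assumed to map to the "ProcessPath" property
    command: str = ""        # assumed to map to the "Command" property

def classify(ev: Event) -> Optional[str]:
    """Return the rule's detection_type, or None when the WHERE clause drops the event."""
    msg, path, cmd = ev.message.lower(), ev.process_path.lower(), ev.command.lower()
    mentions_db = "tcc.db" in msg or "com.apple.tcc" in msg
    sqlite_tcc = "sqlite3" in path and "tcc" in cmd
    service_change = any(s in msg for s in TCC_SERVICES)
    # WHERE: scope filter, then the blanket exclusion of anything mentioning tccd
    if not (mentions_db or sqlite_tcc or service_change) or "tccd" in msg:
        return None
    # CASE: branches are evaluated in order, first match wins
    if (mentions_db and any(v in msg for v in WRITE_VERBS)
            and not any(d in msg for d in SYSTEM_DAEMONS)):
        return "TCC_DB_Unauthorized_Write"
    if "sqlite3" in path and ("tcc.db" in cmd or "ktccservice" in cmd):
        return "TCC_SQLite_Direct_Access"
    if service_change:
        return "TCC_Service_Permission_Change"
    return "Unknown"

# Constructed sample records (not real telemetry), one per outcome worth checking.
SAMPLES = {
    "user_write": Event("open /Library/Application Support/com.apple.TCC/TCC.db for write"),
    "sqlite_read": Event("process launched", "/usr/bin/sqlite3",
                         "sqlite3 ~/Library/Application Support/com.apple.TCC/TCC.db .tables"),
    "camera_grant": Event("kTCCServiceCamera auth_value updated for com.example.app"),
    "mdm_write": Event("mdmclient modify com.apple.TCC/TCC.db via profile"),
    "tccd_denial": Event("tccd: denied write to TCC.db by sqlite3"),
    "unrelated": Event("launchd: service started"),
}

def run_samples() -> dict:
    """Classify every sample; tccd_denial is dropped, mdm_write is kept but labelled Unknown."""
    return {name: classify(ev) for name, ev in SAMPLES.items()}
```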

Data Sources

  • Apple macOS Unified Log via QRadar Universal DSM
  • macOS endpoint syslog forwarded to QRadar

Required Tables

events

False Positives & Tuning

  • Corporate MDM solutions performing bulk TCC policy deployment may generate TCC_DB_Unauthorized_Write alerts if the MDM client process name is not in the exclusion list
  • macOS App Store updates can trigger TCC permission re-evaluation that generates TCC_Service_Permission_Change events
  • Legitimate database administration tools performing authorized TCC audits will match the TCC_SQLite_Direct_Access pattern
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Read TCC Database Contents

    Expected signal: macOS Unified Log: sqlite3 accessing TCC.db. tccd may log the access attempt.

  2. Test 2: Attempt Direct TCC Database Modification

    Expected signal: macOS Unified Log: sqlite3 attempting write to TCC.db. tccd may log unauthorized modification attempt. On protected systems, operation will fail.

  3. Test 3: Check TCC Reset and Privacy Permissions

    Expected signal: tccutil command execution. sqlite3 read access to TCC.db.
