Detect TCC Manipulation in Sumo Logic CSE
Adversaries manipulate or abuse macOS Transparency, Consent, and Control (TCC) to grant malicious processes elevated permissions without user consent. TCC controls access to camera, microphone, Full Disk Access, Screen Recording, and other sensitive resources. Techniques include: directly modifying the TCC SQLite database, injecting into existing processes that already have TCC entitlements, exploiting the limited process list to find TCC-entitled processes to hijack, or abusing MDM configuration profiles. Phil Stokes documented multiple TCC bypass techniques used by macOS malware.
MITRE ATT&CK
- Technique
- T1548 Abuse Elevation Control Mechanism
- Sub-technique
- T1548.006 TCC Manipulation
- Canonical reference
- https://attack.mitre.org/techniques/T1548/006/
Sumo Detection Query
_sourceCategory=macos* OR _sourceCategory=endpoint/mac*
| where !(_raw matches /(?i)(tccd|syspolicyd|mdmclient)/)
| parse regex field=_raw "(?P<process_name>[\w\.\-]+)\[(?P<pid>\d+)\]" nodrop
| parse regex field=_raw "(?P<file_path>/[\w/\.\-]+TCC[\w/\.\-]*\.db)" nodrop
| parse regex field=_raw "(?P<command_line>sqlite3[^\n]+)" nodrop
| eval detection_type = if(
_raw matches /(?i)(TCC\.db|com\.apple\.TCC)/ &&
_raw matches /(?i)(write|modify|created|open)/ &&
!(_raw matches /(?i)(tccd|syspolicyd|mdmclient)/),
"TCC_DB_Unauthorized_Access",
if(
_raw matches /(?i)sqlite3/ &&
_raw matches /(?i)(TCC\.db|kTCCService)/,
"TCC_SQLite_Direct_Access",
if(
_raw matches /(?i)(kTCCServiceFullDiskAccess|kTCCServiceScreenCapture|kTCCServiceCamera|kTCCServiceMicrophone)/ &&
!(_raw matches /(?i)(allowed|user_approved|deny)/),
"TCC_Service_Permission_Change",
null()
)))
| where !isNull(detection_type)
| withtime _messageTime
| timeslice 1h
| count by _timeslice, _sourceHost, _sourceCategory, detection_type, process_name, file_path
| sort by _timeslice descSumo Logic query to detect macOS TCC database manipulation. Parses macOS unified logs and syslog to identify unauthorized TCC.db file access, sqlite3 queries against TCC databases, and attempts to modify sensitive TCC service entitlements (Full Disk Access, Screen Capture, Camera, Microphone). Excludes legitimate macOS TCC daemons.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate privacy preference change requests initiated by users in System Preferences will generate TCC_Service_Permission_Change events
- Security products (EDR/AV) that enumerate TCC permissions for compliance checking may match the sqlite3 access pattern
- macOS Migration Assistant during user profile transfers reads and writes TCC databases as part of the data migration process
Other platforms for T1548.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Read TCC Database Contents
Expected signal: macOS Unified Log: sqlite3 accessing TCC.db. tccd may log the access attempt.
- Test 2Attempt Direct TCC Database Modification
Expected signal: macOS Unified Log: sqlite3 attempting write to TCC.db. tccd may log unauthorized modification attempt. On protected systems, operation will fail.
- Test 3Check TCC Reset and Privacy Permissions
Expected signal: tccutil command execution. sqlite3 read access to TCC.db.
Unlock Pro Content
Get the full detection package for T1548.006 including response playbook, investigation guide, and atomic red team tests.