title: TCC Manipulation (T1548.006)
id: df00tech-t1548-006
status: experimental
description: "Adversaries manipulate or abuse macOS Transparency, Consent, and Control (TCC) to grant malicious processes elevated permissions without user consent. TCC controls access to camera, microphone, Full Disk Access, Screen Recording, and other sensitive resources. Techniques include: directly modifying the TCC SQLite database, injecting into existing processes that already have TCC entitlements, exploiting the limited process list to find TCC-entitled processes to hijack, or abusing MDM configuration profiles. Phil Stokes documented multiple TCC bypass techniques used by macOS malware."
references:
  - https://attack.mitre.org/techniques/T1548/006/
  - https://df00tech.com/detections/T1548.006
author: df00tech
date: 2026/04/21
tags:
  - attack.t1548.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System software updates that legitimately modify TCC database during migration
  - MDM enrollment processes modifying TCC settings via configuration profiles
  - tccd daemon (the TCC daemon) accessing its own database during normal operation
  - Privacy Reset operations during macOS upgrade or system migration
level: high

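The rule above only describes the technique; as an added example (not part of the df00tech rule or its KQL/SPL query), here is a defender-side audit of the TCC `access` table that flags allow grants on sensitive services whose client is not on an allowlist or whose row carries no `csreq`. The reduced table schema, the allowlist, the heuristics and the sample rows are assumptions constructed for the example; the service names and `auth_value` meaning are the real TCC ones.

```python
import sqlite3
from typing import List, Set, Tuple

# Real TCC service identifiers whose grants matter most to defenders.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceScreenCapture",
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
    "kTCCServiceAccessibility",
}
AUTH_ALLOWED = 2  # auth_value meaning "allowed" in the access table


def audit_tcc_access(conn: sqlite3.Connection, allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (service, client, reason) for suspicious allow rows.

    Heuristics (assumed for this example): an allowed grant on a sensitive
    service is flagged when the row has no csreq (tccd records a code-signing
    requirement when it grants, so a NULL csreq suggests the row was written
    to the database directly) or when the client is not on the allowlist.
    Reading the real TCC.db itself requires Full Disk Access."""
    findings = []
    rows = conn.execute(
        "SELECT service, client, auth_value, csreq FROM access ORDER BY rowid"
    ).fetchall()
    for service, client, auth_value, csreq in rows:
        if service not in SENSITIVE_SERVICES or auth_value != AUTH_ALLOWED:
            continue
        if csreq is None:
            findings.append((service, client, "allowed row without csreq"))
        elif client not in allowlist:
            findings.append((service, client, "allowed client not on allowlist"))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with a reduced access schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "auth_value INTEGER, csreq BLOB)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, b"\xfa\xde\x0c\x00"),  # expected
        ("kTCCServiceScreenCapture", "com.example.meeting", 0, 2, b"\xfa\xde\x0c\x00"),  # unknown client
        ("kTCCServiceMicrophone", "com.example.unsigned", 0, 2, None),  # no csreq recorded
        ("kTCCServiceCamera", "com.example.meeting", 0, 0, None),  # denied, ignored
        ("kTCCServiceCalendar", "com.example.todo", 0, 2, None),  # not a sensitive service
    ])
    return conn
```

Point `sqlite3.connect` at a copy of `TCC.db` (system or per-user) instead of `build_sample_db()` to run the same check on real data.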