medium advisory

macOS TCC Database Modification for Privacy Control Bypass

Adversaries may attempt to bypass macOS privacy controls by directly modifying the Transparency, Consent, and Control (TCC) SQLite database using sqlite3, potentially gaining unauthorized access to sensitive resources.

Attackers may attempt to evade macOS privacy controls by directly modifying the TCC (Transparency, Consent, and Control) database. TCC stores per-application consent decisions for sensitive resources such as the camera, microphone, address book, and calendar; the per-user database lives at ~/Library/Application Support/com.apple.TCC/TCC.db and the system-wide one at /Library/Application Support/com.apple.TCC/TCC.db. By using a tool such as sqlite3 to insert or update rows in one of these databases, an adversary can grant an application of their choosing access to those resources without the user ever seeing a consent prompt. The databases are themselves protected (the system copy by SIP, the user copy by the Full Disk Access permission), so a direct write presupposes that the attacker already holds Full Disk Access, is running on a host with SIP disabled, or has a bypass such as CVE-2020-9934, in which the HOME environment variable was used to point tccd at an attacker-controlled TCC.db. This is therefore a post-exploitation technique, used to expand access after an initial compromise.

Attack Chain

  1. Initial access is gained to the macOS system through an unrelated exploit (e.g., phishing, software vulnerability).
  2. The attacker runs commands through a shell (e.g., bash, zsh) or a scripting interpreter (e.g., osascript, python) on the target system.
  3. The attacker uses sqlite3 to open the user or system TCC database; both locations match the pattern /*/Application Support/com.apple.TCC/TCC.db used by the detection rules.
  4. The sqlite3 process inserts or updates rows in the TCC database to grant an attacker-controlled application access to protected resources (camera, microphone, contacts, etc.).
  5. The attacker then executes an application that leverages the newly granted TCC permissions.
  6. The application accesses previously restricted resources without prompting the user for consent.
  7. The attacker exfiltrates the sensitive data obtained through unauthorized access.

Impact

Successful exploitation allows unauthorized access to sensitive user data protected by macOS privacy controls. This can lead to data theft, privacy violations, and further compromise of the system. ATT&CK classifies the technique under T1548.006 (Abuse Elevation Control Mechanism: TCC Manipulation); in effect it is a local privilege escalation across the privacy boundary, giving the attacker access to resources normally gated by TCC consent prompts.

Recommendation

  • Deploy the Sigma rule Detect TCC Database Modification via sqlite3 to identify processes that use sqlite3 against the TCC database.
  • Investigate any process execution event in which sqlite3 is invoked with arguments referencing the TCC database (/*/Application Support/com.apple.TCC/TCC.db). A command line carrying INSERT, UPDATE, DELETE or REPLACE is a stronger signal than a bare SELECT, which may come from inventory or audit tooling.
  • Monitor for unusual parent processes of sqlite3 such as scripting environments (osascript, bash, zsh, Terminal, Python*) as highlighted in the rule.
  • Check how the writing process obtained write access: a successful modification implies it already held Full Disk Access or that SIP is disabled on the host, each of which is a finding in its own right.
  • Investigate processes accessing protected resources (camera, microphone, contacts) without a prior user consent prompt.
  • On confirmed tampering, revoke the injected grants with tccutil reset (for example tccutil reset All <bundle-id>), and preserve a copy of the modified database for forensic comparison first.
  • Enable Elastic Defend integration to collect the process execution data the detection rules require.

Detection coverage (2 rules)

Detect TCC Database Modification via sqlite3

medium

Detects the use of sqlite3 to directly modify the TCC database, potentially bypassing macOS privacy controls.

Sigma | tactics: defense_evasion | techniques: T1548.006 | sources: process_creation, macos

Detect TCC Database Modification from Scripting Parent Process

medium

Detects sqlite3 modifying the TCC database with a scripting language as the parent process.

Sigma | tactics: defense_evasion | techniques: T1548.006 | sources: process_creation, macos
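To make the two rules above and the triage guidance in the Recommendation list concrete, the following is an added example that re-expresses their matching logic in plain Python and runs it over a handful of constructed process_creation events. It is not the platform's rule code; the event field names (image, command_line, parent_image), the sample events, and the SQL write-verb enrichment are assumptions for illustration only.

```python
# Added example: the advisory's two Sigma rules as plain Python matchers,
# run over constructed macOS process_creation events. Not the platform's
# rule code; field names and sample events are assumptions.
from dataclasses import dataclass
import os
import re

# Both the user and the system TCC database paths contain this fragment,
# which is what the rules' /*/Application Support/com.apple.TCC/TCC.db pattern keys on.
TCC_DB_PATH_FRAGMENT = "Application Support/com.apple.TCC/TCC.db"

# Parent processes the advisory calls out (plus plain sh); Python* is handled by prefix.
SCRIPTING_PARENTS = ("osascript", "bash", "zsh", "sh", "Terminal")

# Enrichment (assumption, not part of the rules): a row-changing verb on the
# command line separates modification from a read-only SELECT by audit tooling.
WRITE_VERB = re.compile(r"\b(insert|update|delete|replace)\b", re.IGNORECASE)

RULE_SQLITE3 = "Detect TCC Database Modification via sqlite3"
RULE_SCRIPTING_PARENT = "Detect TCC Database Modification from Scripting Parent Process"


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the executed binary
    command_line: str   # full command line as logged
    parent_image: str   # full path of the parent process


def rule_tcc_db_modification(ev: ProcessEvent) -> bool:
    """Rule 1: sqlite3 invoked with the TCC database on its command line."""
    return ev.image.endswith("/sqlite3") and TCC_DB_PATH_FRAGMENT in ev.command_line


def is_scripting_parent(parent_image: str) -> bool:
    """True for shells, osascript, Terminal, or any Python* interpreter."""
    name = os.path.basename(parent_image)
    return name in SCRIPTING_PARENTS or name.lower().startswith("python")


def rule_tcc_db_modification_scripting_parent(ev: ProcessEvent) -> bool:
    """Rule 2: rule 1 plus a scripting-language or shell parent."""
    return rule_tcc_db_modification(ev) and is_scripting_parent(ev.parent_image)


def writes_rows(ev: ProcessEvent) -> bool:
    """Enrichment: does the command line carry a row-changing SQL verb?"""
    return WRITE_VERB.search(ev.command_line) is not None


def evaluate(events):
    """Return one result per event: which rules fired and the write-verb flag."""
    results = []
    for ev in events:
        fired = []
        if rule_tcc_db_modification(ev):
            fired.append(RULE_SQLITE3)
        if rule_tcc_db_modification_scripting_parent(ev):
            fired.append(RULE_SCRIPTING_PARENT)
        results.append({
            "image": ev.image,
            "parent": ev.parent_image,
            "rules": fired,
            "writes_rows": writes_rows(ev) if fired else False,
        })
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # zsh-spawned sqlite3 rewriting a grant in the user database: both rules, write verb present.
    ProcessEvent(
        image="/usr/bin/sqlite3",
        command_line=("sqlite3 '/Users/alice/Library/Application Support/com.apple.TCC/TCC.db' "
                      "\"UPDATE access SET auth_value=2 WHERE service='kTCCServiceCamera'\""),
        parent_image="/bin/zsh",
    ),
    # Inventory agent reading the system database: rule 1 only, no write verb.
    ProcessEvent(
        image="/usr/bin/sqlite3",
        command_line=("sqlite3 '/Library/Application Support/com.apple.TCC/TCC.db' "
                      "'SELECT service, client, auth_value FROM access'"),
        parent_image="/Applications/AssetInventory.app/Contents/MacOS/AssetInventory",
    ),
    # sqlite3 from python against an unrelated database: neither rule.
    ProcessEvent(
        image="/usr/bin/sqlite3",
        command_line="sqlite3 /tmp/notes.db \"INSERT INTO notes VALUES (1, 'hello')\"",
        parent_image="/usr/bin/python3",
    ),
    # Non-sqlite3 binary mentioning the path: neither rule (image does not match).
    ProcessEvent(
        image="/usr/bin/grep",
        command_line="grep -r 'Application Support/com.apple.TCC/TCC.db' /var/log",
        parent_image="/bin/bash",
    ),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS):
        print(f"{r['image']} (parent {r['parent']}): rules={r['rules']} writes_rows={r['writes_rows']}")
```

The second sample event is the false-positive case the Recommendation list warns about: the sqlite3 rule fires because any sqlite3 access to TCC.db is worth a look, but the missing write verb and the non-scripting parent mean the analyst can close it quickly, whereas the first event warrants checking how the parent shell obtained Full Disk Access.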
