{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/privacy-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*","cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*","cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.5,"id":"CVE-2020-9934"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["privacy-bypass","defense-evasion","macos"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eAttackers may attempt to evade macOS privacy controls by directly modifying the TCC (Transparency, Consent, and Control) database. The TCC database manages application permissions for sensitive resources like the camera, microphone, address book, and calendar. By using tools like \u003ccode\u003esqlite3\u003c/code\u003e to manipulate this database, adversaries can grant themselves unauthorized access to these resources. This technique has been observed in previous bypasses of the TCC framework, such as the vulnerability described in CVE-2020-9934. This is a post-exploitation technique that can be used to expand access after initial compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained to the macOS system through an unrelated exploit (e.g., phishing, software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a shell (e.g., \u003ccode\u003ebash\u003c/code\u003e, \u003ccode\u003ezsh\u003c/code\u003e) or scripting language (e.g., \u003ccode\u003eosascript\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e) on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esqlite3\u003c/code\u003e to interact with the TCC database located at \u003ccode\u003e/*/Application Support/com.apple.TCC/TCC.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esqlite3\u003c/code\u003e process modifies entries in the TCC database to grant unauthorized access to protected resources (camera, microphone, contacts, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker then executes an application that leverages the newly granted TCC permissions.\u003c/li\u003e\n\u003cli\u003eThe application accesses previously restricted resources without prompting the user for consent.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the sensitive data obtained through unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthorized access to sensitive user data protected by macOS privacy controls. This can lead to data theft, privacy violations, and further compromise of the system. This is a local privilege escalation, giving the attacker access to resources normally protected by TCC.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect TCC Database Modification via sqlite3\u003c/code\u003e to identify suspicious processes using \u003ccode\u003esqlite3\u003c/code\u003e to modify the TCC database.\u003c/li\u003e\n\u003cli\u003eInvestigate any process execution events where \u003ccode\u003esqlite3\u003c/code\u003e is used with arguments targeting the TCC database (\u003ccode\u003e/*/Application Support/com.apple.TCC/TCC.db\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual parent processes of \u003ccode\u003esqlite3\u003c/code\u003e such as scripting environments (\u003ccode\u003eosascript\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e, \u003ccode\u003ezsh\u003c/code\u003e, \u003ccode\u003eTerminal\u003c/code\u003e, \u003ccode\u003ePython*\u003c/code\u003e) as highlighted in the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate processes accessing protected resources (camera, microphone, contacts) without prior user consent.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect process execution data required for the detection rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T07:44:00Z","date_published":"2026-05-26T07:44:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tcc-db-modification/","summary":"Adversaries may attempt to bypass macOS privacy controls by directly modifying the Transparency, Consent, and Control (TCC) SQLite database using sqlite3, potentially gaining unauthorized access to sensitive resources.","title":"macOS TCC Database Modification for Privacy Control Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-tcc-db-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Privacy-Bypass","version":"https://jsonfeed.org/version/1.1"}