Abuse Elevation Control Mechanism: TCC Manipulation

Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to execute malicious applications with elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).

When an application requests to access data or a service protected by TCC, the TCC daemon (tccd) checks the TCC database, located at /Library/Application Support/com.apple.TCC/TCC.db (and ~/ equivalent), for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.[1]

Adversaries may manipulate the TCC database or otherwise abuse the TCC service to execute malicious content. This can be done in various ways, including using privileged system applications to execute malicious payloads or manipulating the database to grant their application TCC permissions.

For example, adversaries can use Finder, which has FDA permissions by default, to execute malicious AppleScript while preventing a user prompt. For a system without System Integrity Protection (SIP) enabled, adversaries have also manipulated the operating system to load an adversary-controlled TCC database using environment variables and Launchctl.[2][3]

Adversaries may also opt to instead inject code (e.g., Process Injection) into targeted applications with the desired TCC permissions.

ID: T1548.006
Sub-technique of: T1548
Platforms: macOS
Contributors: Marina Liang
Version: 1.0
Created: 21 March 2024
Last Modified: 17 April 2024

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check applications using Automation under Security & Privacy System Preferences. To reset permissions, users can use the tccutil reset command. When using Mobile Device Management (MDM), review the list of enabled or disabled applications in the MDMOverrides.plist, which overrides the TCC database.[2]

M1026 Privileged Account Management

Remove unnecessary users from the local administrator group on systems.

M1022 Restrict File and Directory Permissions

When using an MDM, ensure the permissions granted are specific to the requirements of the binary. Full Disk Access should be restricted to only necessary binaries in alignment with policy.

M1051 Update Software

Routinely update software. Where possible, ensure systems are macOS Sierra+ and SIP is enabled.[1]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may abuse or modify TCC mechanisms designed to control access to elevated privileges. macOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.

DS0022 File File Modification

Monitor for changes to files associated with TCC settings, such as /Library/Application Support/com.apple.TCC/TCC.db.

DS0009 Process Process Creation

Monitor for newly executed processes that may circumvent TCC mechanisms designed to control access to elevated privileges. macOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.
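
The command and process monitoring described above, as an added example that is not part of the original ATT&CK entry: it classifies process command lines that name a TCC database file, run tccutil reset, or call launchctl setenv. The rule names, the (pid, command line) event format and the sample events are assumptions constructed for illustration.

```python
import re
import shlex

# TCC database path from the page; the same pattern matches the per-user (~/) copy.
TCC_DB = re.compile(r"Library/Application Support/com\.apple\.TCC/TCC\.db")

def classify(cmdline):
    """Return (rule, detail) findings for one process command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        argv = cmdline.split()
    if not argv:
        return []
    exe = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    findings = []
    # Rule 1: any argument that names a TCC database file.
    for a in args:
        if TCC_DB.search(a):
            findings.append(("tcc_db_path", a))
    # Rule 2: permission resets via tccutil (legitimate, but worth recording).
    if exe == "tccutil" and args[:1] == ["reset"]:
        findings.append(("tccutil_reset", " ".join(args[1:]) or "<no service>"))
    # Rule 3: launchctl setting an environment variable; report which one.
    if exe == "launchctl" and args[:1] == ["setenv"] and len(args) >= 2:
        findings.append(("launchctl_setenv", args[1]))
    return findings

# Constructed sample events (pid, command line); not real telemetry.
SAMPLE_EVENTS = [
    (501, "/usr/bin/open -a Safari"),
    (502, "/usr/bin/tccutil reset Camera"),
    (503, "/usr/bin/sqlite3 '/Users/alice/Library/Application Support/com.apple.TCC/TCC.db' .tables"),
    (504, "/bin/launchctl setenv EXAMPLE_VAR /tmp/example"),
    (505, "/bin/ls -l /Library/Application\\ Support/com.apple.TCC/TCC.db"),
]

def scan(events):
    """Map pid -> findings for events that matched at least one rule."""
    return {pid: f for pid, cmd in events if (f := classify(cmd))}

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, findings)
```

Findings from rule 2 are expected during normal administration, so they are better treated as audit records than as alerts on their own.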

References