Description
Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
When an application requests access to data or a service protected by TCC, the TCC daemon (tccd) checks the TCC database, located at /Library/Application Support/com.apple.TCC/TCC.db (and the ~/ equivalent), and an overrides file (if connected to an MDM) for existing permissions. If no permission entry exists, the user is prompted to grant permission. Once permission is granted, the database stores the application's permissions and the user is not prompted again unless the entry is reset. For example, once a web browser has been granted access to the user's webcam, the browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through Process Injection or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious AppleScript. When executing under the Finder App, the malicious AppleScript inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and Launchctl.(Citation: TCC macOS bypass)(Citation: TCC Database)
Platforms
Mitigations (3)
Privileged Account Management (M1026)
Remove unnecessary users from the local administrator group on systems.
Audit (M1047)
Routinely check the applications listed under Automation in the Security & Privacy pane of System Preferences. To reset permissions, users can use the tccutil reset command. When using Mobile Device Management (MDM), review the list of enabled or disabled applications in MDMOverrides.plist, which overrides the TCC database.(Citation: TCC macOS bypass)
Restrict File and Directory Permissions (M1022)
When using an MDM, ensure the permissions granted are specific to the requirements of the binary. Full Disk Access should be restricted to only necessary binaries in alignment with policy.
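The Audit mitigation above amounts to reviewing which clients hold grants for sensitive TCC services. The following is an added example (not MITRE's code or any project's) of that review: it reads the `access` table of a TCC.db file and reports every allowed grant for Full Disk Access, Automation, Screen Recording, Camera and Microphone. The service identifiers, the `auth_value` meanings (2 = allowed, 3 = limited) and the `client_type` meaning (1 = path rather than bundle ID) are assumptions about TCC's internal schema, and the sample database is constructed inline so the script runs offline.

```python
import sqlite3
from typing import Dict, List

# Assumed TCC service identifiers, mapped to the labels shown in System Preferences.
HIGH_RISK_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAppleEvents": "Automation",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
}
# Assumed auth_value semantics: 0 denied, 1 unknown, 2 allowed, 3 limited.
GRANTED_AUTH_VALUES = {2, 3}
SYSTEM_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def open_readonly(path: str) -> sqlite3.Connection:
    """Open a real TCC.db without modifying it (the reading process itself needs FDA)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def audit_tcc_db(conn: sqlite3.Connection) -> List[Dict]:
    """Return one finding per granted entry for a high-risk service, oldest first."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value, last_modified "
        "FROM access ORDER BY last_modified"
    ).fetchall()
    findings = []
    for service, client, client_type, auth_value, last_modified in rows:
        if service in HIGH_RISK_SERVICES and auth_value in GRANTED_AUTH_VALUES:
            findings.append({
                "service": HIGH_RISK_SERVICES[service],
                "client": client,
                # Assumption: client_type 1 means a filesystem path, not a bundle ID;
                # a path-based FDA grant is worth a closer look than a signed bundle.
                "path_client": client_type == 1,
                "last_modified": last_modified,
            })
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with only the columns the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "auth_value INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, 2, 1700000000),
        ("kTCCServiceSystemPolicyAllFiles", "/tmp/updater", 1, 2, 1700000500),  # path-based FDA
        ("kTCCServiceCamera", "com.example.browser", 0, 2, 1700000600),
        ("kTCCServiceMicrophone", "com.example.chat", 0, 0, 1700000700),  # denied: not reported
        ("kTCCServiceCalendar", "com.example.cal", 0, 2, 1700000800),  # out of scope
    ])
    return conn


if __name__ == "__main__":
    for f in audit_tcc_db(build_sample_db()):
        print(f"{f['service']:<18} {f['client']}{'  [path client]' if f['path_client'] else ''}")
```

Run against the real file with `audit_tcc_db(open_readonly(SYSTEM_DB))`; an unexpected grant can then be cleared with the `tccutil reset` command named in the Audit mitigation.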
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0658 | XCSSET | Malware | For several modules, [XCSSET](https://attack.mitre.org/software/S0658) attempts to access or list the contents of user folders such as Desktop, Downlo... |
References
- Marc-Etienne M.Léveillé. (2022, July 19). I see what you did there: A look at the CloudMensis macOS spyware. Retrieved March 21, 2024.
- Marina Liang. (2024, April 23). Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation. Retrieved March 28, 2024.
- Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024.
Frequently Asked Questions
What is T1548.006 (TCC Manipulation)?
T1548.006 is a MITRE ATT&CK technique named 'TCC Manipulation'. It belongs to the Privilege Escalation tactic(s). The technique is described in full in the Description section above.
How can T1548.006 be detected?
Detection of T1548.006 (TCC Manipulation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1548.006?
There are 3 documented mitigations for T1548.006. Key mitigations include: Privileged Account Management, Audit, Restrict File and Directory Permissions.
Which threat groups use T1548.006?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.