Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
When an application requests to access data or a service protected by TCC, the TCC daemon (tccd) checks the TCC database, located at /Library/Application Support/com.apple.TCC/TCC.db (and ~/ equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through Process Injection or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious AppleScript. When executing under the Finder App, the malicious AppleScript inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and Launchctl.(Citation: TCC macOS bypass)(Citation: TCC Database)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement protects against TCC Manipulation through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement protects against TCC Manipulation through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1548.006 | TCC Manipulation | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1548.006 | TCC Manipulation | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1548.006 | TCC Manipulation |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1548.006 | TCC Manipulation |
Comments
Google Security Operations can alert based on processes like AuthorizationExecuteWithPrivileges.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| EID-CAE-E3 | Continuous Access Evaluation | Technique Scores | T1548.006 | TCC Manipulation |
Comments
Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:
User Account is deleted or disabled
Password for a user is changed or reset
Multifactor authentication is enabled for the user
Administrator explicitly revokes all refresh tokens for a user
High user risk detected by Microsoft Entra ID Protection
License Requirements:
Continuous access evaluation will be included in all versions of Microsoft 365.
References
|
| PUR-AUS-E5 | Audit Solutions | Technique Scores | T1548.006 | TCC Manipulation |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions detects Temporary Elevated Cloud Access attacks due to it's DataInsightsRestApiAudit AuditLogRecord type which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions.
License Requirements:
Microsoft 365 E3 and E5
References
|