T1548.006 TCC Manipulation

Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).

When an application requests to access data or a service protected by TCC, the TCC daemon (tccd) checks the TCC database, located at /Library/Application Support/com.apple.TCC/TCC.db (and ~/ equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)

Adversaries may access restricted data or services protected by TCC by abusing applications that were previously granted permissions, either through Process Injection or by executing a malicious binary under another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious AppleScript. When executing under the Finder app, the malicious AppleScript inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. On a system without SIP enabled, adversaries can manipulate the TCC database to add permissions for their malicious executable by loading an adversary-controlled TCC database using environment variables and Launchctl.(Citation: TCC macOS bypass)(Citation: TCC Database)
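As an added defensive example (not part of the ATT&CK text or the mappings project), the audit below reads a TCC.db-shaped SQLite `access` table like the one tccd consults and reports which clients hold allowed grants for sensitive services such as Full Disk Access, flagging any client that is not on a known baseline. It runs against a constructed in-memory copy; the column names and auth_value codes are assumed to match recent macOS releases, and on a real host reading the system database itself requires Full Disk Access.

```python
import sqlite3

# Subset of TCC.db's "access" table; column names and auth_value codes are assumed
# to match recent macOS releases (verify against your own build before relying on them).
SCHEMA = """CREATE TABLE access (
    service TEXT, client TEXT,
    client_type INTEGER,   -- 0 = bundle identifier, 1 = absolute path
    auth_value INTEGER,    -- 0 denied, 1 unknown, 2 allowed, 3 limited
    auth_reason INTEGER,   -- 2 = user consent (other codes omitted here)
    last_modified INTEGER)"""

# TCC service identifiers worth auditing, mapped to their Privacy & Security pane names.
SENSITIVE = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAppleEvents": "Automation",
}

def load_constructed_db():
    """Build an in-memory stand-in for TCC.db populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceCamera", "com.apple.Safari", 0, 2, 2, 1700000000),
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backupd", 1, 2, 2, 1700000100),
        ("kTCCServiceSystemPolicyAllFiles", "/private/tmp/updater", 1, 2, 2, 1700000200),
        ("kTCCServiceMicrophone", "com.example.meetings", 0, 0, 2, 1700000300),
        ("kTCCServiceAppleEvents", "com.example.automation", 0, 2, 2, 1700000400),
    ])
    return conn

def audit_grants(conn, allowlist):
    """List allowed grants for sensitive services; flag clients missing from the allowlist."""
    findings = []
    for service, client, _ctype, auth_value, _reason, ts in conn.execute(
            "SELECT service, client, client_type, auth_value, auth_reason, last_modified FROM access"):
        if service in SENSITIVE and auth_value == 2:   # 2 = allowed; denied/unknown rows are skipped
            findings.append({
                "service": SENSITIVE[service],
                "client": client,
                "unexpected": client not in allowlist.get(service, ()),
                "last_modified": ts,
            })
    return findings

def unexpected_clients(conn, allowlist):
    """Clients holding a sensitive grant that the baseline allowlist does not expect."""
    return sorted(f["client"] for f in audit_grants(conn, allowlist) if f["unexpected"])
```

Running the audit periodically and diffing its output against a baseline surfaces grants that appeared without a matching user prompt, which is the observable left behind by the database manipulation described above.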


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.IR-01.05 | Remote access protection | Mitigates | T1548.006 | TCC Manipulation
Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
PR.AA-05.02 | Privileged system access | Mitigates | T1548.006 | TCC Manipulation
Comments: This diagnostic statement protects against TCC Manipulation through privileged account management and multi-factor authentication.
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1548.006 | TCC Manipulation
Comments: This diagnostic statement protects against TCC Manipulation through privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1548.006 | TCC Manipulation
Comments: This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and of account activity is essential to prevent and detect unauthorized access or misuse.
PR.IR-01.06 | Production environment segregation | Mitigates | T1548.006 | TCC Manipulation
Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1548.006 | TCC Manipulation
CM-06 | Configuration Settings | mitigates | T1548.006 | TCC Manipulation
CM-05 | Access Restrictions for Change | mitigates | T1548.006 | TCC Manipulation
SI-02 | Flaw Remediation | mitigates | T1548.006 | TCC Manipulation
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1548.006 | TCC Manipulation
CM-08 | System Component Inventory | mitigates | T1548.006 | TCC Manipulation
SI-10 | Information Input Validation | mitigates | T1548.006 | TCC Manipulation
SI-03 | Malicious Code Protection | mitigates | T1548.006 | TCC Manipulation
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1548.006 | TCC Manipulation
AC-16 | Security and Privacy Attributes | mitigates | T1548.006 | TCC Manipulation
CM-02 | Baseline Configuration | mitigates | T1548.006 | TCC Manipulation
CM-07 | Least Functionality | mitigates | T1548.006 | TCC Manipulation
SI-04 | System Monitoring | mitigates | T1548.006 | TCC Manipulation
AC-02 | Account Management | mitigates | T1548.006 | TCC Manipulation
AC-03 | Access Enforcement | mitigates | T1548.006 | TCC Manipulation
AC-05 | Separation of Duties | mitigates | T1548.006 | TCC Manipulation
AC-06 | Least Privilege | mitigates | T1548.006 | TCC Manipulation

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.variety.In-memory | Malware never stored to persistent storage | related-to | T1548.006 | TCC Manipulation
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1548.006 | TCC Manipulation

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
google_secops | Google Security Operations | technique_scores | T1548.006 | TCC Manipulation
Comments: Google Security Operations can alert based on processes like AuthorizationExecuteWithPrivileges.