Abuse Elevation Control Mechanism: TCC Manipulation T1548.006

Tactic: Privilege Escalation

Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is the macOS Privacy & Security control mechanism that determines whether a running process has permission to access data or services it protects, such as screen sharing, the camera, the microphone, or Full Disk Access (FDA).

Events covered

1 catalog event is tagged with this technique by at least one rule.

Provider | Event | Title
ESF | open | File Open (NOTIFY)

Authoring guide

Patterns shared across the 3 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (16 distinct)

The fields rules most often look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
host.os.type | 3 | eq 3 |
EventType | 2 | eq 2 | open, tcc_modify
process_name | 2 | starts_with 2, in 1 | bash, node, osascript, sqlite
Effective_process.name | 1 | regex_match 1 | (bash|zsh|sh|osascript|python.*|perl.*|ruby.*|node|Termin...
Esql.unique_folders | 1 | ge 1 | 2
TargetFilename | 1 | eq 1 | /library/preferences/com.apple.timemachine.plist
Tcc.right | 1 | eq 1 | allowed
Tcc.service | 1 | in 1 | SystemPolicyDesktopFolder, SystemPolicyDocumentsFolder, SystemPolicyDownloadsFolder
Tcc.update_type | 1 | eq 1 | create
event.type | 1 | in 1 | process_started, start
parent_process_name | 1 | wildcard 1 | Python*, Terminal, bash
process.args | 1 | wildcard 1 | /*/Application Support/com.apple.TCC/TCC.db
process.code_signature.exists | 1 | eq 1 | false
process.code_signature.trusted | 1 | eq 1 | false
process.parent.code_signature.exists | 1 | eq 1 | false

Top indicator values (32 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for a useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
Effective_process.name | regex_match | (bash|zsh|sh|osascript|python.*|perl.*|ruby.*|node|Terminal|iTerm2|ghostty) | 1 |
Esql.unique_folders | ge | 2 | 1 |
EventType | eq | open | 1 | 15
EventType | eq | tcc_modify | 1 | 2
TargetFilename | eq | /library/preferences/com.apple.timemachine.plist | 1 |
Tcc.right | eq | allowed | 1 |
Tcc.service | in | SystemPolicyDesktopFolder | 1 |
Tcc.service | in | SystemPolicyDocumentsFolder | 1 |
Tcc.service | in | SystemPolicyDownloadsFolder | 1 |
Tcc.update_type | eq | create | 1 |
event.type | in | process_started | 1 | 40
event.type | in | start | 1 | 42
parent_process_name | wildcard | Python* | 1 | 3
parent_process_name | wildcard | Terminal | 1 | 3
parent_process_name | wildcard | bash | 1 | 7
parent_process_name | wildcard | osascript | 1 | 6
parent_process_name | wildcard | sh | 1 | 7
parent_process_name | wildcard | zsh | 1 | 7
process.args | wildcard | /*/Application Support/com.apple.TCC/TCC.db | 1 |
process.code_signature.exists | eq | false | 1 | 19
process.code_signature.trusted | eq | false | 1 | 18
process.parent.code_signature.exists | eq | false | 1 | 9
process.parent.code_signature.trusted | eq | false | 1 | 10
process_name | in | bash | 1 | 88
process_name | in | node | 1 | 11
process_name | in | osascript | 1 | 4
process_name | in | perl | 1 | 5
process_name | in | ruby | 1 | 4
process_name | in | sh | 1 | 83
process_name | in | terminal | 1 |
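The following is an added example, not code from the catalog or from any vendor rule, showing what the Corpus reach column means in practice. It evaluates the page's process-level indicators (process_name in / starts_with, parent_process_name wildcard, the process.args wildcard on TCC.db, and process.code_signature.trusted = false) over a handful of constructed process events and reports which indicators fire per event. The broad indicators (shell process names, a terminal parent, a "start" event type) fire on ordinary activity; only the combination of a TCC.db path in the arguments, an untrusted signature, and a scripting or shell context isolates the one event worth alerting on. The sample events, field spellings, and the combination used for the "alert" verdict are this example's own assumptions, not a rule from the catalog.

```python
import fnmatch
import re

# Indicator values copied from the catalog tables on this page.
PROCESS_NAME_IN = {"bash", "node", "osascript", "perl", "ruby", "sh", "terminal"}
PROCESS_NAME_STARTS_WITH = ("sqlite",)
PARENT_WILDCARDS = ("Python*", "Terminal", "bash", "osascript", "sh", "zsh")
TCC_DB_WILDCARD = "/*/Application Support/com.apple.TCC/TCC.db"
START_EVENT_TYPES = {"process_started", "start"}
# Indicators the corpus-reach column shows are used widely; on their own they are noise.
BROAD_INDICATORS = {"process_name", "parent_process_name", "event.type"}

# Constructed sample events (not from any real host). Field names follow the
# catalog's normalized names; process.args is modelled as a list of arguments.
SAMPLE_EVENTS = [
    {   # 0: ordinary shell usage from Terminal, Apple-signed bash
        "event.type": "start", "process_name": "bash", "parent_process_name": "Terminal",
        "process.args": ["ls", "-la", "/Users/demo"],
        "process.code_signature.trusted": True},
    {   # 1: sqlite client spawned by an unsigned Python script and pointed at the TCC database
        "event.type": "start", "process_name": "sqlite3", "parent_process_name": "Python3",
        "process.args": ["sqlite3", "/Users/demo/Library/Application Support/com.apple.TCC/TCC.db"],
        "process.code_signature.trusted": False},
    {   # 2: hypothetical signed backup agent that lists TCC.db among the files it copies
        "event.type": "start", "process_name": "backup_agent", "parent_process_name": "launchd",
        "process.args": ["backup_agent", "--include",
                         "/Users/demo/Library/Application Support/com.apple.TCC/TCC.db"],
        "process.code_signature.trusted": True},
    {   # 3: developer running a signed node binary from zsh
        "event.type": "start", "process_name": "node", "parent_process_name": "zsh",
        "process.args": ["node", "server.js"],
        "process.code_signature.trusted": True},
]


def indicator_hits(event):
    """Return the set of single indicators from the catalog that fire on one event."""
    hits = set()
    name = event.get("process_name", "").lower()
    if name in PROCESS_NAME_IN or name.startswith(PROCESS_NAME_STARTS_WITH):
        hits.add("process_name")
    parent = event.get("parent_process_name", "")
    if any(fnmatch.fnmatchcase(parent, pat) for pat in PARENT_WILDCARDS):
        hits.add("parent_process_name")
    # fnmatch's '*' spans '/' so the catalog's wildcard matches any user's ~/Library path.
    if any(fnmatch.fnmatchcase(arg, TCC_DB_WILDCARD) for arg in event.get("process.args", [])):
        hits.add("process.args")
    if event.get("process.code_signature.trusted", True) is False:
        hits.add("process.code_signature.trusted")
    if event.get("event.type") in START_EVENT_TYPES:
        hits.add("event.type")
    return hits


def verdict(event):
    """Combine indicators: 'alert' only when the specific and the broad signals coincide."""
    hits = indicator_hits(event)
    specific = {"process.args", "process.code_signature.trusted"} <= hits
    context = bool(hits & {"process_name", "parent_process_name"})
    if specific and context:
        return "alert"
    if hits:
        return "noise"     # something fired, but nothing a rule should page on alone
    return "none"


def run_detection(events):
    """Evaluate every event and return (index, sorted indicator names, verdict) rows."""
    return [(i, sorted(indicator_hits(e)), verdict(e)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for idx, hits, result in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: {result:5} <- {', '.join(hits)}")
```

Run it and every event reports at least one indicator (event.type and a shell name fire on all the benign samples), while only event 1 reaches "alert". The signed backup agent in event 2 matches the TCC.db path but not the signature predicate, which is the exclusion the Elastic rule's code_signature conditions buy you; if your telemetry lacks signature fields, the parent-process wildcards are the next-best narrowing condition the catalog offers.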

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.


Elastic 3 rules