Suspicious TCC Access Granted for User Folders

Status: production
Severity: high
Time window: 9m
Group by: Effective_process.entity_id, Effective_process.executable, host.name, user.name
Author: Elastic
Source: github.com/elastic/detection-rules

Detects when TCC access is granted for multiple user folders like Desktop, Downloads and Documents in quick succession. Many information stealers require TCC permissions to access these locations and will prompt users to grant access for data exfiltration.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1548.006` Abuse Elevation Control Mechanism: TCC Manipulation
Collection	`T1005` Data from Local System

Rule body elastic

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Elastic"]
description = """
Detects when TCC access is granted for multiple user folders like Desktop, Downloads and Documents 
in quick succession. Many information stealers require TCC permissions to access these locations and 
will prompt users to grant access for data exfiltration.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Suspicious TCC Access Granted for User Folders"
risk_score = 73
rule_id = "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Collection",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "esql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious TCC Access Granted for User Folders

The Transparency, Consent, and Control (TCC) framework is macOS's privacy protection mechanism that controls application access to sensitive resources like the Desktop, Documents, and Downloads folders. Threat actors may manipulate the TCC database to grant unauthorized access to these protected locations, enabling data theft without triggering user consent prompts. This detection rule identifies when scripting interpreters or command-line tools create multiple TCC permission grants in rapid succession, indicating potential automated TCC manipulation.

### Possible investigation steps

- Review the Effective_process.name and Effective_process.executable fields to identify which process is creating TCC permission grants and assess whether this is expected behavior.
- Examine the Tcc.service values to understand which protected folders (Desktop, Documents, Downloads) were granted access and evaluate the sensitivity of data in those locations.
- Investigate the Effective_process.parent.executable and command_line to trace how the TCC-modifying process was launched and identify the initial execution vector.
- Review the timing and count of TCC grants to determine if this is an automated batch operation characteristic of malicious activity.
- Check the TCC.db database directly using sqlite3 to review all permission grants and identify any unauthorized entries.
- Correlate with file access events to determine if the granted permissions were subsequently used to access sensitive data.
- Review the user.name associated with the activity and verify whether they would have legitimate reasons to grant these permissions.

### False positive analysis

- Legitimate applications during first launch or installation may request TCC access, but typically through standard user prompts rather than direct database modification. Verify if application installation was expected.
- Enterprise MDM solutions may configure TCC permissions during device setup or policy enforcement. Confirm with IT operations if MDM deployments were scheduled.
- Automation and scripting workflows may require TCC access for legitimate file operations. Review with the script owner to confirm legitimacy.
- System administration tasks may involve TCC manipulation for specific operational requirements. Verify with IT staff before dismissing.

### Response and remediation

- Immediately revoke the unauthorized TCC access grants by removing the malicious entries from the TCC.db database or resetting TCC permissions for the affected application.
- Terminate the suspicious process that created the TCC grants and prevent it from restarting.
- Isolate the affected macOS system to prevent potential data exfiltration using the newly granted permissions.
- Conduct a forensic review of file access events to determine if sensitive data was accessed using the unauthorized TCC permissions.
- Scan the system for additional malware, persistence mechanisms, or indicators of compromise.
- Reset TCC permissions to their default state using tccutil reset or by deleting and recreating the TCC.db database.
- Review other systems in the environment for similar TCC manipulation activity.
- Escalate to the incident response team for comprehensive investigation if data theft is suspected.
"""
query = '''
FROM logs-endpoint.events.*
| WHERE host.os.type == "macos" 
    AND event.action == "tcc_modify" 
    AND Tcc.right == "allowed"
    AND Tcc.update_type == "create"
    AND Tcc.service IN ("SystemPolicyDocumentsFolder", "SystemPolicyDownloadsFolder", "SystemPolicyDesktopFolder")
    AND Effective_process.name RLIKE "(bash|zsh|sh|osascript|python.*|perl.*|ruby.*|node|Terminal|iTerm2|ghostty)"
| STATS 
    Esql.grant_count = COUNT(*),
    Esql.unique_folders = COUNT_DISTINCT(Tcc.service),  
    Esql.folders = VALUES(Tcc.service)
  BY Effective_process.entity_id, Effective_process.executable, host.name, user.name
| WHERE Esql.unique_folders >= 2
| KEEP Esql.*, Effective_process.entity_id, Effective_process.executable, host.name, user.name
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.006"
name = "TCC Manipulation"
reference = "https://attack.mitre.org/techniques/T1548/006/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1005"
name = "Data from Local System"
reference = "https://attack.mitre.org/techniques/T1005/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.006"
name = "TCC Manipulation"
reference = "https://attack.mitre.org/techniques/T1548/006/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

Stages and Predicates

Stage 1: `from`

FROM logs-endpoint.events.*

Stage 2: `where`

| WHERE host.os.type == "macos" 
    AND event.action == "tcc_modify" 
    AND Tcc.right == "allowed"
    AND Tcc.update_type == "create"
    AND Tcc.service IN ("SystemPolicyDocumentsFolder", "SystemPolicyDownloadsFolder", "SystemPolicyDesktopFolder")
    AND Effective_process.name RLIKE "(bash|zsh|sh|osascript|python.*|perl.*|ruby.*|node|Terminal|iTerm2|ghostty)"

Stage 3: `stats`

| STATS 
    Esql.grant_count = COUNT(*),
    Esql.unique_folders = COUNT_DISTINCT(Tcc.service),  
    Esql.folders = VALUES(Tcc.service)
  BY Effective_process.entity_id, Effective_process.executable, host.name, user.name

Stage 4: `where`

| WHERE Esql.unique_folders >= 2

Stage 5: `keep`

| KEEP Esql.*, Effective_process.entity_id, Effective_process.executable, host.name, user.name

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Effective_process.name`	regex_match	`(bash\|zsh\|sh\|osascript\|python.\|perl.\|ruby.*\|node\|Terminal\|iTerm2\|ghostty)`
`Esql.unique_folders`	ge	`2`
`Tcc.right`	eq	`allowed`
`Tcc.service`	in	`SystemPolicyDesktopFolder` `SystemPolicyDocumentsFolder` `SystemPolicyDownloadsFolder`
`Tcc.update_type`	eq	`create`
`event.action`	eq	`tcc_modify`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`Esql.*`	`KEEP Esql.*`
`Effective_process.entity_id`	`KEEP Effective_process.entity_id`
`Effective_process.executable`	`KEEP Effective_process.executable`
`host.name`	`KEEP host.name`
`user.name`	`KEEP user.name`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Suspicious TCC Access Granted for User Folders

MITRE ATT&CK coverage

Rule body elastic

Stages and Predicates

Stage 1: `from`

Stage 2: `where`

Stage 3: `stats`

Stage 4: `where`

Stage 5: `keep`

Indicators

Output fields

Keyboard shortcuts

Search operators

Suspicious TCC Access Granted for User Folders

MITRE ATT&CK coverage

Rule body elastic

Stages and Predicates

Stage 1: from

Stage 2: where

Stage 3: stats

Stage 4: where

Stage 5: keep

Indicators

Output fields

Stage 1: `from`

Stage 2: `where`

Stage 3: `stats`

Stage 4: `where`

Stage 5: `keep`