[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

Abuse Elevation Control Mechanism: TCC Manipulation

Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).

When an application requests to access data or a service protected by TCC, the TCC daemon (tccd) checks the TCC database, located at /Library/Application Support/com.apple.TCC/TCC.db (and ~/ equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.[1]

Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through Process Injection or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious AppleScript. When executing under the Finder App, the malicious AppleScript inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and Launchctl.[2][3]

ID: T1548.006
Sub-technique of:  T1548
Platforms: macOS
Contributors: Csaba Fitzl @theevilbit of Kandji; Marina Liang; Wojciech Reguła @_r3ggi
Version: 1.1
Created: 21 March 2024
Last Modified: 16 October 2024

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check applications using Automation under Security & Privacy System Preferences. To reset permissions, user's can utilize the tccutil reset command. When using Mobile Device Management (MDM), review the list of enabled or disabled applications in the MDMOverrides.plist which overrides the TCC database.[2]

M1026 Privileged Account Management

Remove unnecessary users from the local administrator group on systems.

M1022 Restrict File and Directory Permissions

When using an MDM, ensure the permissions granted are specific to the requirements of the binary. Full Disk Access should be restricted to only necessary binaries in alignment with policy.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may abuse or modify TCC mechanisms designed to control access to elevated privileges. macOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.

DS0022 File File Modification

Monitor for changes to files associated with TCC settings, such as /Library/Application Support/com.apple.TCC/TCC.db and the overwrites file.

DS0009 Process Process Creation

Monitor for abnormal processes executing under applications with elevated access.

References