Potential Privacy Control Bypass via TCCDB Modification

Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.

Elastic rule:

```toml
[metadata]
creation_date = "2020/12/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
description = """
Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may
indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera,
microphone, address book, and calendar.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privacy Control Bypass via TCCDB Modification"
references = [
    "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
    "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
    "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8",
]
risk_score = 47
rule_id = "eea82229-b002-470e-a9e1-00be38b14d32"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and
 process.args : "/*/Application Support/com.apple.TCC/TCC.db" and
 not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Privacy Control Bypass via TCCDB Modification

The Transparency, Consent, and Control (TCC) database in macOS manages app permissions for accessing sensitive resources. Adversaries may exploit this by using tools like sqlite3 to alter the TCC database, bypassing privacy controls. The detection rule identifies such attempts by monitoring for suspicious sqlite3 activity targeting the TCC database, excluding legitimate processes, to flag potential privacy control bypasses.

### Possible investigation steps

- Review the process details to confirm the use of sqlite3, focusing on the process name and arguments to ensure they match the pattern "sqlite*" and include the path "/*/Application Support/com.apple.TCC/TCC.db".
- Investigate the parent process of the sqlite3 activity to determine if it is a known legitimate process or if it appears suspicious, especially if it is not from "/Library/Bitdefender/AVP/product/bin/*".
- Check the timestamp of the sqlite3 activity to correlate it with any other unusual system behavior or alerts that occurred around the same time.
- Examine the user account associated with the process to determine if it has a history of legitimate administrative actions or if it might be compromised.
- Look for any recent changes or anomalies in the TCC database permissions that could indicate unauthorized modifications.
- Assess the system for other signs of compromise, such as unexpected network connections or additional unauthorized processes running, to determine if the sqlite3 activity is part of a larger attack.

### False positive analysis

- Security software like Bitdefender may legitimately access the TCC database for scanning purposes. To prevent these from being flagged, ensure that the process parent executable path for such software is added to the exclusion list.
- System maintenance tools that perform regular checks or backups might access the TCC database. Identify these tools and add their process paths to the exclusion list to avoid false alerts.
- Developer tools used for testing applications may interact with the TCC database. If these tools are frequently used in your environment, consider excluding their process paths to reduce noise.
- Administrative scripts that automate system configurations might modify the TCC database. Review these scripts and, if deemed safe, exclude their process paths from the detection rule.
- Regular system updates or patches could trigger access to the TCC database. Monitor these events and, if consistent with update schedules, adjust the rule to exclude these specific update processes.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious sqlite3 processes identified in the alert to stop ongoing unauthorized modifications to the TCC database.
- Restore the TCC database from a known good backup to ensure that all privacy settings are reverted to their legitimate state.
- Conduct a thorough review of recent changes to the TCC database to identify any unauthorized access or modifications to sensitive resources.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Implement additional monitoring on the affected system to detect any further attempts to modify the TCC database or other unauthorized activities.
- Review and update access controls and permissions for the TCC database to ensure only authorized processes can make changes, reducing the risk of future bypass attempts."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
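The query's matching logic, re-implemented in Python over constructed process events so each clause (OS, event type, `sqlite*` name glob, TCC.db path glob on the `process.args` array, parent-executable exclusion) can be exercised offline. This is an added example, not Elastic's code; the flat dictionaries keyed by ECS field name, the sample events and the `alert_indices` helper are assumptions of this example.

```python
import fnmatch

# Patterns and exclusions copied from the rule's EQL query.
NAME_PATTERN = "sqlite*"
ARG_PATTERN = "/*/Application Support/com.apple.TCC/TCC.db"
PARENT_EXCLUSIONS = ["/Library/Bitdefender/AVP/product/bin/*"]  # extend per FP analysis
START_TYPES = {"start", "process_started"}


def glob_ci(value, pattern):
    """EQL ':' operator: case-insensitive wildcard match where '*' also spans '/'."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event, exclusions=PARENT_EXCLUSIONS):
    """True when a flat ECS-keyed event dict (assumed layout) satisfies every clause."""
    if event.get("host.os.type") != "macos":
        return False
    if event.get("event.type") not in START_TYPES:
        return False
    if not glob_ci(event.get("process.name", ""), NAME_PATTERN):
        return False
    # process.args is an array field; ':' matches if any element matches.
    if not any(glob_ci(a, ARG_PATTERN) for a in event.get("process.args", [])):
        return False
    parent = event.get("process.parent.executable", "")
    return not any(glob_ci(parent, ex) for ex in exclusions)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: interactive shell opening the system TCC.db -> alert
    {"host.os.type": "macos", "event.type": "start", "process.name": "sqlite3",
     "process.args": ["sqlite3", "/Library/Application Support/com.apple.TCC/TCC.db"],
     "process.parent.executable": "/bin/zsh"},
    # 1: same action from the excluded security-software parent -> suppressed
    {"host.os.type": "macos", "event.type": "start", "process.name": "sqlite3",
     "process.args": ["sqlite3", "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"],
     "process.parent.executable": "/Library/Bitdefender/AVP/product/bin/scanner"},
    # 2: sqlite3 on an unrelated database -> path clause does not match
    {"host.os.type": "macos", "event.type": "start", "process.name": "sqlite3",
     "process.args": ["sqlite3", "/Users/alice/notes.db"],
     "process.parent.executable": "/bin/zsh"},
]


def alert_indices(events=SAMPLE_EVENTS, exclusions=PARENT_EXCLUSIONS):
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e, exclusions)]
```

Passing a longer `exclusions` list to `alert_indices` mirrors the tuning described under the rule's false positive analysis, so the effect of a new parent-path exclusion can be checked against recorded events before it is added to the query.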
