Suspicious TCC Access Granted for User Folders
Detects when TCC access is granted for multiple user folders like Desktop, Downloads and Documents in quick succession. Many information stealers require TCC permissions to access these locations and will prompt users to grant access for data exfiltration.
Elastic rule
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/03"

[rule]
author = ["Elastic"]
description = """
Detects when TCC access is granted for multiple user folders like Desktop, Downloads and Documents
in quick succession. Many information stealers require TCC permissions to access these locations and
will prompt users to grant access for data exfiltration.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Suspicious TCC Access Granted for User Folders"
risk_score = 73
rule_id = "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Collection",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "esql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious TCC Access Granted for User Folders

The Transparency, Consent, and Control (TCC) framework is macOS's privacy protection mechanism that controls application access to sensitive resources like the Desktop, Documents, and Downloads folders. Threat actors may manipulate the TCC database to grant unauthorized access to these protected locations, enabling data theft without triggering user consent prompts. This detection rule identifies when scripting interpreters or command-line tools create multiple TCC permission grants in rapid succession, indicating potential automated TCC manipulation.

### Possible investigation steps

- Review the Effective_process.name and Effective_process.executable fields to identify which process is creating TCC permission grants and assess whether this is expected behavior.
- Examine the Tcc.service values to understand which protected folders (Desktop, Documents, Downloads) were granted access and evaluate the sensitivity of data in those locations.
- Investigate the Effective_process.parent.executable and command_line to trace how the TCC-modifying process was launched and identify the initial execution vector.
- Review the timing and count of TCC grants to determine if this is an automated batch operation characteristic of malicious activity.
- Check the TCC.db database directly using sqlite3 to review all permission grants and identify any unauthorized entries.
- Correlate with file access events to determine if the granted permissions were subsequently used to access sensitive data.
- Review the user.name associated with the activity and verify whether they would have legitimate reasons to grant these permissions.

### False positive analysis

- Legitimate applications during first launch or installation may request TCC access, but typically through standard user prompts rather than direct database modification. Verify if application installation was expected.
- Enterprise MDM solutions may configure TCC permissions during device setup or policy enforcement. Confirm with IT operations if MDM deployments were scheduled.
- Automation and scripting workflows may require TCC access for legitimate file operations. Review with the script owner to confirm legitimacy.
- System administration tasks may involve TCC manipulation for specific operational requirements. Verify with IT staff before dismissing.

### Response and remediation

- Immediately revoke the unauthorized TCC access grants by removing the malicious entries from the TCC.db database or resetting TCC permissions for the affected application.
- Terminate the suspicious process that created the TCC grants and prevent it from restarting.
- Isolate the affected macOS system to prevent potential data exfiltration using the newly granted permissions.
- Conduct a forensic review of file access events to determine if sensitive data was accessed using the unauthorized TCC permissions.
- Scan the system for additional malware, persistence mechanisms, or indicators of compromise.
- Reset TCC permissions to their default state using tccutil reset or by deleting and recreating the TCC.db database.
- Review other systems in the environment for similar TCC manipulation activity.
- Escalate to the incident response team for comprehensive investigation if data theft is suspected.
"""
query = '''
FROM logs-endpoint.events.*
| WHERE host.os.type == "macos"
  AND event.action == "tcc_modify"
  AND Tcc.right == "allowed"
  AND Tcc.update_type == "create"
  AND Tcc.service IN ("SystemPolicyDocumentsFolder", "SystemPolicyDownloadsFolder", "SystemPolicyDesktopFolder")
  AND Effective_process.name RLIKE "(bash|zsh|sh|osascript|python.*|perl.*|ruby.*|node|Terminal|iTerm2|ghostty)"
| STATS
    Esql.grant_count = COUNT(*),
    Esql.unique_folders = COUNT_DISTINCT(Tcc.service),
    Esql.folders = VALUES(Tcc.service)
  BY Effective_process.entity_id, Effective_process.executable, host.name, user.name
| WHERE Esql.unique_folders >= 2
| KEEP Esql.*, Effective_process.entity_id, Effective_process.executable, host.name, user.name
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Defense Evasion"
  id = "TA0005"
  reference = "https://attack.mitre.org/tactics/TA0005/"

  [[rule.threat.technique]]
  name = "Abuse Elevation Control Mechanism"
  id = "T1548"
  reference = "https://attack.mitre.org/techniques/T1548/"

    [[rule.threat.technique.subtechnique]]
    name = "TCC Manipulation"
    id = "T1548.006"
    reference = "https://attack.mitre.org/techniques/T1548/006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Collection"
  id = "TA0009"
  reference = "https://attack.mitre.org/tactics/TA0009/"

  [[rule.threat.technique]]
  name = "Data from Local System"
  id = "T1005"
  reference = "https://attack.mitre.org/techniques/T1005/"
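To make the ES|QL logic concrete, the following Python re-implements the rule's filter and STATS/threshold stages over a handful of constructed Elastic Defend-style events. This is an added example, not Elastic's code: the event dictionaries are invented samples keyed by the rule's own field names, and the batch of events stands in for the rule's `now-9m` lookback window. ES|QL `RLIKE` must match the entire string, so the interpreter pattern is applied with `fullmatch`.

```python
import re
from collections import defaultdict

# The three folder services the rule watches (same literals as the ES|QL query).
FOLDER_SERVICES = {
    "SystemPolicyDocumentsFolder",
    "SystemPolicyDownloadsFolder",
    "SystemPolicyDesktopFolder",
}

# Same alternation as the rule's RLIKE; RLIKE is anchored to the whole string.
INTERPRETER_RE = re.compile(
    r"(bash|zsh|sh|osascript|python.*|perl.*|ruby.*|node|Terminal|iTerm2|ghostty)"
)


def make_event(entity_id, name, executable, service, right="allowed",
               update_type="create", host="mac-01", user="alice"):
    """Build one constructed tcc_modify event using the rule's field names."""
    return {
        "host.os.type": "macos",
        "event.action": "tcc_modify",
        "Tcc.right": right,
        "Tcc.update_type": update_type,
        "Tcc.service": service,
        "Effective_process.name": name,
        "Effective_process.entity_id": entity_id,
        "Effective_process.executable": executable,
        "host.name": host,
        "user.name": user,
    }


# Constructed sample batch (not real telemetry). Only p-1 should alert.
SAMPLE_EVENTS = [
    # p-1: osascript creates allow grants for three folders in one burst -> alert
    make_event("p-1", "osascript", "/usr/bin/osascript", "SystemPolicyDesktopFolder"),
    make_event("p-1", "osascript", "/usr/bin/osascript", "SystemPolicyDocumentsFolder"),
    make_event("p-1", "osascript", "/usr/bin/osascript", "SystemPolicyDownloadsFolder"),
    # p-2: python3 grants the same folder twice -> grant_count 2, unique_folders 1
    make_event("p-2", "python3", "/usr/bin/python3", "SystemPolicyDownloadsFolder"),
    make_event("p-2", "python3", "/usr/bin/python3", "SystemPolicyDownloadsFolder"),
    # p-3: Finder is not an interpreter -> filtered out before aggregation
    make_event("p-3", "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
               "SystemPolicyDesktopFolder"),
    make_event("p-3", "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
               "SystemPolicyDocumentsFolder"),
    # p-4: one grant is an update, not a create -> only one counted folder
    make_event("p-4", "zsh", "/bin/zsh", "SystemPolicyDesktopFolder", update_type="update"),
    make_event("p-4", "zsh", "/bin/zsh", "SystemPolicyDocumentsFolder"),
    # p-5: a denied row is not a grant -> only one counted folder
    make_event("p-5", "bash", "/bin/bash", "SystemPolicyDesktopFolder"),
    make_event("p-5", "bash", "/bin/bash", "SystemPolicyDocumentsFolder", right="denied"),
]


def matches_filter(event):
    """The rule's WHERE stage: macOS tcc_modify allow-create on a watched folder by an interpreter."""
    return (
        event.get("host.os.type") == "macos"
        and event.get("event.action") == "tcc_modify"
        and event.get("Tcc.right") == "allowed"
        and event.get("Tcc.update_type") == "create"
        and event.get("Tcc.service") in FOLDER_SERVICES
        and INTERPRETER_RE.fullmatch(event.get("Effective_process.name", "")) is not None
    )


def evaluate(events, min_unique_folders=2):
    """The rule's STATS ... BY and threshold stages; returns one alert row per qualifying group."""
    groups = defaultdict(list)
    for event in events:
        if matches_filter(event):
            key = (event["Effective_process.entity_id"], event["Effective_process.executable"],
                   event["host.name"], event["user.name"])
            groups[key].append(event["Tcc.service"])

    alerts = []
    for (entity_id, executable, host, user), services in groups.items():
        unique = sorted(set(services))
        if len(unique) >= min_unique_folders:  # WHERE Esql.unique_folders >= 2
            alerts.append({
                "Esql.grant_count": len(services),
                "Esql.unique_folders": len(unique),
                "Esql.folders": unique,
                "Effective_process.entity_id": entity_id,
                "Effective_process.executable": executable,
                "host.name": host,
                "user.name": user,
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The negative cases are the ones worth keeping in mind when tuning: a repeated grant to a single folder, an `update` to an existing row, and a `denied` row all fall below the two-distinct-folders threshold, so the rule fires on breadth of access rather than volume of events.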
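The investigation guide's step of checking TCC.db directly with sqlite3 can be scripted so the same per-client burst heuristic is applied to the on-disk rows. The example below is added here and is not part of Elastic's rule or guide: it builds an in-memory SQLite table that mirrors a subset of the real `access` table (`service`, `client`, `client_type`, `auth_value`, `last_modified`; the real table has more columns), fills it with constructed rows, and lists allowed folder grants ordered by modification time. TCC.db stores service names with a `kTCCService` prefix, so the rule's `Tcc.service` values correspond to the suffix of the names used here; `auth_value` 2 is an allow row and 0 a deny row. The 540-second window is the rule's `now-9m` lookback, reused as a constructed parameter.

```python
import sqlite3
from collections import defaultdict

# Folder services as stored in TCC.db (prefixed form of the rule's Tcc.service values).
FOLDER_SERVICES = (
    "kTCCServiceSystemPolicyDesktopFolder",
    "kTCCServiceSystemPolicyDocumentsFolder",
    "kTCCServiceSystemPolicyDownloadsFolder",
)
AUTH_ALLOWED = 2   # auth_value: 2 = allowed, 0 = denied
AUTH_DENIED = 0
CLIENT_BUNDLE_ID = 0  # client_type: 0 = bundle identifier, 1 = absolute path
CLIENT_PATH = 1


def open_tcc_db(path):
    """Open a real user TCC.db read-only (e.g. ~/Library/Application Support/com.apple.TCC/TCC.db)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_tcc_db():
    """In-memory stand-in for TCC.db with constructed rows; column set is a subset of the real table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access ("
        " service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,"
        " auth_value INTEGER NOT NULL, last_modified INTEGER NOT NULL)"
    )
    base = 1_700_000_000  # constructed epoch seconds
    rows = [
        # A notes app granted Documents a day ago via a normal prompt: benign
        ("kTCCServiceSystemPolicyDocumentsFolder", "com.example.notes", CLIENT_BUNDLE_ID, AUTH_ALLOWED, base - 86400),
        # A backup tool granted two folders an hour apart: two folders, but not a burst
        ("kTCCServiceSystemPolicyDesktopFolder", "com.example.backup", CLIENT_BUNDLE_ID, AUTH_ALLOWED, base - 7200),
        ("kTCCServiceSystemPolicyDocumentsFolder", "com.example.backup", CLIENT_BUNDLE_ID, AUTH_ALLOWED, base - 3600),
        # osascript granted all three folders within seconds: the pattern the rule targets
        ("kTCCServiceSystemPolicyDesktopFolder", "/usr/bin/osascript", CLIENT_PATH, AUTH_ALLOWED, base),
        ("kTCCServiceSystemPolicyDocumentsFolder", "/usr/bin/osascript", CLIENT_PATH, AUTH_ALLOWED, base + 2),
        ("kTCCServiceSystemPolicyDownloadsFolder", "/usr/bin/osascript", CLIENT_PATH, AUTH_ALLOWED, base + 4),
        # A denied row is not a grant
        ("kTCCServiceSystemPolicyDownloadsFolder", "/usr/bin/python3", CLIENT_PATH, AUTH_DENIED, base + 10),
        # A non-folder service is out of scope for this check
        ("kTCCServiceCamera", "com.example.video", CLIENT_BUNDLE_ID, AUTH_ALLOWED, base),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def list_folder_grants(conn):
    """All allow rows for the watched folder services, oldest first."""
    placeholders = ", ".join("?" * len(FOLDER_SERVICES))
    cur = conn.execute(
        f"SELECT client, client_type, service, last_modified FROM access"
        f" WHERE service IN ({placeholders}) AND auth_value = ?"
        f" ORDER BY last_modified",
        (*FOLDER_SERVICES, AUTH_ALLOWED),
    )
    cols = ("client", "client_type", "service", "last_modified")
    return [dict(zip(cols, row)) for row in cur]


def clients_with_burst(grants, window_seconds=540, min_folders=2):
    """Clients granted >= min_folders distinct folders inside one window; mirrors the rule's threshold."""
    by_client = defaultdict(list)
    for g in grants:
        by_client[g["client"]].append((g["last_modified"], g["service"]))
    flagged = {}
    for client, items in by_client.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            folders = {svc for t, svc in items[i:] if t - t0 <= window_seconds}
            if len(folders) >= min_folders:
                flagged[client] = sorted(folders)
                break
    return flagged


if __name__ == "__main__":
    db = build_sample_tcc_db()
    grants = list_folder_grants(db)
    for g in grants:
        print(g)
    print(clients_with_burst(grants))
```

Against a real database, replace `build_sample_tcc_db()` with `open_tcc_db(path)` on a copy of the file taken during collection; the user-level TCC.db is itself TCC-protected, so the collecting process needs Full Disk Access or an equivalent forensic acquisition path. The backup client shows why the time window matters: it holds grants to two folders, but an hour apart, which is the kind of legitimate accumulation the rule's short window is meant to exclude.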
Related rules
- Dylib Injection via Process Environment Variables
- Gatekeeper Override and Execution
- Pbpaste Execution via Unusual Parent Process
- Persistence via a Hidden Plist Filename
- Sensitive File Access followed by Compression