Full Disk Access Permission Check
Detects suspicious access to the /Library/Preferences/com.apple.TimeMachine.plist file, indicating a potential attempt to verify or exploit Full Disk Access (FDA) permissions. This file is often checked by malware to confirm FDA privileges, which allow unrestricted access to sensitive user data.
Elastic rule
```toml
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects suspicious access to the /Library/Preferences/com.apple.TimeMachine.plist file, indicating a potential
attempt to verify or exploit Full Disk Access (FDA) permissions. This file is often checked by malware to
confirm FDA privileges, which allow unrestricted access to sensitive user data.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Full Disk Access Permission Check"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Full Disk Access Permission Check

This rule detects suspicious reads of the Time Machine preferences plist that adversaries use as a quick litmus test for Full Disk Access, a permission that unlocks broad visibility into user and system data. Attackers commonly launch a scriptable or unsigned helper (for example via Python or AppleScript) to open this file, confirm FDA is present, then proceed to enumerate and collect protected artifacts like browser stores, messages, or backups.

### Possible investigation steps

- Validate the opening process lineage (parent/child chain, launch method, user session) to determine whether the access originated from an interactive admin action or an unexpected background helper.
- Review the process code-signing identity (signer, notarization, team ID) and binary provenance (download attributes, install source, first-seen time) to distinguish legitimate tooling from potentially dropped or trojanized executables.
- Pivot to other file and directory access by the same process around the alert time to identify follow-on discovery/collection of protected user data (e.g., browser profiles, keychain-related paths, Messages, Mail, backups).
- Check recent and concurrent macOS privacy permission changes and TCC/FDA-related events for the user and process to see if FDA was newly granted, prompted, or bypassed preceding the access.
- Correlate with network activity from the same process or host after the check (new outbound connections, uploads, DNS to uncommon domains) to assess whether the FDA verification preceded staging or exfiltration.

### False positive analysis

- An administrator or power user running an interactive shell (Terminal, bash/sh, python) executes a local audit or troubleshooting script that reads /Library/Preferences/com.apple.TimeMachine.plist to confirm Time Machine configuration and permissions.
- A developer or IT engineer uses a scripting runtime (osascript, node, ruby, perl, python) during endpoint diagnostics to check whether the current session/app context has Full Disk Access by attempting to open the Time Machine preference plist.

### Response and remediation

- Isolate the Mac from the network or apply host firewall blocks if the plist access comes from an unexpected/unsigned process or occurs outside an active user session to prevent follow-on collection and exfiltration.
- Terminate the offending process and remove its persistence (LaunchAgents/LaunchDaemons, cron, login items) and any newly dropped executables or scripts found in user-writable paths that launched the plist check.
- Revoke Full Disk Access for the suspicious app in Privacy & Security settings, reset TCC permissions if tampering is suspected, and rotate credentials/tokens exposed on the host (browser sessions, SSH keys, API keys) if protected data access is likely.
- Collect and preserve evidence (the binary and its hash, quarantine/xattr info, parent process, relevant unified logs, and a copy of the accessed plist) before cleanup, then run a full endpoint malware scan and validate no additional sensitive files were accessed immediately after the check.
- Restore system integrity by updating macOS and security tools, reinstalling or re-imaging if core components were modified, and confirm normal Time Machine configuration after remediation to ensure operational recovery.
- Escalate to IR/SECOPS immediately if the process is unsigned/notarization-missing, shows persistence, or makes outbound connections after the plist read, and harden by enforcing MDM controls that restrict FDA grants and block execution of untrusted scripting runtimes where feasible.
"""
risk_score = 47
rule_id = "e26c0f76-2e80-445b-9e98-ab5532ccc46f"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "macos" and event.action == "open" and
  file.path == "/Library/Preferences/com.apple.TimeMachine.plist" and
  (process.name in ("osascript", "perl", "node", "ruby", "bash", "sh", "Terminal") or
   process.name like "python*" or
   process.code_signature.trusted == false or
   process.code_signature.exists == false)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Discovery"
  id = "TA0007"
  reference = "https://attack.mitre.org/tactics/TA0007/"

  [[rule.threat.technique]]
  name = "File and Directory Discovery"
  id = "T1083"
  reference = "https://attack.mitre.org/techniques/T1083/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Defense Evasion"
  id = "TA0005"
  reference = "https://attack.mitre.org/tactics/TA0005/"

  [[rule.threat.technique]]
  name = "Abuse Elevation Control Mechanism"
  id = "T1548"
  reference = "https://attack.mitre.org/techniques/T1548/"

    [[rule.threat.technique.subtechnique]]
    name = "TCC Manipulation"
    id = "T1548.006"
    reference = "https://attack.mitre.org/techniques/T1548/006/"
```
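To make the query's predicate concrete, the following is an added Python re-implementation of the rule logic (not Elastic's code) run over constructed ECS-style file events; the field names follow the rule, the sample process names and paths are made up, and it shows which branch each event matches, including the signed Apple tool and non-open actions that do not fire.

```python
import fnmatch

TARGET = "/Library/Preferences/com.apple.TimeMachine.plist"
SCRIPT_HOSTS = {"osascript", "perl", "node", "ruby", "bash", "sh", "Terminal"}


def make_event(name, action="open", os_type="macos", path=TARGET, **sig):
    """Build a flat ECS-style file event (constructed sample, not real telemetry)."""
    event = {"host.os.type": os_type, "event.action": action,
             "file.path": path, "process.name": name}
    # sig keys (exists / trusted) map onto process.code_signature.*
    event.update({f"process.code_signature.{k}": v for k, v in sig.items()})
    return event


# Constructed sample events covering each branch of the rule's predicate.
SAMPLE_EVENTS = [
    make_event("python3.12", exists=True, trusted=True),        # matches like "python*"
    make_event("tmutil", exists=True, trusted=True),            # signed Apple tool: no match
    make_event("updater_helper", exists=False),                 # unsigned helper: matches
    make_event("Dropper", exists=True, trusted=False),          # untrusted signature: matches
    make_event("osascript", action="modification", exists=True, trusted=True),  # not an open
    make_event("bash", os_type="linux", exists=True, trusted=True),             # wrong OS
    make_event("bash", path="/Users/alice/.bash_history", exists=True, trusted=True),  # other file
]


def matches_rule(event):
    """True when the event satisfies the rule's EQL `file where ...` predicate."""
    if event.get("host.os.type") != "macos" or event.get("event.action") != "open":
        return False
    if event.get("file.path") != TARGET:
        return False
    name = event.get("process.name", "")
    # EQL `like "python*"` is a case-sensitive glob; fnmatchcase mirrors that.
    if name in SCRIPT_HOSTS or fnmatch.fnmatchcase(name, "python*"):
        return True
    # In EQL a missing field never equals false, so compare with `is False`
    # rather than `not event.get(...)`, which would also fire on absent fields.
    return (event.get("process.code_signature.trusted") is False
            or event.get("process.code_signature.exists") is False)


def alerting_processes(events):
    """Names of the processes that would raise this alert, in event order."""
    return [e["process.name"] for e in events if matches_rule(e)]
```

The signed `tmutil` read is the shape of the false positives the guide describes; it only falls outside the rule because it is neither a listed interpreter nor unsigned.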
Related rules
- DNS Request for IP Lookup Service via Unsigned Binary
- Discovery Command Output Written to Suspicious File
- External IP Address Discovery via Curl
- Suspicious SIP Check by macOS Application
- System and Network Configuration Check