
TCC Privacy Permission Change Detected

Detects a TCC permission change event via macOS Unified Logs TCC telemetry. The com.apple.TCC subsystem logs a publishAccessChangedEvent message when a TCC permission is granted, revoked, or modified for an application. Permission changes are a normal part of macOS administration, but unexpected or unauthorized changes may indicate an attacker tampering with TCC protections to gain access to sensitive resources such as Full Disk Access, Screen Capture, Camera, Microphone, or Accessibility. TCC database manipulation is a known technique used by macOS malware to bypass privacy protections. The detection relies only on the com.apple.TCC subsystem's public log messages and does not require private data logging to be enabled.

Rule type: esql
Rule indices:

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: macOS
  • Data Source: macOS Unified Logs
  • Data Source: Unified Logs
  • Use Case: Threat Detection
  • Resources: Investigation Guide
  • Tactic: Defense Evasion

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule detects publishAccessChangedEvent messages in TCC logs, which are emitted when a TCC permission entry is created, modified, or removed. This includes both user-initiated changes (via System Settings) and programmatic modifications (via tccutil, direct TCC.db manipulation, or MDM configuration profiles).

Possible investigation steps

  • Review the message field to determine which TCC service permission was changed and for which application.
  • Check if the change was user-initiated by correlating with System Settings or MDM activity.
  • Look for tccutil reset or direct TCC.db file access events that may indicate programmatic permission manipulation.
  • Check if the permission change grants access to sensitive services (Full Disk Access, Accessibility, Screen Capture) for an unexpected application.
  • Correlate with process execution logs to determine if any suspicious process triggered the permission change.
  • Review the host for signs of TCC.db manipulation (e.g., SIP bypass, direct database writes, fake TCC.db attacks).

False positive analysis

  • User-initiated permission changes via System Settings are normal administrative activity.
  • MDM-managed devices commonly have permissions pushed via configuration profiles, which generate these events.
  • Application installers may request and receive permissions during setup.
  • macOS updates may reset or modify TCC permissions.

Response and remediation

  • If the permission change is unauthorized, immediately review what access was granted and to which application.
  • Revoke any suspicious permissions via System Settings or tccutil reset.
  • Investigate the source of the change; if TCC.db was directly modified, this may indicate SIP bypass or privilege escalation.
  • Check for persistence mechanisms associated with the application that received the permission change.
FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND unified_log.subsystem == "com.apple.TCC"
  AND message LIKE "*publishAccessChangedEvent*"
| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, message

Framework: MITRE ATT&CK