TCC Permission Probing Without Prompt Entitlement

Detects, via macOS Unified Logs TCC telemetry, applications probing for TCC permissions they cannot prompt for. The com.apple.TCC subsystem logs when a service "does not allow prompting" and the access request is automatically denied. This pattern indicates an application attempted to access a protected resource (such as Accessibility, Full Disk Access, or Screen Capture) for which it has no entitlement to trigger the user consent prompt. Malware may probe TCC services to discover which permissions are available or to attempt access without user interaction. This detection uses the com.apple.TCC subsystem with the access category and does not require private data logging to be enabled.

Rule type: esql
Rule indices:

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: macOS
  • Data Source: macOS Unified Logs
  • Data Source: Unified Logs
  • Use Case: Threat Detection
  • Resources: Investigation Guide
  • Tactic: Discovery

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule detects the "does not allow prompting" TCC pattern, which indicates an application attempted to access a protected service but lacks the entitlement to trigger the user consent dialog. The request is automatically denied. This is distinct from a user-denied request and often indicates unauthorized permission probing.

  • Review the message field to identify which TCC service was probed and the process identity (bundle ID, binary path, PID).
  • Check if the application is known and whether it legitimately requires the probed permission.
  • Look for multiple distinct TCC services being probed by the same process, which may indicate systematic permission enumeration.
  • Correlate with Elastic Defend telemetry to understand how the process was launched and its parent chain.
  • Check if the probing process was recently installed, downloaded, or executed from a suspicious location (e.g., /tmp/, /Users/Shared/).
  • Review other TCC events and Apple Event activity on the same host for related attack chain indicators.

  • Endpoint security agents and IT management tools commonly probe for Accessibility and Full Disk Access permissions on startup.
  • Applications performing feature discovery may check which permissions are available before offering functionality.
  • Development tools and scripts may trigger this pattern during testing.

  • If the probing application is unknown or suspicious, investigate its origin and purpose.
  • Systematic probing across multiple TCC services from a single process is a strong indicator of malicious reconnaissance.
  • Isolate the host if additional indicators of compromise are identified.

FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND unified_log.subsystem == "com.apple.TCC"
  AND unified_log.category == "access"
  AND message LIKE "*does not allow prompting*"
| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, message

Framework: MITRE ATT&CK
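As an added example, not part of the Elastic rule itself: a Python sketch of the triage step above, grouping "does not allow prompting" events by process to spot a single process probing several distinct TCC services. It runs over constructed events shaped like the fields the rule's KEEP clause returns. The message wording, the client= and pid= fields, and the com.example.* bundle IDs are assumptions; real com.apple.TCC message text may be worded differently, which is why the rule itself matches only on the substring.

```python
import re
from collections import defaultdict

# Constructed events in the shape of the rule's KEEP output (subset of fields).
def _event(message, subsystem="com.apple.TCC", category="access"):
    return {"host.name": "mac-01", "unified_log.subsystem": subsystem,
            "unified_log.category": category, "message": message}

DENIED = "does not allow prompting; returning denied"
SAMPLE_EVENTS = [  # constructed sample data; message layout is an assumption
    _event(f"service=kTCCServiceAccessibility, client=com.example.probe, pid=4242: {DENIED}"),
    _event(f"service=kTCCServiceSystemPolicyAllFiles, client=com.example.probe, pid=4242: {DENIED}"),
    _event(f"service=kTCCServiceScreenCapture, client=com.example.probe, pid=4242: {DENIED}"),
    # A single Accessibility probe at startup, the benign EDR-agent pattern noted above.
    _event(f"service=kTCCServiceAccessibility, client=com.example.edr-agent, pid=512: {DENIED}"),
    # A user-denied request: different text, so the rule does not fire on it.
    _event("service=kTCCServiceScreenCapture, client=com.example.app, pid=777: user denied request"),
    # Different subsystem/category: outside the rule's WHERE clause.
    _event("client=com.example.probe, pid=4242 sent Apple Event",
           subsystem="com.apple.coreservices", category="appleevents"),
]

MATCH = "does not allow prompting"          # same substring the ES|QL rule uses
SERVICE_RE = re.compile(r"(kTCCService\w+)")  # e.g. kTCCServiceAccessibility
CLIENT_RE = re.compile(r"client=([^,\s:]+)")
PID_RE = re.compile(r"pid=(\d+)")

def parse_probe(event):
    """Return (client, pid, service) for an event the rule would match, else None."""
    if (event.get("unified_log.subsystem") != "com.apple.TCC"
            or event.get("unified_log.category") != "access"):
        return None
    msg = event.get("message", "")
    if MATCH not in msg:
        return None
    service, client, pid = SERVICE_RE.search(msg), CLIENT_RE.search(msg), PID_RE.search(msg)
    return (client.group(1) if client else "unknown",
            int(pid.group(1)) if pid else -1,
            service.group(1) if service else "unknown")

def probes_by_process(events):
    """Map (client, pid) -> set of distinct TCC services that process probed."""
    out = defaultdict(set)
    for ev in events:
        parsed = parse_probe(ev)
        if parsed:
            client, pid, service = parsed
            out[(client, pid)].add(service)
    return out

def systematic_probers(events, min_services=2):
    """Processes probing at least min_services distinct services: the enumeration pattern to escalate."""
    return {k: sorted(v) for k, v in probes_by_process(events).items() if len(v) >= min_services}
```

The single-service hit from the EDR agent stays in probes_by_process for review but is not flagged by systematic_probers, mirroring the false-positive guidance above.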