{ "id": "d45b22ef-a376-434f-9ec8-4db1716b7892", "created_at": "2026-04-29T02:21:38.284487Z", "updated_at": "2026-04-29T08:22:12.683018Z", "deleted_at": null, "sha1_hash": "8b7379363ff30208137df63589f03fe755886953", "title": "Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation - Interpres Security", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 522755, "plain_text": "Return of the mac(OS): Transparency, Consent, and Control\r\n(TCC) Database Manipulation - Interpres Security\r\nArchived: 2026-04-29 02:07:22 UTC\r\nSummary\r\nDiscover insights into prominent malware campaigns, their connections to Democratic People’s Republic of\r\nKorea (DPRK) adversary behaviors and gain valuable insights on threat hunting queries. This report will equip\r\ndefenders with essential recommendations to safeguard against TCC.db abuse and stay ahead in the ever-changing\r\ncybersecurity landscape.\r\nPreface\r\nHistorically, Windows has had a stronghold on the desktop market, and hence, security vendors focused their\r\ndetection and prevention efforts primarily on Windows-based threats. However, over the years, corporations are\r\nincreasingly leveraging MacBook laptops, and current trends indicate Apple is gaining market share, averaging\r\n1% a year over the past 14 years (from 3% to 16.5%).\r\nSource: Statcounter, accessed January 26, 2024\r\nWith macOS increasing in market presence, and in turn, eCrime and nation-state adversaries such as the\r\nDemocratic People’s Republic of Korea (DPRK)-attributed Lazarus pivoting to macOS, awareness of current and\r\nemerging macOS techniques is crucial to ensuring holistic prevention. This report will dive into some recently\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 1 of 15\n\nobserved bypasses and tactics on macOS, how they are leveraged by adversaries and malware campaigns, with a\r\nbehind-the-scenes look into my research and threat hunting, starting with the TCC database. Lastly, it will\r\nconclude with best practices and how defenders can detect or defend against these TTPs.\r\nPrimer on the TCC Database\r\nI referenced the TCC database in my MITRE ATT\u0026CKCon; talk in 2023, so feel free to check that out.\r\nFor a deeper dive into the TCC framework, refer to Phil Stokes’ writeup. For those of us new to macOS internals,\r\nhere is an abridged version: The TCC framework is responsible for user security and privacy controls on Apple\r\ndevices. There are two TCC databases on Apple devices, one at the system level: /Library/Application\r\nSupport/com.apple.TCC/TCC.db, and one at the user level: $HOME/Library/Application\r\nSupport/com.apple.TCC/TCC.db. The system level TCC database is protected by System Integrity Protection\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 2 of 15\n\n(SIP), so it cannot be written to unless SIP is bypassed or disabled. The user level database can only be written to\r\nby a privileged process with proper entitlements, such as Full Disk Access (FDA).\r\nUser prompt to allow or deny an application access to a specific TCC protected item.\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 3 of 15\n\nmacOS Privacy \u0026 Security Objects\r\nIf you have a keen eye, you’ll notice that TCC does not  protect all folders and data on macOS -this will be\r\nimportant in later discussions.\r\nTccd is the dedicated for TCC; it exists for each logged-in user and system. This daemon is idle until it receives a\r\nrequest for an app to access TCC-protected data. The workflow is as follows:\r\nmacOS TCCD Workflow\r\nmacOS Tccd Workflow\r\nHistorical Bypasses and Limitations of TCC\r\nWriting to TCC.db\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 4 of 15\n\nThe TCC framework on the surface seems like a win for security practitioners, but historically there have been\r\nmany issues. I won’t dive into all the bypasses, but if you are interested, I will list references at the bottom of this\r\nblog post for additional reading.\r\nIn earlier implementations, a malicious actor could directly write to TCC.db to give themselves permissions\r\nwithout prompting the user. If an app could write to TCC.db using sqlite3 INSERT commands, it can give itself all\r\nthe relevant TCC entitlements. Thankfully, Apple addressed this issue with the implementation of System Integrity\r\nProtection (SIP) in macOS Sierra+. SIP was introduced as a security feature to prevent malicious files from\r\nmodifying protected files.\r\nIn CVE-2020–9934, an actor could supply their own TCC.db. The gist of the bypass is as follows: an app cannot\r\nmodify the database unless it has the entitlements: Com.apple.private.tcc.manager and\r\ncom.apple.rootless.storage.TCC. If an actor finds a program with correct entitlements, they could control the\r\nTCC.db and use the tccd daemon to open an attacker-supplied TCC.db. Apple thankfully patched this Jul 15,\r\n2020, in Security-Update 2020-004.\r\nSimilarly, in CVE-2020-27937, an actor can gain control of TCC by modifying the NFSHomeDirectory entry\r\nunder the Directory Utility app. For context, the TCC daemon retrieves user information via opendirectoryd,  and\r\nthe corresponding directory utility, located at /System/Library/CoreServices/Applications/Directory Utility.app has\r\nthe TCC entitlement (kTCCServiceSystemPolicySysAdminFiles) to allow it to modify the opendirectory files in\r\n/var/db/dslocal/nodes.\r\nTherefore, a malicious actor could do the following to bypass the user TCC:\r\n1\r\nCopy the Directory Utility to a directory not protected by SIP.\r\n2\r\nInject a malicious plugin (Mach-O bundle with a .daplug extension) to be executed with the Directory Utility’s\r\nprivate TCC entitlements.\r\n3\r\nPrepare a fake TCC SQLite3 database with desired permissions.\r\n4\r\nModify the NFSHomeDirectory to point to the fake TCC database.\r\n5\r\nRestart TCCd, and it will load the fake database based on the NFSHomeDirectory.\r\n6\r\nProfit!\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 5 of 15\n\nWhat does TCC Protect?\r\nAs alluded to earlier, the TCC.db protects accessing specific folders, such as the Desktop and Documents.\r\nHowever, that does not prevent a user or unprivileged process from writing files to TCC “protected” areas and\r\ndoes not stop those files from being read. Therefore, malware authors could use these TCC protected areas as\r\nstaging directories for their malware or secondary payloads.\r\nuser@macOShost ~ % ls Documents ls: Documents: Operation not permitted user@macOShost~ % echo\r\nmalicious code here\u003e Documents/nothing_to_see_here user@macOShost ~ % ls Documents ls: Documents:\r\nOperation not permitted user@macOShost ~ % cat Documents/nothing_to_see_here malicious code here\r\nAreas TCC does NOT protect:\r\nWe talked about areas TCC does protect, though incomplete in implementation. I would be remiss if I did not\r\nbriefly mention some sensitive directories on macOS that are not protected by TCC, such as:\r\n$HOME/.ssh, $HOME/.aws, and /tmp, just to name a few.\r\nThese directories contain sensitive keys or can be used for staging, exfiltration, etc.\r\nProblems with Full Disk Access (FDA)\r\nOne of the items encompassed by TCC is full disk access. If you are an admin, and you can grant yourself FDA,\r\nyou will inherently grant ALL users (even non-admins!) the ability to read all other users’ data on disk, including\r\nyour own.\r\nMounting Issues\r\nIn CVE-2020-9771 a disk can be mounted and read by non-admin users. Apple “patched” this issue in macOS\r\nCatalina 10.15.4 in 2019 and in macOS Mojave in 2018, but the fix is tied to restricting Full Disk Access (FDA)\r\npermissions (kTCCServiceSystemPolicyAllFiles) for Terminal. However, the challenge in this “fix” is that in\r\nmany environments, Terminal may have FDA enabled for legitimate reasons, and many apps, including IT and\r\nsecurity software agents, may leverage scripting (Terminal) and require full disk access (FDA) to properly\r\nfunction and protect the endpoint.\r\nAdditionally, an actor could mount over ~/Library/Application Support/com.apple.TCC with their fake TCC.db by\r\npreparing a new TCC.db file. Because TCC privacy is not enforced on mounted local snapshots – this allows an\r\nactor to mount and access any file inside. Additionally, initiating and listing APFS snapshots is available for all\r\nusers, so anyone can mount local apfs snapshots if using “noowners” flag.\r\nmount_apfs –o noowners –s com.apple.-TimeMachine.2023-12-29-1 23456.local /Systems/Volumes/Data\r\n/tmp/snap\r\nOne Finder to Rule Them All\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 6 of 15\n\nThere is also an existing reflexive or chained “privilege escalation” via Finder. Finder, unbeknownst to the user,\r\nhas access to FDA by default. If you are a keen investigator, you may notice that Finder is also not listed in your\r\nSecurity \u0026 Privacy permissions – it is transparent to the user. Also, if you grant Terminal access to Finder once, it\r\nis persistently granted. The user or admin would have to be aware of Finder’s access and manually revoke\r\npermission. Therefore, an actor could procure Terminal control the Finder to secure FDA.\r\nSocial Engineering\r\nFinally, social engineering also works!\r\nMalware authors have been observed directing users on how to override Gatekeeper step-by-step, bypassing any\r\nadditional security controls that admins deployed via MDM.\r\nExample Step by Step Social Engineering\r\nEnter the Lazarus Group\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 7 of 15\n\nDuring my ATT\u0026CKCon talk, I discussed this DPRK adversary in depth, as I tracked this nation-state’s activities\r\nfor a bit. The Lazarus Group is believed to operate out of North Korea, and has been active since 2009, gaining\r\ninfamy over the years for high profile attacks against Sony, WannaCry, and recently JumpCloud, to name a few.\r\nWith the poor state of the North Korean economy, Lazarus Group also is notable in their dual purpose of cyber\r\nespionage and nation-state financing. In 2023, they were heavily observed targeting cryptocurrency companies (no\r\ndoubt, for said self-financing), and cross-platform attacks.\r\nSo why target macOS?\r\nIn recent years, Lazarus Group pivoted their targeting towards a more technical audience, having targeted security\r\nresearchers in 2021 and engineers via social engineering methods using LinkedIn and email. With Operation\r\nDream Job dating back to at least 2020, the Lazarus Group pretended to be cryptocurrency companies (as part of\r\ntheir cryptocurrency financing motives), targeting unsuspecting developers and engineering roles with the promise\r\nof lucrative (fake) jobs. In 2023, they continued this trend, impersonating large tech company recruiters, such as\r\nAmazon. With their targeting of engineers, I would expect their targets to be heavily leveraging macOS laptops.\r\nCurrent desktop trends support this hypothesis. Stack Overflow conducted a survey in 2023, and out of over\r\n87,000 developer responses, we see that macOS is gaining traction at 33%. With this shift, we are observing more\r\nadversaries adapting their tradecraft to be compatible with macOS (and Linux), and I would expect this trend to\r\ncontinue across adversaries.\r\nStack Overflow, 2023\r\nThreat Hunting in VirusTotal\r\nWhat do TCC interactions look like in the wild?\r\nImportant Disclaimer: I am by no means a VirusTotal query pro, and your mileage may vary depending on your\r\nsubscription, date of query, etc.\r\nPulling on a Thread: Ties to North Korea\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 8 of 15\n\nIn tracking and researching Lazarus Group, I noted the heavy use of masquerading and TCC.db related activity.\r\nSpecifically, I observed the following command line:\r\nsqlite3 TCC.db SELECT kTCCServiceSystemPolicyFiles ‘.dump access’\r\nLazarus Group appears to be attempting to dump the access table from the TCC.db, likely to assess what\r\napplications had access to what permissions (FDA). From this command, I tried various iterations keying off of\r\nthe dumped access table:\r\nbehaviour_processes:”TCC.db” AND (type:dmg or type:macho) AND behaviour:”.dump”\r\nResults: An inordinate number of hits 😮\r\nAdding the access table as a criterion:\r\nbehaviour:access AND (type:dmg or type:macho) AND behaviour:”.dump”\r\nResults: 186 hits!\r\nTo my surprise, I received many hits for both queries, and wondered if this were a prolific but undocumented\r\ntechnique. However, upon examining this further, I realized VirusTotal was not using the quotes to denote a literal\r\nstring, but instead treated the `.` as a wildcard, giving me thousands of unwanted results of any macOS file\r\ncontaining the “dump” string. Not to be defeated, I tried another angle. Knowing that the TCC.db is a SQLite3\r\ndatabase, that Lazarus leveraged bash and sqlite3 to run commands, and that many macOS malware will be DMG\r\nor Mach-O binaries, I searched for:\r\nbehaviour_processes:”bash -c sqlite3” (type:dmg OR type:macho) AND behaviour:tcc.db”\r\nResults: 9 hits, all of which were popping up as “CloudMensis” malware. A quick google of CloudMensis gave\r\nme a Eureka moment.\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 9 of 15\n\nCloudMensis is a macOS malware attributed to North Korean adversary APT37 (aka InkSquid, RedEyes,\r\nBadRAT, Reaper or ScarCruft). Pouring into the 9 samples I found on VT, CloudMensis consistently leverages\r\ncsrutil to query the status of SIP protection, grepping for anything disabled, and proceeds to either directly\r\nINSERT into screencapture and FaceTime access or in other samples, add all relevant permissions line by line into\r\nthe TCC.db. In parallel, the actor creates a new database in ~/Library/Application\r\nSupport/com.apple.spotlight/Library/Application Support/com.apple.TCC/ and sets the HOME environment\r\nvariable to ~/Library/Application Support/com.apple.spotlight using launchctl setenv. Lastly, it restarts tccd so that\r\nthe TCC daemon loads the actor-controlled database.\r\n/bin/bash /usr/bin/csrutil csrutil status /usr/bin/grep grep disabled /usr/bin/sqlite3 sqlite3\r\n/Library/Application Support/com.apple. TCC/TCC.db INSERT INTO access\r\nVALUES('kTCCServiceScreenCapture', '/Users/user1/Library/Containers/com.apple.\r\nFaceTime/Data/Library/windowserver', 1, 1, 1, X'', NULL, NULL, 'UNUSED', NULL, NULL, 1711022347)\r\nlaunchctl setenv HOME %@ launchctl stop com.apple.tccd \u0026\u0026 launchctl start com.apple.tccd\r\nCloudMensis Commands from samples in VirusTotal\r\nLooking for command line parameters in VirusTotal, I leveraged this query:\r\ncontent:com.apple.spotlight AND content:launchctl AND content:setenv AND content:com.apple.tccd AND\r\n(content:start and content:stop) NOT (tag:signed OR tag:legit)\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 10 of 15\n\nResults: 35 hits total. Rummaging through the results, 8 hits tied back to CloudMensis.\r\nCloudMensis uses two techniques to bypass TCC, and if successful, gains access to the screen, scans removable\r\nstorage for documents of interest, and logs keyboard events. Performing screen capture requires bypassing TCC\r\nrestrictions via exploiting CVE-2020-9934. Either the target hosts were known to be running macOS Catalina\r\n10.5.6 or earlier, or the malware contained legacy code that the developers forgot to remove.\r\nIf SIP is disabled, CloudMensis adds entries to the TCC.db to grant itself permissions. If SIP is enabled but the\r\nMac is running any version of macOS Catalina earlier than 10.15.6, CloudMensis will exploit a vulnerability to\r\nmake the TCC daemon (tccd) load a database CloudMensis can write to (CVE-2020–9934)\r\nThankfully for defenders, CloudMensis malware seems to be mitigated if enterprises are using up-to-date\r\nMacBook’s and SIP is enabled.\r\nCloudMensis sample that uses INSERT statements line by line in the TCC.db\r\nCasting A Wide Net: Keyloggers, Adware, Trojans, Oh My!\r\nIt is likely (if not inevitable) that attackers within the same nation-state will share code or adversarial practices.\r\nThe DPRK is clearly no stranger to TCC abuse. I was curious how often other malware authors abused the TCC\r\nframework. I decided to start broadly in my queries, looking for ANY TCC interactions.\r\nbehaviour_processes:TCC.db\r\nResults: 37 hits! Less than half were confirmed malware: Bundlore, CloudMensis again, Callisto (which I will\r\ndetail below), the BlueBlood keylogger, and unspecified macOS Trojans the antiviruses comprising VirusTotal\r\nhave yet to label.\r\nI am assuming the BlueBlood keylogger samples I have corresponds to the BlueBlood keylogger that has been\r\naround for years. It uses INSERT or REPLACE to add access for appID, “com.applle.blblu,” named in this\r\nfashion likely to masquerade as an Apple sanctioned appID for the accessibility list on macOS\r\n(kTCCServiceAccessibility).\r\nBundlore is a notorious macOS adware that has also been around since 2015 and gained notoriety in 2019.\r\nBundlore, in older versions, will modify the TCC in a similar way to BlueBlood; i.e. if macOS version is 10.12 or\r\nolder and Safari version is 10.0 or older, it modifies the TCC.db to enable AppleScript accessibility access to\r\napplications like Terminal, Safari, Apple Remote Desktop Agent, or Bash, so that it can interact with them.\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 11 of 15\n\nIn other Bundlore samples, I noted the use of the cp command to copy the entire TCC.db as a backup.\r\ncp –f “/Library/Application Support/com.apple.TCC/TCC.db” “/Library/Application\r\nSupport/com.apple.TCC/TCC.db.bak\r\nBoth Bundlore and BlueBlood leveraged insert and replace logic, so I narrowed my search to home in on these\r\ntactics, starting with REPLACE.\r\n(type:dmg OR type:macho) and (behaviour:REPLACE and behaviour:sqlite3 and behavior:tcc.db) and NOT\r\n(tag:signed)\r\nResults: 4 hits attributed to Callisto, a different macOS backdoor that some sources state serves as the forerunner\r\nof the Proton family of malware. Notably, like Bundlore, it leveraged insert and replace commands to manipulate\r\nthe TCC.db.\r\nNote: I reran the same query without the unsigned qualifier, and still got the 4 Callisto hits, which indicates that at\r\nthe very minimum, the 4 Callisto samples were all unsigned. I’ll dive into unsigned and ad hoc signed binaries in\r\na future writeup.\r\nIt is worth noting that CoreServices folder (hidden in the System Library folder), which among other things,\r\ncontrols which apps have Accessibility authorization, became protected under SIP in 10.12 Sierra, so Callisto\r\nmalware, like many malware that abuse TCC, will fail on SIP-protected machines running Sierra or later.\r\nRepeating this query with INSERT commands:\r\n(type:dmg or type:macho) and (behaviour:INSERT and behaviour:sqlite3 and behaviour:tcc.db) AND NOT\r\n(tag:signed)\r\nResults: 11 hits, 10 of which were confirmed malware samples (but the “unconfirmed” sample looked highly\r\nsuspicious).\r\nNote: I added signature status again to test my hypothesis, and all samples were in fact unsigned.\r\nCombining all of the observed TCC.db abuse commands:\r\n(behaviour:tcc.db and behaviour:sqlite3) AND (behavior:SELECT OR behaviour:INSERT OR\r\nbehaviour:REPLACE or behaviour:cp)\r\nResults: 41 hits, less than half were confirmed malware. I’ll take it!\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 12 of 15\n\nNot on the Guest List\r\nAs I was pouring over samples and hits from my VT hunts, it dawned on me that a few malware campaigns that I\r\nknow interacted with TCC were notably absent from my results.\r\nJokerSpy is a malware leveraging SwiftBelt that targeted a cryptocurrency exchange in Japan, installing\r\nbackdoors and deploying spyware.  It creates a new TCC database and replaces the existing legitimate TCC\r\ndatabase, leveraging the binaries xcc and cp.\r\nCreation of actor-controlled TCC.db.\r\nSource: Elastic\r\nInterestingly enough, JokerSpy samples did not show up in my TCC.db query results. It is therefore likely that the\r\ncopying of the TCC and related interactions via command line were decoupled from the JokerSpy malware itself,\r\nthus not triggering on VT.\r\nXCSSET\r\nWhile I was researching TCC bypasses, I came across XCSSET, another malware sample absent from my VT hunt\r\nresults. Digging into how this campaign operates, the developers of XCSSET used three zero-days to bypass\r\nprivacy protections, the last of which was used to bypass TCC framework, allowing them to take screen captures\r\nby hijacking the entitlements of other apps on the system. XCSSET malware is hardcoded with a list of apps it\r\nexpects to have screen capture permissions, such as Zoom, Discord, WhatsApp, Teamviewer, etc. Using mdfind, it\r\nchecks if the appIDs of those apps are present. If present, it will inject its own malicious app into the bundle of\r\nany of those apps, that way they can piggyback off the screen sharing permission granted to apps as part of their\r\nnormal operation. From the XCSSET samples I found, the XCSSET AppleScript screenshot modules, downloaded\r\nfrom the malware author’s command and control (C2) server were responsible primarily for the TCC bypass, and\r\ndid not key off any TCC.db strings or sqlite3 commands.\r\nIf XCSSET fails to find or inject into those apps, it will impersonate Finder to ask user to grant Finder access. The\r\nmalicious app can take screenshots or record the screen without needing explicit consent from the user because it\r\ninherits those TCC permissions from the parent app.\r\nRecommendations for Blue Teamers:\r\nObviously, use up-to-date systems and implement strict patching hygiene.\r\nIf possible, disable FDA access to the terminal. If not possible, at minimum restrict access to the Terminal\r\nvia an MDM solution or a security product.\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 13 of 15\n\nIf possible, leverage an MDM solution to set privacy preferences via profiles.\r\nAs a last (nuclear) option, you can reset TCC settings with tccutil\r\n# Reset all permissions given to an application:\r\ntccutil reset All app_id_here\r\n# Reset the permissions granted to all apps:\r\ntccutil reset All\r\nEnable Apple’s protections, especially SIP. Configure security alerting to any disabling of SIP (typically\r\naccomplished via csrutil).\r\nControl permissions relating to software downloads or launches via MDM and/or application allow/deny\r\nlists via a security product.\r\nAs always, user education is important. Educate your end users on common social engineering, and the\r\nrepercussions of disabling security features like SIP.\r\nExercise least privilege, only granting apps relevant permissions, and removing if no longer needed.\r\nMonitor sensitive directories that are not protected by TCC.\r\nConclusion\r\nIn this blog post, we have seen how the TCC has been abused and bypassed historically and continues to be a\r\ntarget by modern-day adversaries. In addition, we have looked at procedural examples of commands run by\r\nnation-state adversaries (in particular, the DPRK) and common macOS malware campaigns over the years,\r\nincluding adware, spyware, keyloggers, and trojans, and ways to detect these behaviors. We also examined how\r\nmalware authors have leveraged interactive or decoupled commands to perform TCC.db manipulation, possibly as\r\na means of file-based detection evasion.\r\nGiven the growth of macOS in the industry, it is critical for security teams to understand and secure enterprise\r\nacross platforms.\r\nTakeaways, Caveats, Final Thoughts\r\nI went through a ton of threat hunting examples, and I would like to caveat that just because we did not see hits in\r\nVT does not mean these techniques are not happening in the wild. As we saw with my initial example from\r\nLazarus Group dumping the TCC.db, it is likely that malware authors are decoupling their commands from their\r\nmalware. VirusTotal will only show malware strings and commands, whereas adversaries can and will run\r\ninteractive commands when they have access to the system. Yara signatures are also file-based in nature and will\r\nnot detect fileless behaviors distinct and separate from malware. Having up-to-date antivirus definitions is not\r\nenough. Alert on command-line activities that may stem from interactive or decoupled activities.\r\nAdditionally, VirusTotal (and other sources) will change their signatures as more security vendors and community\r\ncontributors flag malicious activity. These were my results at the time of queries run. Your mileage may vary\r\ndepending on what type of VirusTotal account you have (free vs enterprise, paid version), and if you used free text\r\nsearch or “content,” or “behaviour” search criteria.\r\nAdversaries will pivot based on how the security and IT landscape changes, whether it be increasing macOS\r\nusage, migrating to the cloud, etc. It is important that security teams are not myopic in their defenses.\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 14 of 15\n\nAppendix\r\nOther Techniques – Discovery\r\nAdversaries performed TCC.db privacy setting enumeration and discovery by using SELECT statements in\r\nsqlite3:\r\nOn macOS 11 BIG SUR and later:\r\nsudo sqlite3 /Library/Application Support/com.apple.TCC/TCC.db “SELECT client,auth_value FROM access\r\nWHERE service==’kTCCServiceSystemPolicyAllFiles” | grep ‘2’$\r\nOn macOS 10.15 Catalina and earlier:\r\nsudo sqlite3 /Library/Application Support/com.apple.TCC/TCC.db “SELECT client,auth_value FROM access\r\nWHERE service==’kTCCServiceSystemPolicyAllFiles” | grep ‘1’$\r\nComing Back Empty Handed from the (VirusTotal) Hunt\r\nQuerying for Full Disk Access\r\ncontent:kTCCServiceSystemPolicyAllFiles or behaviour:kTCCServiceSystemPolicyAllFiles\r\n3 hits: (at the time of discovery) a day-old Pearcleaner macOS trash cleaner opensourced on Github. It is unclear if\r\nthis is a viable or high-fidelity query currently.\r\nTo mount or not to mount\r\nI investigated the apfs mounting bypass I detailed earlier, noting the “noowners” flag.\r\n(type:dmg or type:macho) behaviour:mount behaviour:noowners\r\nResults: 6 hits, all benign.\r\nbehaviour:attach AND behavior:mountpoint AND behavior:com.apple.TCC\r\nResults: 1hit, an Adobe update script\r\n(type:dmg or type:macho) AND behaviour:mount AND behavior:apfs AND behaviour:noowners\r\nResults: 4 hits, all benign.\r\nKeying off of “noowners” and various mounting parameters, there did not seem to be a use case for this occurring\r\nin the wild. Notably, there were very few hits, and all were false positives. It is also possible that a malicious actor\r\ncould do this interactively (or hands-on-keyboard), again decoupling it from the malware/file itself. However,\r\ngiven the low frequency in which this type of mounting behavior occurs, it still might be a worthwhile detection\r\nopportunity in an EDR or SIEM solution.\r\nSource: https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nhttps://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/\r\nPage 15 of 15", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/" ], "report_names": [ "return-of-the-macos-tcc" ], "threat_actors": [ { "id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e", "created_at": "2025-08-07T02:03:25.082908Z", "updated_at": "2026-04-29T06:58:57.57766Z", "deleted_at": null, "main_name": "NICKEL FOXCROFT", "aliases": [ "APT37 ", "ATK4 ", "Group 123 ", "InkySquid ", "Moldy Pisces ", "Operation Daybreak ", "Operaton Erebus ", "RICOCHET CHOLLIMA ", "Reaper ", "ScarCruft ", "TA-RedAnt ", "Venus 121 " ], "source_name": "Secureworks:NICKEL FOXCROFT", "tools": [ "Bluelight", "Chinotto", "GOLDBACKDOOR", "KevDroid", "KoSpy", "PoorWeb", "ROKRAT", "final1stpy" ], "source_id": "Secureworks", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-29T06:58:57.558868Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "2864e40a-f233-4618-ac61-b03760a41cbb", "created_at": "2023-12-01T02:02:34.272108Z", "updated_at": "2026-04-29T06:58:58.283088Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "ETDA:WildCard", "tools": [ "RustDown", "SysJoker" ], "source_id": "ETDA", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-29T06:58:56.251544Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "SEABORGIUM", "TA446", "GOSSAMER BEAR", "BlueCharlie", "Blue Callisto", "COLDRIVER", "Star Blizzard", "TAG-53", "IRON FRONTIER", "UNC4057" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bbe36874-34b7-4bfb-b38b-84a00b07042e", "created_at": "2022-10-25T15:50:23.375277Z", "updated_at": "2026-04-29T06:58:57.777903Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "APT37", "InkySquid", "ScarCruft", "Group123", "TEMP.Reaper", "Ricochet Chollima" ], "source_name": "MITRE:APT37", "tools": [ "BLUELIGHT", "CORALDECK", "KARAE", "SLOWDRIFT", "ROKRAT", "SHUTTERSPEED", "POORAIM", "HAPPYWORK", "Final1stspy", "Cobalt Strike", "NavRAT", "DOGCALL", "WINERACK" ], "source_id": "MITRE", "reports": null }, { "id": "552ff939-52c3-421b-b6c9-749cbc21a794", "created_at": "2023-01-06T13:46:38.742547Z", "updated_at": "2026-04-29T06:58:56.314134Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "Moldy Pisces", "Group 123", "APT 37", "Venus 121", "ATK4", "G0067", "APT-C-28", "Operation Daybreak", "Operation Erebus", "Reaper Group", "Red Eyes", "ScarCruft", "Group123", "InkySquid", "Ricochet Chollima" ], "source_name": "MISPGALAXY:APT37", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-29T06:58:57.590171Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-29T06:58:56.209334Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Unit 121", "Group 77", "Operation Troy", "Nickel Academy", "ATK117", "Citrine Sleet", "Dark Seoul", "NewRomanic Cyber Army Team", "APT 38", "Whois Hacking Team", "APT-C-26", "COVELLITE", "ATK3", "DEV-0139", "Diamond Sleet", "Sapphire Sleet", "COPERNICIUM", "TA404", "Subgroup: Bluenoroff", "Labyrinth Chollima", "Appleworm", "NICKEL GLADSTONE", "DEV-1222", "Lazarus group", "BeagleBoyz", "Moonstone Sleet", "Operation DarkSeoul", "Hidden Cobra", "Hastati Group", "Andariel", "G0082", "Black Artemis", "Bureau 121", "G0032", "Stardust Chollima", "Bluenoroff", "Operation GhostSecret", "Operation AppleJeus", "APT38" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e", "created_at": "2023-11-30T02:00:07.299845Z", "updated_at": "2026-04-29T06:58:56.71798Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "MISPGALAXY:WildCard", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-29T06:58:57.694787Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-29T06:58:57.896936Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "9b02c527-5077-489e-9a80-5d88947fddab", "created_at": "2022-10-25T16:07:24.103499Z", "updated_at": "2026-04-29T06:58:58.1252Z", "deleted_at": null, "main_name": "Reaper", "aliases": [ "APT 37", "ATK 4", "Cerium", "Crooked Pisces", "G0067", "Geumseong121", "Group 123", "ITG10", "InkySquid", "Moldy Pisces", "Opal Sleet", "Operation Are You Happy?", "Operation Battle Cruiser", "Operation Black Banner", "Operation Daybreak", "Operation Dragon messenger", "Operation Erebus", "Operation Evil New Year", "Operation Evil New Year 2018", "Operation Fractured Block", "Operation Fractured Statue", "Operation FreeMilk", "Operation Golden Bird", "Operation Golden Time", "Operation High Expert", "Operation Holiday Wiper", "Operation Korean Sword", "Operation North Korean Human Right", "Operation Onezero", "Operation Rocket Man", "Operation SHROUDED#SLEEP", "Operation STARK#MULE", "Operation STIFF#BIZON", "Operation Spy Cloud", "Operation Star Cruiser", "Operation ToyBox Story", "Osmium", "Red Eyes", "Ricochet Chollima", "Ruby Sleet", "ScarCruft", "TA-RedAnt", "TEMP.Reaper", "Venus 121" ], "source_name": "ETDA:Reaper", "tools": [ "Agentemis", "BLUELIGHT", "Backdoor.APT.POORAIM", "CARROTBALL", "CARROTBAT", "CORALDECK", "Cobalt Strike", "CobaltStrike", "DOGCALL", "Erebus", "Exploit.APT.RICECURRY", "Final1stSpy", "Freenki Loader", "GELCAPSULE", "GOLDBACKDOOR", "GreezeBackdoor", "HAPPYWORK", "JinhoSpy", "KARAE", "KevDroid", "Konni", "MILKDROP", "N1stAgent", "NavRAT", "Nokki", "Oceansalt", "POORAIM", "PoohMilk", "PoohMilk Loader", "RICECURRY", "RUHAPPY", "RokRAT", "SHUTTERSPEED", "SLOWDRIFT", "SOUNDWAVE", "SYSCON", "Sanny", "ScarCruft", "StarCruft", "Syscon", "VeilShell", "WINERACK", "ZUMKONG", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-29T06:58:57.971881Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1777429298, "ts_updated_at": 1777450932, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8b7379363ff30208137df63589f03fe755886953.pdf", "text": "https://archive.orkl.eu/8b7379363ff30208137df63589f03fe755886953.txt", "img": "https://archive.orkl.eu/8b7379363ff30208137df63589f03fe755886953.jpg" } }