{"id":10508,"date":"2021-04-14T09:00:00","date_gmt":"2021-04-14T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/"},"modified":"2021-04-14T09:00:00","modified_gmt":"2021-04-14T08:00:00","slug":"attack-detection-fundamentals-2021-macos-lab-3","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/","title":{"rendered":"Attack Detection Fundamentals 2021: macOS &#8211; Lab #3"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: macOS &#8211; <span class=\"blue-text\">Lab #3<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                      
                  Endpoint Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                14.04.2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Jaa t\u00e4m\u00e4                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: macOS &#8211; Lab #3&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/\" target=\"_blank\" rel=\"noreferer noopener\" 
class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_196b4f342296fc190741d08bd4e48878\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Calum Hall<\/h3>\n        \n                \n  
          <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Luke Roberts<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Sis\u00e4ll\u00f6n navigointi            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Valitse jakso                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            
<span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: macOS &#8211; Lab #3&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n          
      <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>As we enter the final Lab of WithSecure Consulting&#x27;s Attack Detection Fundamentals macOS workshop we must reflect on what we have covered so far. To this point we have analysed potential initial access techniques, how attackers may then persist on compromised devices, and how these attacks may be detected.<\/p>\n<p>A recording of this workshop series can be found <a href=\"https:\/\/www.youtube.com\/watch?v=A6rSlavcF4Q\" target=\"_blank\" rel=\"noopener\">here<\/a> and the slides are available <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-2-macos_2021-04-14.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>Now within this workshop we are going to take an alternative angle &#8211; what can an attacker do once on the device? This post-exploitation workshop focusses on bypassing certain security and privacy controls that Apple has included within macOS. The objective of this lab will be to demonstrate the background behind the target control, how it benefits users and, importantly, how it can be bypassed. Following the theme of this series, we will then highlight key events within this type of attack that we can develop detection points around.<\/p>\n<h2>Background<\/h2>\n<p>Picture the scene &#8211; you&#x27;ve popped a shell on your target&#x27;s box, compromised their credentials and yet you&#x27;re still getting permission denied when attempting to access their documents. 
This would be the work of Apple&#x27;s Transparency, Consent &amp; Control (TCC) security mechanism. In short, TCC utilises a database file on disk that keeps track of the functionality and storage locations within a device a given program is able to access. For example, within the Security &amp; Privacy settings of a macOS device you can view the applications that are permitted to access functionality such as the camera:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop3-7.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>For those of us familiar with macOS devices we have all seen plenty of these access requests:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop3-6.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Upon permitting or denying an application access to a certain component of your device e.g. your webcam, or alternatively a storage location such as your &quot;Documents&quot; folder, TCC stores this response within one of the following databases (the first is per-user, the second is system-wide):<\/p>\n<ul>\n<li>~\/Library\/Application Support\/com.apple.TCC\/TCC.db<\/li>\n<li>\/Library\/Application Support\/com.apple.TCC\/TCC.db<\/li>\n<\/ul>\n<h2>Attack<\/h2>\n<p>For the purpose of this workshop, let&#x27;s assume that we have a Terminal\/iTerm instance on our target machine, and we are unable to access our user&#x27;s documents. In an attempt to avoid raising suspicion, we want to find an alternative method of gaining access to these documents without prompting the user.<\/p>\n<p>What about directly editing the &quot;~\/Library\/Application Support\/com.apple.TCC\/TCC.db&quot; file we mentioned earlier? Unfortunately, to edit the contents of this file, the interacting program must have Full Disk Access. Given that we&#x27;re unable to access the &quot;Documents&quot; folder, we can infer this is something that we do not have. 
It&#x27;s also worth noting that attempting to access a component\/storage area that has not previously been requested by the program may trigger a prompt for the user, thus alerting them to something suspicious.<\/p>\n<p>Thankfully for offensive operators however, there are ways to bypass this restriction, given that SSH is enabled and we have the credentials for our target user.<\/p>\n<p>By default when enabled, the SSH process is provided with full disk access to the target device:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop3-8.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Consequently, given we have valid credentials for the device, we can SSH locally and provide ourselves with Full Disk Access; subsequently gaining the ability to directly edit the TCC database. To demonstrate the ability to directly interact with the TCC database, we are going to try and provide iTerm with the permissions required to access the &quot;Documents&quot; folder, which as we can see it currently does not possess:<\/p>\n<pre><code class=\"language-bash\">&gt; ls \/Users\/calumhall\/Documents\n\nls: Documents: Operation not permitted<\/code><\/pre>\n<p>Firstly, SSH into the device locally (e.g. ssh calumhall@localhost) and utilise macOS&#x27;s inbuilt sqlite3 tool to alter the ~\/Library\/Application Support\/com.apple.TCC\/TCC.db database. 
This can be done using one of the following commands depending on whether a permissions entry has already been created within the database:<\/p>\n<pre><code class=\"language-bash\">INSERT INTO access values(&#x27;kTCCServiceSystemPolicyDocumentsFolder&#x27;, &#x27;com.googlecode.iterm2&#x27;, &#x27;0&#x27;, &#x27;2&#x27;, &#x27;2&#x27;, &#x27;1&#x27;, &#x27;&#x27;, &#x27;&#x27;, &#x27;0&#x27;, &#x27;UNUSED&#x27;, &#x27;&#x27;, &#x27;0&#x27;, &#x27;1617801709&#x27;);\n\nUPDATE access SET auth_value=2, auth_reason=2 WHERE client=&quot;com.googlecode.iterm2&quot; AND service=&quot;kTCCServiceSystemPolicyDocumentsFolder&quot;;<\/code><\/pre>\n<p>At which point, upon restarting the application, iTerm will have been provided access to the &quot;Documents&quot; folder:<\/p>\n<pre><code class=\"language-bash\">&gt; ls \/Users\/calumhall\/Documents\/\n\n$RECYCLE.BIN                     Hackfu                 Reading\nBusiness Documents         Presentations          Tools\nDetection Wor                    Research              Training<\/code><\/pre>\n<h2>Detection Methods<\/h2>\n<p>When we break down the attack we just performed, there are two key points of interest that we are able to gather accurate telemetry for:<\/p>\n<ul>\n<li>Local SSH connection<\/li>\n<li>Directly editing the TCC database<\/li>\n<\/ul>\n<p>As you will notice throughout this workshop we employ a variety of open source tools to analyse and gather telemetry. This is largely to encourage you to use whatever solution works best for your environment, here we have predominantly used Objective-See&#x27;s tools as they are open source and easy to use. The telemetry these tools gather is largely collected from Apple&#x27;s inbuilt utilities, and hence these events should be solution agnostic.<\/p>\n<h3>Local SSH Connection<\/h3>\n<p>Detecting an SSH connection, something we&#x27;ve done a thousand times with other operating systems, easy right? Well kind of. 
As with many of the attacks discussed within this workshop there are plenty of detection methods; here let&#x27;s discuss the pros and cons of each of the following:<\/p>\n<ul>\n<li>Network connection monitoring<\/li>\n<li>Process monitoring (ESF)<\/li>\n<li>SSH logging<\/li>\n<li>Unified log entries<\/li>\n<\/ul>\n<p>Firstly, before analysing any networking activity from the device it is important to call out the challenges we face with macOS devices. To fully utilise networking telemetry on macOS, you must be using software that uses a network extension. As this can be a challenge to acquire, this is not something we will cover in this workshop; however, most EDR solutions should have this capability. Hence, that is likely to be the greatest source of telemetry for detecting local SSH connections.<\/p>\n<p>For the purpose of this workshop let&#x27;s use Objective-See&#x27;s Netiquette network monitoring tool (<a href=\"https:\/\/objective-see.com\/products\/netiquette.html\" target=\"_blank\" rel=\"noopener\">https:\/\/objective-see.com\/products\/netiquette.html<\/a>), to identify our SSH connection (ssh calumhall@localhost):<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/workshop3-9.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Interestingly, localhost in this instance has resolved to the host&#x27;s IPv6 loopback address ::1 rather than 127.0.0.1. Not that this makes a difference, as I&#x27;m sure we are capable of monitoring for connections to both loopback addresses. This tool however is designed for individual users, not to aid detection at scale, and as such we must investigate alternative methods.<\/p>\n<p>So how about process monitoring? We&#x27;ve seen so far throughout this workshop that process monitoring via the ESF has proved successful; let&#x27;s hope it is once more. 
Realistically all we are interested in with this scenario is any SSH connection that is being performed against the local device. Hence, we don&#x27;t need to worry all that much about the behaviour of anything past the initial SSH connection. The following event is generated by the ESF upon a local user initiating an SSH connection:<\/p>\n<pre><code class=\"language-bash\">&gt; .\/ProcessMonitor.app\/Contents\/MacOS\/ProcessMonitor -pretty\n\n[...redacted...]\n{\n&quot;event&quot;: &quot;ES_EVENT_TYPE_NOTIFY_EXEC&quot;,\n&quot;timestamp&quot;: &quot;2021-04-08 15:11:46 +0000&quot;,\n&quot;process&quot;: {\n&quot;pid&quot;: 11838,\n&quot;name&quot;: &quot;ssh&quot;,\n&quot;path&quot;: &quot;\/usr\/bin\/ssh&quot;,\n&quot;uid&quot;: 501,\n&quot;architecture&quot;: &quot;Intel&quot;,\n&quot;arguments&quot;: [\n&quot;ssh&quot;,\n&quot;calumhall@localhost&quot;\n],\n&quot;ppid&quot;: 10555,\n&quot;rpid&quot;: 5205,\n&quot;ancestors&quot;: [\n5205,\n1\n],\n&quot;signing info (reported)&quot;: {\n&quot;csFlags&quot;: 570522385,\n&quot;platformBinary&quot;: 1,\n&quot;signingID&quot;: &quot;com.apple.openssh&quot;,\n&quot;teamID&quot;: &quot;&quot;,\n&quot;cdHash&quot;: &quot;B40199DE8184503EAD472866D76DFD98D319BE56&quot;\n},\n&quot;signing info (computed)&quot;: {\n&quot;signatureID&quot;: &quot;com.apple.openssh&quot;,\n&quot;signatureStatus&quot;: 0,\n&quot;signatureSigner&quot;: &quot;Apple&quot;,\n&quot;signatureAuthorities&quot;: [\n&quot;Software Signing&quot;,\n&quot;Apple Code Signing Certification Authority&quot;,\n&quot;Apple Root CA&quot;\n]\n}\n}\n}<\/code><\/pre>\n<p>Of interest to us in this scenario are the arguments included in the SSH event. 
We can see the destination this user is connecting to is &#x27;localhost&#x27;, hence we can filter for instances such as:<\/p>\n<ul>\n<li>localhost<\/li>\n<li>127.0.0.1<\/li>\n<li>::1<\/li>\n<\/ul>\n<p>However, whilst we can use process monitoring, surely there has got to be some inbuilt logging for SSH that we can gather this telemetry from? Well, if we look at \/var\/log\/system.log after a successful local SSH attempt we can see that something happened; however, it&#x27;s not of much use:<\/p>\n<pre><code class=\"language-bash\">Apr 8 16:44:43 Calums-MacBook-Pro sshd: calumhall [priv][12162]: USER_PROCESS: 12165 ttys003<\/code><\/pre>\n<p>Similarly, the entries within the Unified Log do not appear to provide any great amount of value.<\/p>\n<p>To summarise, we are able to detect certain indicators from process monitoring; however, the most valuable form of telemetry is going to come from monitoring network activity. Whilst we were not able to fully demonstrate this type of telemetry within this lab, for those of you deploying EDR solutions to your devices you should be able to gather this telemetry with ease.<\/p>\n<p>Alternatively, the likes of Objective-See&#x27;s Netiquette can be periodically executed from the command line on target devices. 
This way we can periodically gather information about the active network connections on the target devices.<\/p>\n<h3>Directly Editing the TCC Database<\/h3>\n<p>Secondly, let us once more investigate the ESF&#x27;s ability to monitor file activity on the device.<\/p>\n<pre><code class=\"language-bash\">&gt; sudo .\/FileMonitor.app\/Contents\/MacOS\/FileMonitor -pretty\n\n[...redacted...]\n{\n&quot;event&quot;: &quot;ES_EVENT_TYPE_NOTIFY_WRITE&quot;,\n&quot;timestamp&quot;: &quot;2021-04-07 21:36:08 +0000&quot;,\n&quot;file&quot;: {\n&quot;destination&quot;: &quot;\/Users\/calumhall\/Library\/Application Support\/com.apple.TCC\/TCC.db&quot;,\n&quot;process&quot;: {\n&quot;pid&quot;: 6088,\n&quot;name&quot;: &quot;sqlite3&quot;,\n&quot;path&quot;: &quot;\/usr\/bin\/sqlite3&quot;,\n&quot;uid&quot;: 501,\n&quot;architecture&quot;: &quot;Intel&quot;,\n&quot;arguments&quot;: [],\n&quot;ppid&quot;: 5902,\n&quot;rpid&quot;: 5897,\n&quot;ancestors&quot;: [\n5897,\n1\n],\n&quot;signing info (reported)&quot;: {\n&quot;csFlags&quot;: 570522385,\n&quot;platformBinary&quot;: 1,\n&quot;signingID&quot;: &quot;com.apple.sqlite3&quot;,\n&quot;teamID&quot;: &quot;&quot;,\n&quot;cdHash&quot;: &quot;1D70249C9DFE22B9A20903424ACE0C010B630CA0&quot;\n},\n&quot;signing info (computed)&quot;: {\n&quot;signatureID&quot;: &quot;com.apple.sqlite3&quot;,\n&quot;signatureStatus&quot;: 0,\n&quot;signatureSigner&quot;: &quot;Apple&quot;,\n&quot;signatureAuthorities&quot;: [\n&quot;Software Signing&quot;,\n&quot;Apple Code Signing Certification Authority&quot;,\n&quot;Apple Root CA&quot;\n]\n}\n}\n}\n}<\/code><\/pre>\n<p>As observed from the event generated above, we can create a high-fidelity detection point by monitoring for the sqlite3 tool directly accessing the TCC.db file. The Apple ecosystem itself interacts with the TCC.db database through the TCC daemon (tccd), so under normal operation no other process should be writing to it. 
We can safely say that any direct access of the TCC.db file in this manner is likely malicious.<\/p>\n<h2>Conclusion<\/h2>\n<p>Within this lab we have demonstrated that the TCC mechanism may prove to be a sufficient security control against attackers with low privileged accounts on a device without SSH enabled. However, we have also shown that whilst TCC may prove a hurdle to offensive operators, it can be trivially bypassed given the necessary pre-requisites are met.<\/p>\n<p>By investigating the telemetry for such an attack we have found the following detection points to be likely indicators:<\/p>\n<ul>\n<li>Local SSH connections<\/li>\n<li>Direct editing of the TCC database<\/li>\n<\/ul>\n<h3>References<\/h3>\n<p>Special shoutout to the following researchers whose work has formed the basis of this workshop series:<\/p>\n<ul>\n<li>Patrick Wardle<\/li>\n<li>Cody Thomas<\/li>\n<li>Michael Jack<\/li>\n<li>Cedric Owens<\/li>\n<li>Csaba Fitzl<\/li>\n<li>Jaron Bradley<\/li>\n<li>Guillaume Ross<\/li>\n<li>Howard Oakley<\/li>\n<li>Phil Stokes<\/li>\n<li>Madhav Bhatt<\/li>\n<li>Adam Chester<\/li>\n<\/ul>\n<p>And to anyone else that we have inevitably forgotten to mention.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a 
href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20macOS%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: macOS &#8211; Lab #3&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div class=\"wp-component-content__content wysiwyg 
wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n                    <\/div>\n                            <\/div>\n                            <div class=\"wp-component-content__buttons\">\n                <a class=\"wp-component-button btn btn--primary btn--dark\" href=\"https:\/\/www.withsecure.com\/en\/contact-us\/\">Contact us<\/a>            <\/div>\n                <\/div>                    <\/div>\n    <\/div>\n<\/section>\n\n\n\n\n<section\n    class=\"wp-block-cards edwp-block wp-block-cards--col-3 js-wp-block-cards wp-block-cards--show-overflow wp-block-cards--auto-slides-per-view layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cards__container\">\n        <div class=\"wp-component-content wp-component-content--default wp-block-cards__content\">\n            <h2 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Related <span class=\"blue-text\">Labs content<\/span><\/h2>                    <div class=\"wp-component-content__inner\">\n                                    <div class=\"wp-component-content__content wysiwyg\">\n                        <div class=\"wp-component-paragraph \">\n    <p class=\"text--p-medium\"><span data-teams=\"true\">Find related content relating to this topic.<\/span><\/p>\n<\/div>\n                    <\/div>\n                                                            <\/div>\n                <\/div>                            <div\n                class=\"swiper wp-block-cards__swiper js-wp-block-cards-swiper\"\n                data-slides-per-view-desktop=\"auto\"\n                data-slides-per-view-tablet=\"auto\"\n                data-slides-per-view-mobile=\"auto\"\n            >\n                <div 
class=\"swiper-wrapper wp-block-cards__swiper-wrapper row-load\">\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                            <p 
class=\"wp-component-card-insight__desc\">On 4th August 2023, WithSecure Detection and Response Team (DRT) received an alert regarding spoofed process injection with abnormal memory characteristics on a host belonging to a WithSecure Countercept MDR customer.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/darkgate-rises\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack 
Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Reverse engineering a Lumma infection<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/reverse-engineering-a-lumma-infection\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/machine-learning-driven-malware-analysis\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        
<svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>This post exploitation workshop focusses on bypassing certain security and privacy controls that Apple has included within macOS. <\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[302,326],"labs_content_type":[305],"class_list":["post-10508","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div 
class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: macOS &#8211; Lab #3<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">This post exploitation workshop focusses on bypassing certain security and privacy controls that Apple has included within macOS. <\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-macos-lab-3\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item\/10508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=10508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=10508"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/labs_content_type?post=10508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}