macOS's TCC system protects the camera, mic, and disk, but malware like Silver Sparrow and XCSSET have demonstrated TCC bypass techniques—injecting into trusted apps or modifying the database with admin privileges. This lesson examines these bypass methods and the persistence mechanisms (LaunchAgents, cron, etc.) that allow malware to survive reboots, so you can configure defenses that catch these advanced threats.
If an attacker gains admin access, they can modify the TCC database directly using sqlite3, granting their malware Full Disk Access without a user prompt. Even without admin, they can inject code into a trusted application that already has FDA (e.g., Terminal) using techniques like dylib injection or process injection. This bypasses TCC because the injected code runs with the trusted app's permissions. Defending against this requires SIP, code signing checks, and restricting accessibility permissions.
```bash
# An attacker with admin could add their malware to TCC FDA
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
"INSERT OR REPLACE INTO access VALUES('kTCCServiceSystemPolicyAllFiles','com.malware.agent',0,2,2,1,NULL,NULL,'UNUSED',NULL,0,0);"
# This grants Full Disk Access without a prompt.
```
The defense is to monitor the TCC database for unauthorized modifications (audit it with osquery) and to prevent admin access from falling into attacker hands.
Malware persists via LaunchAgents (~/Library/LaunchAgents/), LaunchDaemons (/Library/LaunchDaemons/), cron jobs, login items, and even malicious Safari extensions. Attackers also use 'at' jobs and the /etc/periodic directories. A comprehensive persistence audit is required: list all launch items with 'launchctl list', check crontabs, and inspect login items via System Preferences or MDM query.
| Persistence Method | Location | Detection Technique |
|---|---|---|
| LaunchAgent | ~/Library/LaunchAgents/ | launchctl list; check for unsigned plists |
| LaunchDaemon | /Library/LaunchDaemons/ | Requires root; check with osquery |
| Login Items | System Preferences → Users → Login Items | MDM query or profile inspection |
| Cron jobs | crontab -l; /etc/crontab | Regular audit; lock cron with permissions |
To combat TCC bypass and persistence, ensure SIP is enabled, apply MDM restrictions that prevent users from approving unknown apps, deploy a PPPC profile to pre-approve only necessary enterprise apps, and monitor for new persistence objects via osquery or EDR. Also, set 'Require password' to 'immediately' after sleep or screen saver begins to shrink the window for physical-access attacks.
⚠️ A launchd plist, or the program it points to, that sits in a user-writable directory can be modified by any local user, which turns that job into a persistence foothold. Ensure plists and their target binaries are owned by root and are not writable by others.
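As an added example (not code from the lesson), here is a small audit of the persistence locations in the table above that also encodes the warning about user-writable paths: it parses each launchd plist with the standard `plistlib` module and reports ownership and permission problems on the plist and on the program it launches. The function names, the finding codes, and the `expected_uid` parameter (0 for `/Library/Launch*`, the user's uid for `~/Library/LaunchAgents`) are assumptions of this example, and `make_sample_dir` builds a constructed fixture so the code runs on any POSIX system without touching a real Mac.

```python
import plistlib, stat, tempfile
from pathlib import Path

def audit_launchd_plist(plist_path, expected_uid=0):
    """Finding codes for one launchd job plist (hypothetical helper, not from the lesson).
    expected_uid is 0 for /Library/Launch*; pass the user's uid for ~/Library/LaunchAgents."""
    others_write = stat.S_IWGRP | stat.S_IWOTH
    findings, path = [], Path(plist_path)
    st = path.stat()
    if st.st_uid != expected_uid:
        findings.append("plist-unexpected-owner")
    if st.st_mode & others_write:
        findings.append("plist-writable-by-others")
    try:
        job = plistlib.loads(path.read_bytes())
    except (plistlib.InvalidFileException, ValueError):
        return findings + ["plist-unparseable"]
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        findings.append("starts-automatically")
    # launchd accepts either a Program string or a ProgramArguments list.
    target = Path(job.get("Program") or (job.get("ProgramArguments") or [""])[0])
    if not target.is_absolute() or not target.exists():
        findings.append("program-missing-or-relative")   # orphaned job, or a dangling path
    else:
        tst = target.stat()
        if tst.st_uid != expected_uid:
            findings.append("program-unexpected-owner")
        if tst.st_mode & others_write:
            findings.append("program-writable-by-others")
        if target.parent.stat().st_mode & stat.S_IWOTH:   # the lesson's warning case
            findings.append("program-in-world-writable-dir")
    return findings

def audit_directory(directory, expected_uid=0):
    """Map each *.plist in a LaunchAgents/LaunchDaemons dir to its findings."""
    return {p.name: audit_launchd_plist(p, expected_uid) for p in sorted(Path(directory).glob("*.plist"))}

def make_sample_dir():
    """Constructed fixture: one weak job and one well-placed job in a fresh temp dir."""
    root = Path(tempfile.mkdtemp())
    drop = root / "drop"; drop.mkdir(); drop.chmod(0o777)           # world-writable payload dir
    weak_bin = drop / "agent"; weak_bin.write_text("#!/bin/sh\n"); weak_bin.chmod(0o777)
    good_bin = root / "helper"; good_bin.write_text("#!/bin/sh\n"); good_bin.chmod(0o755)
    jobs = {"com.example.weak.plist": ({"Label": "weak", "RunAtLoad": True,
                                        "ProgramArguments": [str(weak_bin)]}, 0o666),
            "com.example.good.plist": ({"Label": "good", "Program": str(good_bin)}, 0o644)}
    for name, (job, mode) in jobs.items():
        (root / name).write_bytes(plistlib.dumps(job)); (root / name).chmod(mode)
    return root
```

Run `audit_directory("/Library/LaunchDaemons")` as root on a real host to get the same finding codes for every daemon plist; an empty list means the job passed every check.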