Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.
Rule type: eql
Risk score: 47
Runs every: 5 minutes
Maximum alerts per execution: 100
- Threat Detection
- Defense Evasion
Added (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
process where event.type in ("start", "process_started") and process.name : "sqlite*" and process.args : "/*/Application Support/com.apple.TCC/TCC.db"
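The three clauses of the query above, reimplemented in Python as an added example (not part of the Elastic rule or its documentation) so the matching semantics can be checked offline against constructed process events: `event.type` must be one of the two start types, `process.name` must match the case-insensitive `:` wildcard `sqlite*`, and any element of the `process.args` array must match the TCC.db path pattern. The sample events and the wildcard-to-regex translation are constructed for this example.

```python
import re

# Rule operands copied from the EQL query on the page.
EVENT_TYPES = ("start", "process_started")
NAME_PATTERN = "sqlite*"
ARGS_PATTERN = "/*/Application Support/com.apple.TCC/TCC.db"


def eql_wildcard(pattern: str) -> re.Pattern:
    """Translate an EQL ':' operand into a regex: '*' matches any run of
    characters (slashes included), '?' one character, everything else is
    literal, and the comparison is case-insensitive."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


NAME_RE = eql_wildcard(NAME_PATTERN)
ARGS_RE = eql_wildcard(ARGS_PATTERN)


def matches_tcc_rule(event: dict) -> bool:
    """True when a process event satisfies all three clauses of the rule."""
    if event.get("event.type") not in EVENT_TYPES:
        return False
    if not NAME_RE.fullmatch(event.get("process.name", "")):
        return False
    # process.args is an array field; EQL matches when any element matches.
    return any(ARGS_RE.fullmatch(arg) for arg in event.get("process.args", []))


# Constructed sample events (not real telemetry). Events 1 and 2 should alert:
# a per-user TCC.db and the system TCC.db, the latter with a mixed-case name.
USER_DB = "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"
SYSTEM_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
SAMPLE_EVENTS = [
    {"id": 1, "event.type": "start", "process.name": "sqlite3",
     "process.args": ["sqlite3", USER_DB, "select * from access"]},
    {"id": 2, "event.type": "process_started", "process.name": "SQLite3",
     "process.args": ["sqlite3", SYSTEM_DB]},
    {"id": 3, "event.type": "start", "process.name": "sqlite3",
     "process.args": ["sqlite3", "/Users/alice/notes.db"]},      # other database
    {"id": 4, "event.type": "end", "process.name": "sqlite3",
     "process.args": ["sqlite3", SYSTEM_DB]},                    # not a start event
    {"id": 5, "event.type": "start", "process.name": "python3",
     "process.args": ["python3", SYSTEM_DB]},                    # not sqlite
]


def alerting_event_ids(events) -> list:
    """Ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_tcc_rule(e)]


if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))  # [1, 2]
```

Event 3 shows the coverage limit of the path clause: a relative or non-canonical path to TCC.db (for example after `cd` into the directory) does not match the leading `/*/` pattern and would need an additional clause.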