--- title: "Prevent TCC Database Tampering | Security Cookbook" description: "Restrict TCC.db writes to Apple tccd daemon, blocking malware from granting itself camera, microphone, and contacts access on macOS." doc_version: "1" last_updated: "2026-05-22" canonical: "https://northpole.security/cookbook/prevent-tcc-tampering" --- [Back](https://northpole.security/cookbook) ### Idea macOS Transparency, Consent, and Control (TCC) is the system that manages privacy permissions - deciding which apps can access the camera, microphone, contacts, calendar, location, and other sensitive data. All these permissions are stored in SQLite databases called TCC.db. There are two TCC databases: - System-level: /Library/Application Support/com.apple.TCC/TCC.db - User-level: ~/Library/Application Support/com.apple.TCC/TCC.db Attackers who can modify these databases can grant themselves access to any protected resource without triggering permission prompts. This allows malware to: - Enable camera and microphone access silently - Read contacts and calendar data - Access photos and location data - Bypass all TCC protections Even with System Integrity Protection (SIP), the user-level TCC database can be vulnerable to tampering if the user has admin rights or if malware exploits vulnerabilities. This file access rule locks down both TCC databases so only the system TCC daemon (tccd) can write to them, preventing unauthorized permission grants. ### Solutions File AccessProtect TCC Database Restrict TCC database write access to tccd only Paths - • /Users/\*/Library/Application Support/com.apple.TCC/TCC.db - • /Users/\*/Library/Application Support/com.apple.TCC/TCC.db-shm - • /Users/\*/Library/Application Support/com.apple.TCC/TCC.db-wal - • /Library/Application Support/com.apple.TCC/TCC.db - • /Library/Application Support/com.apple.TCC/TCC.db-shm - • /Library/Application Support/com.apple.TCC/TCC.db-wal Policy ALLOWLIST Access Type write Processes - • Signing ID:platform:com.apple.tccd Custom Message TCC database can only be modified by the system TCC daemon ### Mitre Attack Tactics [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)[Defense Impairment](https://attack.mitre.org/tactics/TA0112/) Techniques [T1068: Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/)[T1685: Disable or Modify Tools](https://attack.mitre.org/techniques/T1685/) ### Tags tccprivacypermissionsprivilege-escalation ### Deployment Notes This rule protects the TCC database files including: - TCC.db: The main SQLite database - TCC.db-shm: SQLite shared memory file - TCC.db-wal: SQLite write-ahead log All three files must be protected for complete security, as SQLite uses all three files during operation. The rule blocks write access but allows read access, so security tools can still audit TCC permissions. Note: This does NOT prevent legitimate permission grants through System Settings or TCC prompts - those go through tccd which is explicitly allowed. ### False Positive Guidance Only the TCC daemon (tccd) should legitimately write to these databases. However, some edge cases may need consideration: - Security tools that audit TCC permissions (should only need read access) - Migration tools when setting up new Macs (run during setup before this rule is active) - MDM tools that pre-configure TCC (should use proper APIs, not direct database access) If you have legitimate tools that need to modify TCC, work with the vendor to use proper Apple APIs instead of direct database manipulation. ### Testing Instructions 1. Try to directly modify TCC.db: `sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access"` (read should work) 2. Try to write to TCC.db: `sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "DELETE FROM access WHERE client='test'"` (should be blocked) 3. Grant permission through System Settings (should work normally) 4. Verify apps can still request TCC permissions through normal prompts (should work) ### Detection Methods Monitor FAA events for blocked attempts to write to TCC.db files. This is a high-signal alert - any attempt to directly write to TCC.db is suspicious. Look for: - Scripts or compiled code trying to modify TCC.db - Database tools (sqlite3, DB Browser) trying to write to TCC.db - Unknown processes attempting TCC.db access Legitimate TCC changes always go through tccd, never through direct database writes. ### Resources [Objective-See: TCC ExploitationTake a look](https://objective-see.com/blog.html)[MITRE ATT&CK - Disable or Modify ToolsTake a look](https://attack.mitre.org/techniques/T1685/) ### Related Rules [ Defense EvasionExecution #### Prevent Gatekeeper from Being Disabled Block spctl from disabling macOS Gatekeeper protections, stopping attackers and social engineering attempts from weakening signature enforcement. ](https://northpole.security/cookbook/prevent-gatekeeper-disable)[ Privilege Escalation PreventionFile Access #### Prevent Sudoers Configuration Tampering Block direct writes to /etc/sudoers and sudoers.d except via sudo, stopping attackers from creating persistent root privilege escalation backdoors. ](https://northpole.security/cookbook/protect-sudoers) ## Sitemap - [Home](https://northpole.security/index.md) - [Workshop](https://northpole.security/workshop.md) - [Santa](https://northpole.security/santa.md) - [Features](https://northpole.security/features.md) - [Cookbook](https://northpole.security/cookbook.md) - [Docs](https://northpole.security/docs.md) - [Blog](https://northpole.security/blog.md) - [Glossary](https://northpole.security/glossary.md) - [About](https://northpole.security/about.md) - [Contact](https://northpole.security/contact.md)