Who has full-disk access?

Enumerating TCC.db with JXA

After reading a tweet from Wojciech Reguła (@_r3ggi) sharing 3 articles from F-Secure Labs’ blog posts concerning bypassing macOS’ Transparency, Consent and Control (TCC) by Luke Roberts (@rookuu_) and Calum Hall (@_calumhall), my colleagues Christopher Ross (@xorrior), Andy Grant (@andywgrant), and I took part in some discussion concerning the topic.

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'

First a bit about TCC

Transparency, Consent, & Control is basically macOS’ equivalent to Windows’ User Account Control (UAC). It requires that users consent, via a prompt, before applications can access user data and some system resources.
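
For auditing which clients hold full-disk access, the query above can be narrowed to the relevant rows. The following is an added example, not code from the original post. It assumes the TCC service name kTCCServiceSystemPolicyAllFiles and the access-table columns client, client_type, auth_value (Big Sur and later) and allowed (earlier releases), none of which appear on this page, and it runs against a constructed in-memory database with made-up rows.

```python
import sqlite3

# Assumption (not from the page): TCC service name for Full Disk Access.
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"

def full_disk_access_clients(conn):
    """Return [(client, client_type, granted)] for Full Disk Access rows."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    # Big Sur and later store the decision in auth_value (2 = allowed);
    # earlier releases use a boolean 'allowed' column.
    if "auth_value" in cols:
        granted_expr = "auth_value = 2"
    elif "allowed" in cols:
        granted_expr = "allowed = 1"
    else:
        raise ValueError("unrecognised access table schema")
    sql = (f"SELECT client, client_type, {granted_expr} FROM access "
           "WHERE service = ? ORDER BY client")
    return [(c, t, bool(g)) for c, t, g in conn.execute(sql, (FDA_SERVICE,))]

def build_sample_db(modern=True):
    """Constructed in-memory stand-in for TCC.db (trimmed columns, fake rows)."""
    conn = sqlite3.connect(":memory:")
    decision = "auth_value" if modern else "allowed"
    conn.execute(f"CREATE TABLE access (service TEXT, client TEXT, "
                 f"client_type INTEGER, {decision} INTEGER)")
    yes = 2 if modern else 1
    rows = [
        (FDA_SERVICE, "com.example.backup", 0, yes),
        (FDA_SERVICE, "/usr/local/bin/example-agent", 1, yes),
        (FDA_SERVICE, "com.example.editor", 0, 0),   # prompted, then denied
        ("kTCCServiceCamera", "com.example.chat", 0, yes),  # other service
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    for client, ctype, granted in full_disk_access_clients(build_sample_db()):
        # client_type 0 is a bundle identifier, 1 is an absolute path
        kind = "bundle id" if ctype == 0 else "path"
        print(f"{'GRANTED' if granted else 'denied '}  {kind:9}  {client}")
```

On a real system, pass full_disk_access_clients a read-only connection to the TCC.db path used in the sqlite3 command above instead of the sample database.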
