Who has full-disk access?
After reading a tweet from Wojciech Reguła (@_r3ggi) sharing three F-Secure Labs blog posts by Luke Roberts (@rookuu_) and Calum Hall (@_calumhall) on bypassing macOS Transparency, Consent and Control (TCC), my colleagues Christopher Ross (@xorrior), Andy Grant (@andywgrant), and I had a discussion on the topic.
Later, Chris was putting together some great documentation on macOS post-exploitation situational awareness for Red Team operations, and I wondered whether it would be worth adding checks against the TCC database to see which applications have full disk access (FDA) on the victim host. The contents of this sqlite3 database can be listed from the terminal with the following command:
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'
One caveat: the terminal itself must have been granted FDA by TCC, or the command above cannot open the database.
Originally, I was going to try importing TCC.framework into the JXA payload, but after talking to my good friend and former colleague Cedric Owens (@cedowens), he suggested simply importing sqlite3, as he had done in his Swift GitHub project pict-Swift. He also did a Google search and found an obscure article by TitanWolf on using sqlite3 from JXA, which he shared with me.
Time to dev!
First a bit about TCC
Transparency, Consent, & Control is basically macOS' equivalent of Windows' User Account Control (UAC): it requires the user to consent, via a prompt, before an application can access user data and certain system resources.
The TCC daemon (tccd) waits for requests and checks them against TCC.db. There is one sqlite3 TCC.db per user and one for root, located at
~/Library/Application Support/com.apple.TCC/TCC.db and
/Library/Application Support/com.apple.TCC/TCC.db, respectively.
The first cut of my code (PrintTCCdb) is a JXA payload that can be imported into the Apfell agent of Cody Thomas' (@its_a_feature_) Mythic C2 framework: use the jsimport command to import my printTCC.js, then run jsimport_call on the print_tccdb() function. If you have an Apfell agent calling back to your Mythic C2 and the terminal has FDA, the function returns the contents of the root TCC.db.
Next, I will add arguments to the function so that the C2 operator can specify which TCC.db to enumerate (current user, root, or another user on that host).
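As an added example (not the post's printTCC.js, and written in Python rather than JXA so it runs anywhere), this reads the access table of a TCC.db and lists the clients granted Full Disk Access, taking the database path as an argument the way the planned version of the payload would. The column names, the auth_value/allowed verdict values and the meaning of client_type are my assumptions about a schema that has changed across macOS releases; the sample database is constructed inline.

```python
import sqlite3

# Service name TCC records for Full Disk Access.
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"
# Assumed meaning of client_type: 0 = bundle identifier, 1 = absolute path.
CLIENT_TYPES = {0: "bundle id", 1: "path"}


def open_tcc_db(path):
    """Open a TCC.db read-only. On macOS this raises sqlite3.OperationalError
    unless the calling process itself has Full Disk Access (the caveat above)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def fda_clients(conn):
    """Return [(client, kind)] for every access row that grants Full Disk Access.
    Assumption: macOS 11+ stores the verdict in auth_value (2 = allowed), older
    releases in an `allowed` column (1 = allowed); detect which one is present."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    verdict = "auth_value = 2" if "auth_value" in cols else "allowed = 1"
    # verdict is one of two fixed literals, so interpolating it into SQL is safe.
    rows = conn.execute(
        f"SELECT client, client_type FROM access "
        f"WHERE service = ? AND {verdict} ORDER BY client",
        (FDA_SERVICE,),
    )
    return [(client, CLIENT_TYPES.get(ctype, "unknown")) for client, ctype in rows]


def build_sample_db(legacy_schema=False):
    """Constructed in-memory stand-in for TCC.db with only the columns the query
    needs (the real table has many more). legacy_schema=True mimics the assumed
    pre-Big Sur `allowed` column instead of auth_value."""
    verdict_col = "allowed" if legacy_schema else "auth_value"
    granted = 1 if legacy_schema else 2  # denied rows use 0 in both schemas
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE access (service TEXT, client TEXT, "
                 f"client_type INTEGER, {verdict_col} INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (FDA_SERVICE, "com.apple.Terminal", 0, granted),           # FDA granted
        (FDA_SERVICE, "/usr/local/bin/backup-agent", 1, granted),  # FDA granted, by path
        (FDA_SERVICE, "com.example.denied", 0, 0),                 # FDA denied
        ("kTCCServiceMicrophone", "com.example.chat", 0, granted), # unrelated service
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for client, kind in fda_clients(build_sample_db()):
        print(f"{client} ({kind})")
```

Against a real host, replace build_sample_db() with open_tcc_db("/Library/Application Support/com.apple.TCC/TCC.db") or the per-user path; without FDA the open itself fails, which is the same restriction the terminal command hits.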
As always, thanks for reading and stand-by for more sauce!