Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1474: Analytic 1474

Unauthorized modification of TCC.db followed by elevated process execution under a trusted parent (e.g., Finder, SystemUIServer) or via launchctl environment override. Also includes identification of SIP being disabled, which is highly uncommon and a prerequisite for this abuse path.

EnterpriseAN1474AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it points to a macOS privacy-control bypass pattern: unauthorized changes to TCC.db, followed by execution under a trusted parent process such as Finder or SystemUIServer, or through a launchctl environment override. The description also calls out disabled System Integrity Protection (SIP) as highly uncommon and a prerequisite for this abuse path. For leaders, the value is not only detecting one event, but validating whether macOS fleet controls, endpoint telemetry, and incident workflows can prove when privacy permissions and core protection states have been tampered with.

Executive priority

Prioritize this as a macOS endpoint integrity and compliance-evidence issue. If an organization relies on macOS for privileged users, developers, executives, or regulated workflows, unauthorized TCC.db modification and disabled SIP can undermine privacy permissions and weaken trust in endpoint state. Security leaders should ask whether the organization can inventory SIP status, detect changes to TCC.db, and correlate suspicious execution lineage involving trusted macOS parent processes. This is especially relevant for SOC readiness, incident response scoping, and audit evidence around endpoint hardening.

Technical view

Validate coverage on macOS for three evidence points from the ATT&CK analytic description: modification of TCC.db, elevated process execution under trusted parents such as Finder or SystemUIServer, and launchctl environment override activity. Because the official detection field is not provided and no relationships are supplied, teams should treat this as a detection-engineering prompt rather than a complete rule. Practical validation should focus on whether endpoint logging can capture file/database changes to TCC.db, process creation with parent-child lineage, elevated execution context, launchctl usage, and SIP status. Correlation is important: any one signal may be noisy or administrative, but the combination of TCC.db modification, unusual trusted-parent execution, launchctl environment manipulation, or disabled SIP should be reviewed with higher priority.

Likely telemetry

  • macOS endpoint process creation events with parent and child process lineage
  • File or database modification telemetry for TCC.db
  • Command or process telemetry involving launchctl environment changes
  • Endpoint posture or system state telemetry showing SIP enabled or disabled
  • Privilege/elevation context for executed processes

Detection direction

  • Confirm that macOS telemetry includes process parent-child relationships for trusted parents named in the analytic description, including Finder and SystemUIServer.
  • Validate that changes to TCC.db are logged with enough context to identify the modifying process, user, host, and time.
  • Monitor for disabled SIP as a high-signal posture condition, while confirming approved exceptions before escalation.
  • Correlate TCC.db modification with subsequent elevated execution or launchctl environment override behavior instead of relying on a single event in isolation.
  • Tune for administrative maintenance, troubleshooting, or managed-device workflows that may legitimately touch privacy permissions or system configuration.

Mitigation priorities

  • Establish a baseline for SIP status across managed macOS endpoints and investigate systems where SIP is disabled without an approved exception.
  • Harden macOS management practices so privacy permission changes are controlled, documented, and attributable through approved administration workflows.
  • Ensure endpoint monitoring or MDM can provide evidence of TCC.db changes, process lineage, and SIP posture for incident response and compliance review.
  • Restrict and review privileged administrative access on macOS systems, especially for users or devices with sensitive business access.
  • Create IR triage guidance for suspected TCC.db tampering that includes host isolation criteria, user impact assessment, and validation of endpoint protection state.
Analyst notes and limits

This object is a detection analytic, not a technique object, and the supplied ATT&CK fields do not include tactics, relationships, or an official detection procedure. The strongest decision value comes from using the description as a coverage checklist for macOS endpoint integrity: TCC.db modification, trusted-parent elevated execution, launchctl environment override, and SIP disabled state.

No official detection text, tactics, aliases, labels, or relationship context were supplied. This take does not assert active exploitation, attribution, prevalence, impact, or guaranteed detectability. Local macOS fleet configuration, MDM/EDR capabilities, approved administrative workflows, and logging depth are required to determine practical coverage and severity.

Official MITRE ATT&CK definition

Analytic 1474

Unauthorized modification of TCC.db followed by elevated process execution under a trusted parent (e.g., Finder, SystemUIServer) or via launchctl environment override. Also includes identification of SIP being disabled, which is highly uncommon and a prerequisite for this abuse path.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
ab18213b03ab036a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle ab18213b03ab…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1474
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use