MITRE ATT&CK® Detection Strategy

DET0534: TCC Database Manipulation via Launchctl and Unprotected SIP

Enterprise · DET0534 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it points to a macOS privacy-control abuse path: manipulation of the Transparency, Consent, & Control (TCC) database to grant elevated access to sensitive services or data. For leaders, the practical issue is not just endpoint malware detection; it is whether the organization can prove that macOS privacy permissions, Full Disk Access-style grants, and related privilege-escalation signals are monitored well enough to support incident response and audit decisions.

Executive priority

Treat this as a macOS privilege-escalation and sensitive-data-access readiness question. Security leaders should ask whether managed detection, endpoint logging, and IR playbooks can identify suspicious changes to TCC-related permissions, especially where business users handle regulated data, executive communications, screen sharing, camera, microphone, or other protected resources. Because the supplied ATT&CK object has no official detection text, priority should be on validating evidence collection and response procedures rather than assuming coverage exists.

Technical view

DET0534 is a detection strategy for T1548.006, TCC Manipulation, in the enterprise ATT&CK domain. The related technique is mapped to privilege escalation on macOS and describes adversaries manipulating or abusing the TCC service or database to grant malicious executables elevated permissions. SOC and detection engineering teams should validate whether they can observe TCC database or permission changes, activity involving macOS privacy-protected services, and suspicious use of launchctl, which the strategy name explicitly calls out. IR teams should be prepared to review whether unexpected executables received access to protected data or services and whether macOS privacy controls were altered outside normal administrative workflows.

Likely telemetry

  • macOS endpoint telemetry related to TCC permission changes
  • File or database change evidence for TCC-related stores where available
  • Process execution telemetry involving launchctl
  • Signals from the TCC daemon or macOS privacy/security logging where collected
  • Endpoint management or configuration evidence for SIP and privacy-control posture

Detection direction

  • Confirm that macOS telemetry is collected from systems where TCC-protected resources create business risk; the detection strategy object itself does not specify platforms, but the related technique is macOS.
  • Baseline legitimate administrative, MDM, and application-driven privacy permission changes to reduce false positives.
  • Review suspicious combinations of TCC permission changes, launchctl activity, and newly granted access to sensitive services or data.
  • Validate whether endpoint tools preserve enough context to identify the executable, user, timestamp, protected service, and source of the permission change.
  • Treat absence of official ATT&CK detection guidance as a coverage gap requiring local test validation rather than as evidence that existing alerts are sufficient.
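The following is an added illustration of the detection direction above; it is not code from Glexia or MITRE. It runs a simple correlation over constructed endpoint events: every modification of a TCC database by a process outside an approved-writer baseline is reported, rated higher when the same user executed launchctl shortly before, and each finding lists the triage fields (executable, user, timestamp, target) the sensor failed to supply. The event schema, the five-minute window, the approved-writer set and the MDM agent name are assumptions; the TCC.db path suffix is the standard macOS location.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Both standard TCC database locations end with this suffix
# (system-wide under /Library, per-user under ~/Library).
TCC_DB_SUFFIX = "Library/Application Support/com.apple.TCC/TCC.db"

# Writers expected to touch TCC.db in normal operation. Constructed baseline:
# tccd is the system daemon; the MDM agent name is a placeholder.
APPROVED_WRITERS = {"tccd", "mdm-agent-placeholder"}

# Context a responder needs to triage a permission change.
REQUIRED_CONTEXT = ("ts", "user", "process", "path")


@dataclass
class Event:
    ts: datetime
    event_type: str             # "process_exec" or "file_modify"
    process: str                # executable responsible for the event
    user: str
    path: Optional[str] = None  # target file for file_modify events
    argv: Optional[str] = None  # command line for process_exec events


def is_tcc_db(path: Optional[str]) -> bool:
    return bool(path) and path.endswith(TCC_DB_SUFFIX)


def missing_context(ev: Event) -> List[str]:
    """Names of required triage fields this event does not carry."""
    return [f for f in REQUIRED_CONTEXT if not getattr(ev, f)]


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Report every TCC.db modification by a non-approved writer.

    A finding is rated high when the same user ran launchctl within `window`
    before the write, medium otherwise. Missing triage fields are listed so
    the telemetry gap itself becomes visible to the reviewer.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    findings: List[Dict] = []
    for idx, ev in enumerate(ordered):
        if ev.event_type != "file_modify" or not is_tcc_db(ev.path):
            continue
        if ev.process in APPROVED_WRITERS:
            continue
        linked = [
            p for p in ordered[:idx]
            if p.event_type == "process_exec"
            and p.user == ev.user
            and "launchctl" in (p.argv or "")
            and ev.ts - p.ts <= window
        ]
        findings.append({
            "ts": ev.ts.isoformat(),
            "user": ev.user,
            "process": ev.process,
            "path": ev.path,
            "linked_launchctl": len(linked),
            "missing_context": missing_context(ev),
            "severity": "high" if linked else "medium",
        })
    return findings


# Constructed sample telemetry for one host (not real log data).
T = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    # Routine write by the TCC daemon itself: baselined, not reported.
    Event(T, "file_modify", "tccd", "root",
          path="/Library/Application Support/com.apple.TCC/TCC.db"),
    Event(T + timedelta(hours=1), "process_exec", "launchctl", "alice",
          argv="launchctl load /Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    Event(T + timedelta(hours=1, seconds=30), "file_modify", "sqlite3", "alice",
          path="/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"),
    # Same kind of write, but the sensor dropped the process name.
    Event(T + timedelta(hours=2, minutes=30), "file_modify", "", "bob",
          path="/Users/bob/Library/Application Support/com.apple.TCC/TCC.db"),
]


def run_sample() -> List[Dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample this yields two findings: the user-database write that follows alice's launchctl execution (high) and bob's write with no process attribution (medium, with `process` listed under `missing_context`). The second case is the point of the fourth bullet above: a finding that cannot name the executable is a coverage gap to fix, not noise to suppress.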

Mitigation priorities

  • Establish and document expected macOS privacy-control baselines for high-risk user groups and systems.
  • Use endpoint management and security configuration controls to maintain approved privacy permissions and system integrity posture where applicable.
  • Restrict and monitor administrative workflows capable of altering protected macOS privacy settings.
  • Include TCC permission review in macOS incident response triage and post-incident evidence collection.
  • Produce compliance-ready evidence showing how sensitive macOS permissions are governed, monitored, and reviewed.
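As an added example of the first two mitigation items (not Glexia's or MITRE's code), the script below compares an approved baseline of TCC grants for a high-risk user group against a constructed export of the TCC access table and reports drift in three classes: grants absent from the baseline, grants whose state changed, and baseline grants no longer present. The service keys are real TCC service names; the client identifiers, the export format and the mapping of `auth_value` 2 to "allowed" are assumptions.

```python
from typing import Dict, List, Tuple

Grant = Tuple[str, str]  # (TCC service key, client bundle id or executable path)

# Constructed approved baseline for a high-risk user group. Service keys are
# real TCC service names; client identifiers are placeholders.
BASELINE: Dict[Grant, str] = {
    ("kTCCServiceSystemPolicyAllFiles", "com.example.backup-agent"): "allowed",
    ("kTCCServiceScreenCapture", "com.example.meetings"): "allowed",
    ("kTCCServiceMicrophone", "com.example.meetings"): "allowed",
}

# Services whose grants expose regulated data or protected devices.
HIGH_RISK = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceScreenCapture",
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
}

# Constructed export of the access table as (service, client, auth_value).
# Treating auth_value 2 as allowed and anything else as denied is an
# assumption about the schema version in use.
SNAPSHOT = [
    ("kTCCServiceSystemPolicyAllFiles", "com.example.backup-agent", 2),
    ("kTCCServiceScreenCapture", "com.example.meetings", 2),
    ("kTCCServiceMicrophone", "com.example.meetings", 0),
    ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/unknown-tool", 2),
]


def normalize(rows) -> Dict[Grant, str]:
    """Collapse exported rows to a (service, client) -> state map."""
    return {(svc, client): ("allowed" if auth == 2 else "denied")
            for svc, client, auth in rows}


def drift(baseline: Dict[Grant, str], current: Dict[Grant, str]) -> Dict[str, list]:
    """Classify every difference between the approved baseline and the snapshot."""
    report: Dict[str, list] = {
        "unexpected_grant": [],      # allowed now, never approved
        "changed": [],               # approved entry whose state differs
        "missing_from_snapshot": [], # approved entry no longer present
    }
    for key, state in current.items():
        if key not in baseline:
            if state == "allowed":
                report["unexpected_grant"].append(key)
        elif baseline[key] != state:
            report["changed"].append((key, baseline[key], state))
    for key in baseline:
        if key not in current:
            report["missing_from_snapshot"].append(key)
    return report


def prioritize(report: Dict[str, list]) -> List[Grant]:
    """Unexpected grants on high-risk services go to the top of the review queue."""
    return [g for g in report["unexpected_grant"] if g[0] in HIGH_RISK]


def run_sample() -> Dict[str, list]:
    return drift(BASELINE, normalize(SNAPSHOT))


if __name__ == "__main__":
    result = run_sample()
    for category, entries in result.items():
        print(category, entries)
    print("review first:", prioritize(result))
```

Run against a periodic export from managed hosts, the report is the reviewable artefact the last two items ask for: the unexpected Full Disk Access grant to an unapproved executable is the case to ticket, while the microphone change is a state difference to reconcile with the baseline owner.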

Analyst notes and limits

The supplied ATT&CK detection strategy has no official description, tactics, platforms, or detection text. The strongest context comes from the relationship to T1548.006, TCC Manipulation, which is a macOS privilege-escalation technique. The strategy name references launchctl and unprotected SIP, so those should guide validation, but local telemetry and configuration evidence are required before making coverage claims.

This take is limited to the provided STIX fields, external reference, and relationship context. It does not assert active exploitation, actor attribution, customer exposure, guaranteed detection, or complete platform scope. Specific queries, vendor detections, and offensive procedures are intentionally omitted.

Official MITRE ATT&CK definition

TCC Database Manipulation via Launchctl and Unprotected SIP

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1548.006 | TCC Manipulation (sub-technique) | This object detects TCC Manipulation.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6823c2dccd2363af...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6823c2dccd23…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0534 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.