Suspicious TCC Access Granted for User Folders

Last updated: 2026-02-03
Created: 2026-01-30

About

Detects when TCC access is granted for multiple user folders like Desktop, Downloads and Documents in quick succession. Many information stealers require TCC permissions to access these locations and will prompt users to grant access for data exfiltration.
Tags
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Collection
Data Source: Elastic Defend
Language: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)

Collection (TA0009)

License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

endpoint

Query
FROM logs-endpoint.events.*
| WHERE host.os.type == "macos"
    AND event.action == "tcc_modify"
    AND Tcc.right == "allowed"
    AND Tcc.update_type == "create"
    AND Tcc.service IN ("SystemPolicyDocumentsFolder", "SystemPolicyDownloadsFolder", "SystemPolicyDesktopFolder")
    AND Effective_process.name RLIKE "(bash|zsh|sh|osascript|python.*|perl.*|ruby.*|node|Terminal|iTerm2|ghostty)"
| STATS Esql.grant_count = COUNT(*),
        Esql.unique_folders = COUNT_DISTINCT(Tcc.service),
        Esql.folders = VALUES(Tcc.service)
  BY Effective_process.entity_id, Effective_process.executable, host.name, user.name
| WHERE Esql.unique_folders >= 2
| KEEP Esql.*, Effective_process.entity_id, Effective_process.executable, host.name, user.name
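To exercise the rule's filter and threshold offline, here is the same logic re-implemented in Python over constructed sample events. This is an added example, not Elastic's code; the field names follow the ES|QL query above, while the event values (entity ids, executables, host and user names) are made up.

```python
import re
from collections import defaultdict

# Values taken from the rule's ES|QL query.
USER_FOLDER_SERVICES = {"SystemPolicyDocumentsFolder", "SystemPolicyDownloadsFolder", "SystemPolicyDesktopFolder"}
# ES|QL RLIKE matches the whole string, so use fullmatch rather than search.
PROCESS_PATTERN = re.compile(r"(bash|zsh|sh|osascript|python.*|perl.*|ruby.*|node|Terminal|iTerm2|ghostty)")

def passes_filter(ev):
    """Mirror the rule's WHERE clause for one tcc_modify event."""
    return (ev.get("host.os.type") == "macos" and ev.get("event.action") == "tcc_modify"
            and ev.get("Tcc.right") == "allowed" and ev.get("Tcc.update_type") == "create"
            and ev.get("Tcc.service") in USER_FOLDER_SERVICES
            and PROCESS_PATTERN.fullmatch(ev.get("Effective_process.name", "")) is not None)

def evaluate_rule(events, min_unique_folders=2):
    """Mirror STATS ... BY ... | WHERE Esql.unique_folders >= 2; return one alert dict per group."""
    groups = defaultdict(list)
    for ev in events:
        if passes_filter(ev):
            key = (ev["Effective_process.entity_id"], ev["Effective_process.executable"],
                   ev["host.name"], ev["user.name"])
            groups[key].append(ev["Tcc.service"])
    alerts = []
    for (entity_id, executable, host, user), services in groups.items():
        folders = sorted(set(services))  # COUNT_DISTINCT / VALUES over Tcc.service
        if len(folders) >= min_unique_folders:
            alerts.append({"Effective_process.entity_id": entity_id, "Effective_process.executable": executable,
                           "host.name": host, "user.name": user, "Esql.grant_count": len(services),
                           "Esql.unique_folders": len(folders), "Esql.folders": folders})
    return alerts

def make_event(entity_id, name, executable, service, right="allowed", update_type="create"):
    """Build a constructed sample event using the rule's field names (all values are made up)."""
    return {"host.os.type": "macos", "event.action": "tcc_modify", "Tcc.right": right,
            "Tcc.update_type": update_type, "Tcc.service": service, "Effective_process.name": name,
            "Effective_process.entity_id": entity_id, "Effective_process.executable": executable,
            "host.name": "mac-01", "user.name": "alice"}

# Constructed sample: osascript granted three folders (Desktop twice), python3 granted one folder,
# and Finder (not matched by the process regex) granted two folders.
SAMPLE_EVENTS = [
    make_event("p1", "osascript", "/usr/bin/osascript", "SystemPolicyDesktopFolder"),
    make_event("p1", "osascript", "/usr/bin/osascript", "SystemPolicyDownloadsFolder"),
    make_event("p1", "osascript", "/usr/bin/osascript", "SystemPolicyDocumentsFolder"),
    make_event("p1", "osascript", "/usr/bin/osascript", "SystemPolicyDesktopFolder"),
    make_event("p2", "python3", "/usr/bin/python3", "SystemPolicyDesktopFolder"),
    make_event("p3", "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "SystemPolicyDesktopFolder"),
    make_event("p3", "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "SystemPolicyDownloadsFolder"),
]
```

`evaluate_rule(SAMPLE_EVENTS)` returns a single alert for the osascript process with `Esql.grant_count` 4 and `Esql.unique_folders` 3; the Finder grants never reach the aggregation because the process-name filter drops them.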

Install detection rules in Elastic Security

Detect Suspicious TCC Access Granted for User Folders in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, follow the installation guide for Prebuilt Security Detection Rules.