Query Details

SQLite3 TCC

Query

Tags:

Query:
DeviceProcessEvents
| where FileName contains "sqlite" and ProcessCommandLine contains "com.apple.TCC/TCC.db"

Reference:
https://www.loobins.io/binaries/sqlite3/
https://github.com/elastic/detection-rules/blob/e9baebc2bc18f90ae16501613cd9521a16a38ad7/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Explanation

This query is searching through device process events to find instances where:

  1. The file name includes the term "sqlite".
  2. The command line used to run the process includes the path "com.apple.TCC/TCC.db".

In simple terms, it's looking for SQLite processes that interact with the TCC database on macOS (TCC.db is the store behind the Transparency, Consent, and Control privacy permissions). Direct access to that file with sqlite3 is unusual for ordinary software and is the behaviour the referenced Elastic rule classifies as defense evasion through privacy control modification. The references give more context on the use of SQLite in this scenario and on the detection logic for such activity.
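As an added example (not part of the original page), the same predicate re-implemented in Python over constructed DeviceProcessEvents rows, so the match semantics can be checked offline; it mirrors KQL's case-insensitive `contains` and the sample rows and device names are made up:

```python
# Added example: re-implements the KQL predicate above over constructed
# DeviceProcessEvents rows so the match semantics can be checked offline.
# KQL `contains` is case-insensitive, so the check lowercases both sides.

# Constructed sample rows (not real telemetry); field names follow the
# DeviceProcessEvents columns used by the query.
SAMPLE_EVENTS = [
    {"DeviceName": "mac-01", "FileName": "sqlite3",
     "ProcessCommandLine": "sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "
                           "\"select * from access\""},
    {"DeviceName": "mac-02", "FileName": "SQLite3",   # mixed case still matches
     "ProcessCommandLine": "SQLite3 ~/Library/Application Support/com.apple.TCC/TCC.db .dump"},
    {"DeviceName": "mac-03", "FileName": "sqlite3",   # sqlite, but not TCC.db
     "ProcessCommandLine": "sqlite3 /tmp/app.db .tables"},
    {"DeviceName": "mac-04", "FileName": "cat",       # TCC.db, but not sqlite
     "ProcessCommandLine": "cat /Library/Application Support/com.apple.TCC/TCC.db"},
]


def kql_contains(haystack, needle):
    """Mimic KQL `contains`: case-insensitive substring match."""
    return needle.lower() in (haystack or "").lower()


def matches_tcc_sqlite(event):
    """Same predicate as the hunting query:
    FileName contains "sqlite" and ProcessCommandLine contains "com.apple.TCC/TCC.db"."""
    return (kql_contains(event.get("FileName", ""), "sqlite")
            and kql_contains(event.get("ProcessCommandLine", ""), "com.apple.TCC/TCC.db"))


def hunt(events):
    """Return the rows that survive the `| where` clause."""
    return [e for e in events if matches_tcc_sqlite(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["ProcessCommandLine"])
```

The `cat` row shows the query's scope: it only covers invocations of an SQLite binary, so reads or copies of TCC.db made with other tools need a separate rule.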

Details


Ali Hussein

Released: October 28, 2023

Tables

DeviceProcessEvents

Keywords

Devices

Operators

DeviceProcessEvents, | (pipe), where, contains, and
