sqlite3
Created by Brendan Chamberlain (@infosecB)
Description
sqlite3 is the command-line utility for querying and managing SQLite databases. Many macOS components and third-party apps use SQLite to store data, including the TCC permission database, browser cookie stores and the LaunchServices quarantine log. Because the binary ships with the OS, attackers can use it to read that data without dropping any tooling of their own.
| Created | Tactics | Tags |
|---|---|---|
| 2023-05-23 | Discovery, Collection, Credential Access | permissions, oneliner, cookie-theft |
Paths
/usr/bin/sqlite3
Use Cases
Get apps with Full Disk access
The following command queries the system TCC (Transparency, Consent, and Control) database for apps that have been granted Full Disk Access. In the `access` table, `auth_value` is 0 for denied, 1 for unknown, 2 for allowed and 3 for limited, so filter on `auth_value = 2` rather than on any non-zero value. Reading the system TCC.db requires root and a calling process (for example the Terminal) that itself already holds Full Disk Access; otherwise sqlite3 fails with "unable to open database file". Per-user grants live in `~/Library/Application Support/com.apple.TCC/TCC.db`.
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
"select client from access where auth_value = 2 and service = 'kTCCServiceSystemPolicyAllFiles'"
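The difference between filtering on any non-zero `auth_value` and on `auth_value = 2` is easiest to see on data. The script below is an added example, not part of the LOOBins entry: it builds a constructed, simplified copy of the `access` table with Python's built-in sqlite3 module (real TCC.db has more columns and is protected by TCC itself), runs both forms of the query, and decodes `auth_value` and `client_type` (0 = bundle identifier, 1 = absolute path). The helper `open_real_tcc_db` shows how to open the real file read-only and report the access failure cleanly; the paths and bundle identifiers in the sample rows are invented.

```python
import sqlite3

# Constructed, simplified subset of the TCC.db `access` table. Example data only;
# the real table carries additional columns (csreq, auth_reason, flags, ...).
SAMPLE_ROWS = [
    # (service, client, client_type, auth_value)
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2),       # allowed
    ("kTCCServiceSystemPolicyAllFiles", "com.example.backupagent", 0, 2),  # allowed
    ("kTCCServiceSystemPolicyAllFiles", "com.example.denied", 0, 0),       # denied
    ("kTCCServiceSystemPolicyAllFiles", "com.example.unknown", 0, 1),      # unknown
    ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/tool", 1, 3),      # limited
    ("kTCCServiceMicrophone", "com.example.chat", 0, 2),                   # other service
]

# auth_value meanings used by TCC on current macOS
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
FDA = "kTCCServiceSystemPolicyAllFiles"


def build_sample_tcc_db():
    """Return an in-memory SQLite connection holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def clients_truthy(conn, service=FDA):
    """'where auth_value' keeps every non-zero value: allowed, unknown and limited."""
    rows = conn.execute(
        "SELECT client FROM access WHERE auth_value AND service = ?", (service,)
    )
    return [r[0] for r in rows]


def clients_allowed(conn, service=FDA):
    """Only rows whose auth_value is 2 (allowed)."""
    rows = conn.execute(
        "SELECT client FROM access WHERE auth_value = 2 AND service = ?", (service,)
    )
    return [r[0] for r in rows]


def decoded_entries(conn, service=FDA):
    """Every entry for the service with client_type and auth_value decoded."""
    rows = conn.execute(
        "SELECT client, client_type, auth_value FROM access "
        "WHERE service = ? ORDER BY client",
        (service,),
    )
    return [
        (client, "bundle" if ctype == 0 else "path", AUTH_VALUE.get(value, f"other({value})"))
        for client, ctype, value in rows
    ]


def open_real_tcc_db(path="/Library/Application Support/com.apple.TCC/TCC.db"):
    """Open the real database read-only.

    Succeeds only as root from a process that already has Full Disk Access;
    otherwise TCC blocks the open and sqlite3 reports 'unable to open database file'.
    """
    try:
        conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        conn.execute("SELECT 1 FROM access LIMIT 1")
        return conn
    except sqlite3.OperationalError as exc:
        raise SystemExit(f"cannot read {path}: {exc} (needs root and Full Disk Access)")


if __name__ == "__main__":
    db = build_sample_tcc_db()
    print("non-zero auth_value:", clients_truthy(db))
    print("auth_value = 2     :", clients_allowed(db))
    for entry in decoded_entries(db):
        print(entry)
```

On the constructed data the loose filter reports four clients (including the unknown and limited entries) while the precise one reports the two that actually hold Full Disk Access.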
Get Firefox cookie data
The following one-liner kills Firefox and dumps the cookie table from every profile under the user's Firefox directory. Firefox keeps `cookies.sqlite` locked while it is running, which is why the browser is killed first; a quieter alternative is to copy `cookies.sqlite` (and `cookies.sqlite-wal`, if present) elsewhere and query the copy. Matching on the exact file name avoids also passing the `-wal` and `-shm` side files to sqlite3.
killall firefox; find ~/Library/Application\ Support/Firefox/Profiles -name cookies.sqlite -exec sqlite3 {} "select * from moz_cookies" \;
View URL associated with file downloads
The following sqlite3 command is commonly used by macOS malware to recover the URL from which its payload was downloaded. The LaunchServices quarantine database records every download made by a quarantine-aware app (Safari, Chrome, Mail and others), and the same table also holds the originating page (`LSQuarantineOriginURLString`), the downloading app (`LSQuarantineAgentName`) and a timestamp (`LSQuarantineTimeStamp`, in seconds since 2001-01-01 UTC), which makes it useful to forensic analysts as well.
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
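To make the quarantine records readable in a timeline, the timestamp has to be converted from the Cocoa epoch and the download host pulled out of the URL. The script below is an added example, not from the LOOBins entry: it uses Python's built-in sqlite3 module against a constructed in-memory copy of a subset of the `LSQuarantineEvent` columns (the real table has more), so it runs without access to a user's real `com.apple.LaunchServices.QuarantineEventsV2` file. The event identifiers, URLs and timestamps in the sample rows are invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# LSQuarantineTimeStamp counts seconds since the Cocoa / Core Data epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed rows mirroring a subset of LSQuarantineEvent. Example data only.
SAMPLE_EVENTS = [
    # (EventIdentifier, TimeStamp, AgentName, DataURLString, OriginURLString)
    ("E1", 706000000.0, "Safari",
     "https://cdn.example.com/files/Installer.dmg", "https://www.example.com/download"),
    ("E2", 706003600.0, "Google Chrome",
     "https://evil.example.net/payload.zip", None),
    ("E3", 706007200.0, "Mail", None, None),  # e.g. a mail attachment with no URL
]


def build_sample_quarantine_db():
    """Return an in-memory SQLite connection holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent ("
        "LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
        "LSQuarantineTimeStamp REAL, "
        "LSQuarantineAgentName TEXT, "
        "LSQuarantineDataURLString TEXT, "
        "LSQuarantineOriginURLString TEXT)"
    )
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def cocoa_to_datetime(seconds):
    """Convert an LSQuarantineTimeStamp value to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def download_events(conn):
    """Return the quarantine log as a time-ordered list of dicts; None fields are kept."""
    rows = conn.execute(
        "SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineDataURLString, LSQuarantineOriginURLString "
        "FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp"
    )
    events = []
    for ident, ts, agent, data_url, origin_url in rows:
        events.append({
            "id": ident,
            "time": cocoa_to_datetime(ts).isoformat() if ts is not None else None,
            "agent": agent,
            "data_url": data_url,
            "host": urlsplit(data_url).hostname if data_url else None,
            "origin_url": origin_url,
        })
    return events


def hosts_seen(conn):
    """Distinct download hosts, the quickest pivot for a threat-intel lookup."""
    return sorted({e["host"] for e in download_events(conn) if e["host"]})


if __name__ == "__main__":
    db = build_sample_quarantine_db()
    for event in download_events(db):
        print(event)
    print("hosts:", hosts_seen(db))
```

To run it against a real file, open it read-only with `sqlite3.connect("file:/Users/<user>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2?mode=ro", uri=True)` and pass that connection to `download_events`; rows with a NULL URL (local attachments) are kept rather than dropped so the timeline stays complete.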
Detections
Elastic Detection Rules: Potential Privacy Control Bypass via TCCDB Modification
Splunk Security Content: Suspicious SQLite3 LSQuarantine Behavior
Jamf Protect: Detect SQLite3 activity used to associate URLs with downloaded files
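The rules listed above all reduce to the same idea: a `sqlite3` process whose arguments name one of the sensitive databases, or whose SQL names their tables. The script below is an added example, not the logic of any of the listed vendors' rules: it runs that check over a few constructed process-execution events (a simplified shape, not real EDR telemetry). Matching on the SQL text as well as the file path is deliberate, so that copying `cookies.sqlite` to an innocuous location before querying it, the quiet alternative to killing Firefox, still triggers. The paths, PIDs and user in the sample events are invented.

```python
import os
import re

# Constructed process-execution events. Simplified shape; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 101, "user": "alice", "parent": "/bin/zsh",
     "argv": ["sqlite3", "/Library/Application Support/com.apple.TCC/TCC.db",
              "select client from access where auth_value = 2 "
              "and service = 'kTCCServiceSystemPolicyAllFiles'"]},
    # cookie db copied to /tmp first: no sensitive path, but the table name gives it away
    {"pid": 102, "user": "alice", "parent": "/bin/bash",
     "argv": ["/usr/bin/sqlite3", "/tmp/c.sqlite", "select * from moz_cookies"]},
    {"pid": 103, "user": "alice", "parent": "/usr/bin/osascript",
     "argv": ["sqlite3",
              "/Users/alice/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2",
              "select LSQuarantineDataURLString from LSQuarantineEvent"]},
    # benign developer use of sqlite3: must not alert
    {"pid": 104, "user": "alice", "parent": "/bin/zsh",
     "argv": ["sqlite3", "/Users/alice/Projects/app/dev.db", "select count(*) from users"]},
    # not sqlite3 at all
    {"pid": 105, "user": "alice", "parent": "/bin/zsh",
     "argv": ["/usr/bin/python3", "report.py"]},
]

# Each rule: name, regex over file-path arguments, regex over SQL-text arguments.
RULES = [
    ("tcc_db_access",
     re.compile(r"/com\.apple\.TCC/TCC\.db$"),
     re.compile(r"\bfrom\s+access\b", re.I)),
    ("firefox_cookie_access",
     re.compile(r"/cookies\.sqlite$"),
     re.compile(r"\bmoz_cookies\b", re.I)),
    ("lsquarantine_query",
     re.compile(r"/com\.apple\.LaunchServices\.QuarantineEventsV\d*$"),
     re.compile(r"\bLSQuarantineEvent\b|\bLSQuarantine\w+URLString\b", re.I)),
]


def is_sqlite3(argv):
    """True when the executed binary is sqlite3, whatever directory it was run from."""
    return bool(argv) and os.path.basename(argv[0]) == "sqlite3"


def evaluate(event):
    """Return the names of the rules a single process event triggers."""
    argv = event["argv"]
    if not is_sqlite3(argv):
        return []
    args = argv[1:]
    hits = []
    for name, path_re, sql_re in RULES:
        if any(path_re.search(a) for a in args) or any(sql_re.search(a) for a in args):
            hits.append(name)
    return hits


def scan(events):
    """Return (pid, rule) pairs for every event that triggers a rule."""
    return [(ev["pid"], rule) for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The `from access` pattern is the weakest of the three, since any application database could have a table of that name; in production, pair it with the TCC path match or with a parent-process allow-list rather than using the SQL match alone.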