sqlite3

Created by Brendan Chamberlain (@infosecB)

Description

sqlite3 is a command-line utility that allows users to query and manage SQLite databases. Many macOS components and apps use SQLite to store data. Attackers can leverage this tool to discover sensitive data.

Created: 2023-05-23
Tactics: Discovery, Collection, Credential Access
Tags: permissions, oneliner, cookie-theft

Paths

  • /usr/bin/sqlite3

Use Cases

Get apps with Full Disk access

The following command queries the TCC (Transparency, Consent, and Control) database to list the apps that have been granted the Full Disk Access permission.

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
'select client from access where auth_value and service = "kTCCServiceSystemPolicyAllFiles"'
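The TCC query above treats any non-zero auth_value as "has access", so it also returns entries that are only unknown or limited. The following added example (not part of the original page) reproduces the query with Python's built-in sqlite3 module against a constructed in-memory copy of the access table, so it runs anywhere without touching the real TCC.db (which itself needs Full Disk Access to read). The auth_value meanings it assumes (0 denied, 1 unknown, 2 allowed, 3 limited) are taken from the TCC schema on macOS 11 and later; the client bundle IDs are made up.

```python
"""Audit Full Disk Access grants in a TCC-style `access` table.

Added example, not part of the original LOOBins page. It uses Python's
built-in sqlite3 module against a constructed in-memory copy of the `access`
table instead of the real /Library/Application Support/com.apple.TCC/TCC.db.
Column names (client, service, auth_value) match the page's query; the
auth_value meanings below are assumed from the macOS 11+ TCC schema.
"""
import sqlite3

FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"

# Assumed auth_value meanings (TCC on macOS 11 and later).
AUTH_DENIED, AUTH_UNKNOWN, AUTH_ALLOWED, AUTH_LIMITED = 0, 1, 2, 3

# Constructed sample rows: (client, service, auth_value). Bundle IDs are made up.
SAMPLE_ROWS = [
    ("com.apple.Terminal", FDA_SERVICE, AUTH_ALLOWED),
    ("com.example.backup-agent", FDA_SERVICE, AUTH_ALLOWED),
    ("com.example.chat", FDA_SERVICE, AUTH_DENIED),
    ("com.example.updater", FDA_SERVICE, AUTH_UNKNOWN),  # prompted, never answered
    ("com.example.photos", "kTCCServiceCamera", AUTH_ALLOWED),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table holding only the TCC columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (client TEXT, service TEXT, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fda_clients_loose(conn: sqlite3.Connection) -> list:
    """The page's filter: any non-zero auth_value counts as 'has access'.

    This also returns 'unknown' (1) and 'limited' (3) rows, which are not
    unconditional grants. The service name is bound as a parameter rather than
    written in double quotes: SQLite only treats double-quoted text as a string
    literal when no column of that name exists.
    """
    rows = conn.execute(
        "SELECT client FROM access WHERE auth_value AND service = ?", (FDA_SERVICE,)
    )
    return sorted(r[0] for r in rows)


def fda_clients_strict(conn: sqlite3.Connection) -> list:
    """Only rows whose auth_value is the explicit 'allowed' value."""
    rows = conn.execute(
        "SELECT client FROM access WHERE auth_value = ? AND service = ?",
        (AUTH_ALLOWED, FDA_SERVICE),
    )
    return sorted(r[0] for r in rows)


def unexpected_fda_grants(conn: sqlite3.Connection, expected: set) -> list:
    """Defender check: allowed FDA clients that are not on an approved list."""
    return [c for c in fda_clients_strict(conn) if c not in expected]


if __name__ == "__main__":
    db = build_sample_db()
    print("loose :", fda_clients_loose(db))
    print("strict:", fda_clients_strict(db))
    print("unexpected:", unexpected_fda_grants(db, {"com.apple.Terminal"}))
```

On a real system, point `sqlite3.connect` at the TCC.db path from the page (the calling process needs Full Disk Access) and compare the strict list against your approved set; a client appearing in the loose list but not the strict one is a pending or limited grant rather than a full one.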

Dump Firefox cookies

The following one-liner can be used to kill Firefox and dump cookie data from the user's Firefox profile.

killall firefox; find ~/Library/Application\ Support/Firefox/Profiles/. | grep cookies.sqlite | xargs -I {} sqlite3 {} "select * from moz_cookies"

View URL associated with file downloads

The following sqlite3 command is commonly used by macOS malware to look up the URL from which its payload was downloaded.

sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'

Detections
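All three use cases above share one observable: a sqlite3 process whose arguments name a specific database (TCC.db, a Firefox cookies.sqlite, or a QuarantineEventsV* file). The following added example (not part of the original page) runs that detection logic over a constructed JSON-lines feed of process-execution events. The event shape (exe, parent_exe, pid, argv) is invented to stand in for whatever your EDR or Endpoint Security client records; the watched paths are the ones listed on this page, and the parent-process allowlist entry is a placeholder.

```python
"""Flag sqlite3 executions that read macOS databases attackers go after.

Added example, not part of the original LOOBins page. Input is a constructed
JSON-lines feed of process-execution events with `exe`, `parent_exe`, `pid`
and `argv` fields (a made-up shape standing in for an EDR or Endpoint
Security exec event). The watched paths are the ones the page lists.
"""
import json
import os
import re
from typing import Optional

# One pattern per use case on the page. The quarantine database name is
# versioned (QuarantineEventsV*), so it is matched by prefix plus digits.
WATCHED_PATHS = {
    "tcc-full-disk-access": re.compile(r"com\.apple\.TCC/TCC\.db$"),
    "firefox-cookies": re.compile(r"/Firefox/Profiles/.*/cookies\.sqlite$"),
    "quarantine-events": re.compile(
        r"com\.apple\.LaunchServices\.QuarantineEventsV\d*$"
    ),
}

# Constructed sample events; user name, pids and the backup app are made up.
SAMPLE_EVENTS = """
{"pid": 4101, "exe": "/usr/bin/sqlite3", "parent_exe": "/bin/zsh", "argv": ["sqlite3", "/Library/Application Support/com.apple.TCC/TCC.db", "select client from access where auth_value and service = 'kTCCServiceSystemPolicyAllFiles'"]}
{"pid": 4102, "exe": "/usr/bin/sqlite3", "parent_exe": "/usr/bin/xargs", "argv": ["sqlite3", "/Users/alice/Library/Application Support/Firefox/Profiles/./abcd1234.default-release/cookies.sqlite", "select * from moz_cookies"]}
{"pid": 4103, "exe": "/usr/bin/sqlite3", "parent_exe": "/bin/sh", "argv": ["sqlite3", "/Users/alice/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2", "select LSQuarantineDataURLString from LSQuarantineEvent"]}
{"pid": 4104, "exe": "/usr/bin/sqlite3", "parent_exe": "/bin/zsh", "argv": ["sqlite3", "/Users/alice/notes.db", ".tables"]}
{"pid": 4105, "exe": "/usr/bin/grep", "parent_exe": "/bin/zsh", "argv": ["grep", "cookies.sqlite"]}
{"pid": 4106, "exe": "/usr/bin/sqlite3", "parent_exe": "/Applications/Approved Backup.app/Contents/MacOS/backupd", "argv": ["sqlite3", "/Library/Application Support/com.apple.TCC/TCC.db", ".schema"]}
"""


def classify_sqlite_exec(event: dict) -> Optional[str]:
    """Return the use-case label if sqlite3 is opening a watched DB, else None.

    Matching is done on the sqlite3 process's own argv: in the page's xargs
    one-liner the parent shell's command line never contains the resolved
    profile path, but the sqlite3 child's argv does.
    """
    if os.path.basename(event.get("exe", "")) != "sqlite3":
        return None
    for arg in event.get("argv", [])[1:]:
        for label, pattern in WATCHED_PATHS.items():
            if pattern.search(arg):
                return label
    return None


def scan(lines, allowed_parents=frozenset()) -> list:
    """Return (pid, parent_exe, label) for each hit, skipping approved parents.

    The allowlist is keyed on the parent binary so that a known backup or
    management agent querying TCC.db does not page the on-call engineer.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        label = classify_sqlite_exec(event)
        if label is None or event.get("parent_exe") in allowed_parents:
            continue
        alerts.append((event["pid"], event.get("parent_exe"), label))
    return alerts


if __name__ == "__main__":
    approved = frozenset({"/Applications/Approved Backup.app/Contents/MacOS/backupd"})
    for pid, parent, label in scan(SAMPLE_EVENTS.splitlines(), approved):
        print(f"pid={pid} parent={parent} use-case={label}")
```

The grep event (pid 4105) is ignored on purpose: the page's one-liner passes "cookies.sqlite" through grep before sqlite3 ever runs, and alerting on the shell pipeline's intermediate processes would only duplicate the hit on the sqlite3 child. Tune the allowlist to the parent binaries that legitimately audit TCC.db in your fleet.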

Resources