macOS Unauthorized Access · Persistence · Covert Monitoring

Mac Unauthorized Access Forensics

Independent forensic investigation of suspected unauthorized access to a Mac — covert monitoring software, persistence mechanisms, remote-access implants, and unexplained changes to system state.

← Canonical HubThis page is part of the Mac Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Mac Unauthorized Access Forensics answers “did someone else use, monitor, or compromise this Mac” by systematically reviewing every persistence surface (LaunchAgents, LaunchDaemons, login items, cron, at, periodic, kext, SystemExtensions), every privacy grant (TCC.db), every code-signing decision (syspolicy, XProtect, MRT), and every remote-access footprint — cross-referenced with a Mac forensic timeline.

Every persistence location we always check

MechanismLocationEvidence recorded
LaunchAgents (user)~/Library/LaunchAgents/*.plistPer-user auto-start; runs on login
LaunchAgents (system)/Library/LaunchAgents/*.plistAll-user auto-start
LaunchAgents (Apple)/System/Library/LaunchAgents/*.plistSystem-provided; changes here are highly suspect
LaunchDaemons (system)/Library/LaunchDaemons/*.plistRuns as root at boot
LaunchDaemons (Apple)/System/Library/LaunchDaemons/*.plistSystem-provided
Login Items~/Library/Application Support/com.apple.backgroundtaskmanagement/BackgroundItems.btmGUI login items and modern background tasks
cron/private/var/at/tabs/Per-user cron entries
at / periodic/private/var/at/, /etc/periodic/One-shot and periodic scripts
LoginHook / LogoutHookcom.apple.loginwindow.plistLegacy but still respected
SystemExtensions/Library/SystemExtensions/db.plistEndpoint Security / network / DriverKit extensions
Kernel extensions/Library/Extensions/, kmutil showloadedLegacy kexts (require reboot to load)
Configuration Profiles/Library/Managed Preferences/, profiles listMDM-pushed policy — covert monitoring vector
Sudoers/etc/sudoers, /etc/sudoers.d/Elevated command surface

TCC grants — the covert monitoring smoking gun

Nearly every credible covert-monitoring tool on modern macOS requires the target user to grant Screen Recording, Accessibility, Input Monitoring, or Full Disk Access in System Settings. Each grant is recorded in ~/Library/Application Support/com.apple.TCC/TCC.db (per-user) or /Library/Application Support/com.apple.TCC/TCC.db (system) with:

  • client — bundle ID of the granted app
  • service — kTCCServiceScreenCapture, kTCCServiceAccessibility, kTCCServiceListenEvent, etc.
  • allowed and prompt_count
  • last_modified — when the grant was made

An unexplained Screen Recording or Accessibility grant to an app the user does not recognize — especially one installed from outside the App Store — is a decisive indicator. We review every non-Apple TCC row in every matter of suspected covert monitoring.

Known monitoring / spouseware families we inventory

Without naming specific commercial tools on this public page, we systematically check for the persistence-file names, bundle IDs, launch-agent labels, and network endpoints publicly documented by security researchers and by Apple’s own XProtect and MRT (Malware Removal Tool) signature updates. Where present, we preserve the binaries and their configuration for chain-of-custody handoff to counsel or law enforcement.

Living-off-the-land on macOS

Attackers increasingly avoid custom binaries. In every intrusion matter we review execution of:

  • osascript — AppleScript invocations, often loaded with base64-encoded payloads
  • curl, python3, ruby — download-and-execute patterns
  • launchctl load — LaunchAgent registration events in com.apple.launchd
  • sqlite3 — reads of TCC.db or Safari History.db by non-Apple processes
  • xattr -c or xattr -d com.apple.quarantine — evasion of Gatekeeper
  • plutil / defaults write — silent modification of preferences and LaunchAgents

Ruling in vs ruling out

Many matters end defense-favorably: no unauthorized LaunchAgents outside Apple defaults, no non-Apple TCC grants of significance, no unknown SystemExtensions, no unexplained network connections in the Unified Log, no XProtect / MRT signatures triggered, and shell / KnowledgeC.db activity fully consistent with the account holder. In those cases the report enumerates the surfaces reviewed, the negatives found, and the confidence bound on the conclusion. See the Mac Forensics hub for the full framework.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.

Related Mac forensics pages

Frequently asked questions

Can you rule out unauthorized access conclusively?

Rarely in absolute terms, but we can express high-confidence findings when every persistence surface, TCC row, XProtect signature, and network artifact within the retention window is negative. Reports state confidence explicitly.

What if the attacker deleted their tools?

Deletion itself leaves records: LaunchAgent files were present in APFS snapshots, TCC grants persist even after the app is removed, Unified Log records the launchctl unload and the rm, and shell history captures the commands.

Are covert monitoring tools common on Mac?

They exist but are less prevalent than on Windows. Most credible tools require Screen Recording and Accessibility grants, which the target user (or someone at the keyboard with admin rights) had to approve — a fact that itself is investigatively important.

Ready to move on your mac unauthorized access matter?

Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Apple: XProtect and MRT. support.apple.com
  2. Objective-See: macOS malware collection. objective-see.org
  3. MITRE ATT&CK for macOS. attack.mitre.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#MacForensics #UnauthorizedAccess #Persistence #TCC #Spouseware #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
👋 Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime. 

IMPORTANT: Please remember to check your spam or junk folder