Time Machine Backup Deletion Attempt Via Tmutil - MacOS

Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.

Sigma rule (View on GitHub)

 1title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
 2id: 452df256-da78-427a-866f-49fa04417d74
 3status: experimental
 4description: |
 5    Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
 6    An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 9    - https://www.loobins.io/binaries/tmutil/
10author: Pratinav Chandra
11date: 2024-05-29
12tags:
13    - attack.impact
14    - attack.t1490
15logsource:
16    category: process_creation
17    product: macos
18detection:
19    selection_img:
20        - Image|endswith: '/tmutil'
21        - CommandLine|contains: 'tmutil'
22    selection_cmd:
23        CommandLine|contains: 'delete'
24    condition: all of selection_*
25falsepositives:
26    - Legitimate activities
27level: medium

References

Related rules

to-top