Time Machine Backup Deletion Attempt Via Tmutil - MacOS
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
Sigma rule (View on GitHub)
1title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
2id: 452df256-da78-427a-866f-49fa04417d74
3status: experimental
4description: |
5 Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
6 An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
9 - https://www.loobins.io/binaries/tmutil/
10author: Pratinav Chandra
11date: 2024/05/29
12tags:
13 - attack.impact
14 - attack.t1490
15logsource:
16 category: process_creation
17 product: macos
18detection:
19 selection_img:
20 - Image|endswith: '/tmutil'
21 - CommandLine|contains: 'tmutil'
22 selection_cmd:
23 CommandLine|contains: 'delete'
24 condition: all of selection_*
25falsepositives:
26 - Legitimate activities
27level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- New File Exclusion Added To Time Machine Via Tmutil - MacOS
- Time Machine Backup Disabled Via Tmutil - MacOS
- Delete Volume Shadow Copies Via WMI With PowerShell
- Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- Deletion of Volume Shadow Copies via WMI with PowerShell