Time Machine Backup Disabled Via Tmutil - MacOS

Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.

Sigma rule (View on GitHub)

 1title: Time Machine Backup Disabled Via Tmutil - MacOS
 2id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
 3status: experimental
 4description: |
 5    Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
 6    An attacker can use this to prevent backups from occurring.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 9    - https://www.loobins.io/binaries/tmutil/
10author: Pratinav Chandra
11date: 2024-05-29
12tags:
13    - attack.impact
14    - attack.t1490
15logsource:
16    category: process_creation
17    product: macos
18detection:
19    selection_img:
20        - Image|endswith: '/tmutil'
21        - CommandLine|contains: 'tmutil'
22    selection_cmd:
23        CommandLine|contains: 'disable'
24    condition: all of selection_*
25falsepositives:
26    - Legitimate administrator activity
27level: medium

References

Related rules

to-top