Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.
Sigma rule
title: Time Machine Backup Disabled Via Tmutil - MacOS
id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
status: experimental
description: |
  Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
  An attacker can use this to prevent backups from occurring.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
  - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: macos
detection:
  selection_img:
    - Image|endswith: '/tmutil'
    - CommandLine|contains: 'tmutil'
  selection_cmd:
    CommandLine|contains: 'disable'
  condition: all of selection_*
falsepositives:
  - Legitimate administrator activity
level: medium
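To show how the rule's two selections and its "all of" condition behave on process_creation telemetry, here is an added Python example (not part of the Sigma project or of this rule) that evaluates the detection logic over constructed sample events; the helper names and the sample events are my own, and string matching is treated as case-insensitive, which is Sigma's default.

```python
# Constructed sample process_creation events (not real telemetry). Field names
# follow the Sigma process_creation taxonomy used by the rule above.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil disable"},
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil enable"},
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil startbackup"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'tmutil disable'"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'tmutil DISABLE'"},
    {"Image": "/usr/bin/defaults", "CommandLine": "defaults write com.example disable 1"},
]


def _endswith(value: str, suffix: str) -> bool:
    # Sigma 'endswith' modifier; comparisons are case-insensitive by default.
    return value.lower().endswith(suffix.lower())


def _contains(value: str, needle: str) -> bool:
    # Sigma 'contains' modifier; case-insensitive substring match.
    return needle.lower() in value.lower()


def selection_img(event: dict) -> bool:
    # A list of maps under a selection is OR-ed: either the image path ends
    # with /tmutil, or the command line mentions tmutil (e.g. via a shell).
    return (_endswith(event.get("Image", ""), "/tmutil")
            or _contains(event.get("CommandLine", ""), "tmutil"))


def selection_cmd(event: dict) -> bool:
    # Narrows to the 'disable' verb; 'enable' and 'startbackup' do not match.
    return _contains(event.get("CommandLine", ""), "disable")


def rule_matches(event: dict) -> bool:
    # condition: all of selection_*  -> every selection must hold.
    return selection_img(event) and selection_cmd(event)


def evaluate(events: list) -> list:
    # Return the command lines of the events that trigger the rule.
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The last sample event shows why the condition is "all of": a command line containing "disable" alone does not fire unless the tmutil selection also holds.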
Related rules
- All Backups Deleted Via Wbadmin.EXE
- Backup Files Deleted
- Boot Configuration Tampering Via Bcdedit.EXE
- Cisco Modify Configuration
- Copy From VolumeShadowCopy Via Cmd.EXE