Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine, Apple's automated backup utility, via its native command-line tool tmutil (`tmutil disable`). An attacker can run this to stop further backups, typically ahead of destructive activity, so that the system cannot be recovered from a recent backup.
Sigma rule
title: Time Machine Backup Disabled Via Tmutil - MacOS
id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
status: test
description: |
    Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
    An attacker can use this to prevent backups from occurring.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'disable'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator activity
level: medium
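The detection block reads as follows: `selection_img` is a YAML list of maps, so it is an OR (the executable path ends in `/tmutil`, or the command line mentions `tmutil`); `selection_cmd` requires the substring `disable`; `all of selection_*` ANDs the two. The evaluator below is an added example, not the rule's own code or SigmaHQ tooling, and the process_creation events it runs over are constructed, not real telemetry. It reproduces the relevant Sigma semantics (list-of-maps = OR, map = AND, case-insensitive string modifiers) so you can see which command lines the rule catches and where substring matching over-triggers.

```python
"""Added example (not part of the Sigma rule or SigmaHQ tooling): a minimal evaluator
for the detection block above, run over constructed macOS process_creation events."""

# The rule's detection section, transcribed into Python. Sigma semantics used here:
#   - a selection that is a list of maps is an OR over the items;
#   - a selection that is a map is an AND over its keys (a list value is an OR of values);
#   - a key is "Field|modifier"; string matching is case-insensitive by default.
DETECTION = {
    "selection_img": [
        {"Image|endswith": "/tmutil"},
        {"CommandLine|contains": "tmutil"},
    ],
    "selection_cmd": {
        "CommandLine|contains": "disable",
    },
}
# condition: all of selection_*  -> every selection_* block must match


def _field_matches(event, key, wanted):
    """Match one 'Field|modifier: value' pair against an event (case-insensitive)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = str(wanted).lower()
    if modifier == "":
        return actual == wanted
    if modifier == "contains":
        return wanted in actual
    if modifier == "startswith":
        return actual.startswith(wanted)
    if modifier == "endswith":
        return actual.endswith(wanted)
    raise ValueError(f"unsupported modifier: {modifier!r}")


def _selection_matches(event, selection):
    """Evaluate one selection block against an event."""
    if isinstance(selection, list):                    # list of maps: OR
        return any(_selection_matches(event, item) for item in selection)
    for key, value in selection.items():               # map: AND over keys
        values = value if isinstance(value, list) else [value]
        if not any(_field_matches(event, key, v) for v in values):
            return False
    return True


def rule_matches(event, detection=DETECTION):
    """condition: all of selection_*"""
    selections = [s for name, s in detection.items() if name.startswith("selection_")]
    return all(_selection_matches(event, s) for s in selections)


# Constructed process_creation events (not real logs). Image is the executable path and
# CommandLine the full command line, the two fields the rule inspects.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil disable"},
    {"Image": "/usr/bin/sudo",   "CommandLine": "sudo tmutil disable"},
    {"Image": "/bin/zsh",        "CommandLine": "zsh -c 'tmutil disable'"},
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil enable"},
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil listbackups"},
    {"Image": "/usr/bin/grep",   "CommandLine": "grep -r 'tmutil disable' /var/log"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {CommandLine: matched?} for each event."""
    return {e["CommandLine"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for cmdline, hit in evaluate().items():
        print(f"{'ALERT' if hit else '     '}  {cmdline}")
```

Two things the run makes visible. First, `tmutil disable` requires root, so in practice it arrives wrapped in `sudo` or a shell; the `CommandLine|contains: 'tmutil'` branch is what catches those events, since the parent process image is `sudo` or `zsh`, not `tmutil`. Second, `contains: 'disable'` is a plain substring test, so a `grep` over logs for the string, or any other command line carrying both words, triggers the rule; that is the "legitimate administrator activity" false positive the rule declares, and a reasonable tuning is to require the image to end in `/tmutil` or the command line to contain the two words as adjacent tokens.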
Related rules
- File Recovery From Backup Via Wbadmin.EXE
- New File Exclusion Added To Time Machine Via Tmutil - MacOS
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Backup Files Deleted
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load