Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.
Sigma rule
```yaml
title: Time Machine Backup Disabled Via Tmutil - MacOS
id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
status: experimental
description: |
    Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
    An attacker can use this to prevent backups from occurring.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024/05/29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'disable'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator activity
level: medium
```
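To see exactly which process_creation events the rule fires on, here is an added example (not part of the Sigma project or this rule) that transcribes the two selections and the `all of selection_*` condition into Python and runs them over constructed events; note that the OR on `CommandLine|contains: 'tmutil'` means any command line mentioning both words matches, which is worth checking when tuning.

```python
"""Evaluate the Time Machine tmutil Sigma logic over constructed
macOS process_creation events. Added example, not the rule's own code."""

# Selections transcribed from the rule: a list is OR, a map is AND.
SELECTION_IMG = [
    {"Image|endswith": "/tmutil"},
    {"CommandLine|contains": "tmutil"},
]
SELECTION_CMD = {"CommandLine|contains": "disable"}


def _match_field(event: dict, spec: str, value: str) -> bool:
    """Apply one Sigma modifier; Sigma string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = value.lower()
    if modifier == "endswith":
        return actual.endswith(wanted)
    if modifier == "contains":
        return wanted in actual
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(event: dict, selection) -> bool:
    """List of maps: any entry may match. Map: every key must match."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return _match_selection(event, SELECTION_IMG) and _match_selection(event, SELECTION_CMD)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil disable"},     # true positive
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil enable"},      # benign, no alert
    {"Image": "/bin/sh", "CommandLine": "sh -c 'tmutil disable'"},     # caught via CommandLine
    {"Image": "/bin/echo", "CommandLine": "echo tmutil is disabled"},  # false positive
]


def triage(events) -> list:
    """Return the CommandLine of each event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for cmd in triage(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```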
Related rules
- New File Exclusion Added To Time Machine Via Tmutil - MacOS
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Delete Volume Shadow Copies Via WMI With PowerShell
- Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- Deletion of Volume Shadow Copies via WMI with PowerShell