New File Exclusion Added To Time Machine Via Tmutil - MacOS
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
Sigma rule (View on GitHub)
1title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
2id: 9acf45ed-3a26-4062-bf08-56857613eb52
3status: experimental
4description: |
5 Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
6 An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
9 - https://www.loobins.io/binaries/tmutil/
10author: Pratinav Chandra
11date: 2024-05-29
12tags:
13 - attack.impact
14 - attack.t1490
15logsource:
16 category: process_creation
17 product: macos
18detection:
19 selection_img:
20 - Image|endswith: '/tmutil'
21 - CommandLine|contains: 'tmutil'
22 selection_cmd:
23 CommandLine|contains: 'addexclusion'
24 condition: all of selection_*
25falsepositives:
26 - Legitimate administrator activity
27level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- All Backups Deleted Via Wbadmin.EXE
- Backup Files Deleted
- Boot Configuration Tampering Via Bcdedit.EXE
- Cisco Modify Configuration
- Copy From VolumeShadowCopy Via Cmd.EXE