New File Exclusion Added To Time Machine Via Tmutil - MacOS

Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

Sigma rule (View on GitHub)

 1title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
 2id: 9acf45ed-3a26-4062-bf08-56857613eb52
 3status: experimental
 4description: |
 5    Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
 6    An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 9    - https://www.loobins.io/binaries/tmutil/
10author: Pratinav Chandra
11date: 2024-05-29
12tags:
13    - attack.impact
14    - attack.t1490
15logsource:
16    category: process_creation
17    product: macos
18detection:
19    selection_img:
20        - Image|endswith: '/tmutil'
21        - CommandLine|contains: 'tmutil'
22    selection_cmd:
23        CommandLine|contains: 'addexclusion'
24    condition: all of selection_*
25falsepositives:
26    - Legitimate administrator activity
27level: medium

References

Related rules

to-top