New File Exclusion Added To Time Machine Via Tmutil - MacOS
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
Sigma rule (View on GitHub)
1title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
2id: 9acf45ed-3a26-4062-bf08-56857613eb52
3status: experimental
4description: |
5 Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
6 An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
9 - https://www.loobins.io/binaries/tmutil/
10author: Pratinav Chandra
11date: 2024/05/29
12tags:
13 - attack.impact
14 - attack.t1490
15logsource:
16 category: process_creation
17 product: macos
18detection:
19 selection_img:
20 - Image|endswith: '/tmutil'
21 - CommandLine|contains: 'tmutil'
22 selection_cmd:
23 CommandLine|contains: 'addexclusion'
24 condition: all of selection_*
25falsepositives:
26 - Legitimate administrator activity
27level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Time Machine Backup Disabled Via Tmutil - MacOS
- Delete Volume Shadow Copies Via WMI With PowerShell
- Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- Deletion of Volume Shadow Copies via WMI with PowerShell