Added a new rule to detect tampering with Time Machine, Apple's automated backup utility software. Attackers can use this to prevent backups from occurring and hinder the victim's ability to recover from any damage.
Changelog
new: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
new: Time Machine Backup Disabled Via Tmutil - MacOS
new: New File Exclusion Added To Time Machine Via Tmutil - MacOS
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions
If your PR adds new rules, please consider following and applying these conventions
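The matching these three rules imply, run over constructed process-creation events. This is an added example, not the rule files from this PR; the `Image` and `CommandLine` field names, the mapping of `tmutil` verbs to rule titles, and all sample events are assumptions made here.

```python
import posixpath
import shlex

# Assumed mapping of tmutil verbs to the rule titles listed in the changelog.
RULES = {
    "delete": "Time Machine Backup Deletion Attempt Via Tmutil - MacOS",
    "disable": "Time Machine Backup Disabled Via Tmutil - MacOS",
    "addexclusion": "New File Exclusion Added To Time Machine Via Tmutil - MacOS",
}


def classify(event):
    """Return the matching rule title for a process-creation event, or None."""
    # Match on the executed binary, not on "tmutil" appearing anywhere in the
    # command line, so a grep over a tmutil log does not fire.
    if posixpath.basename(event.get("Image", "")) != "tmutil":
        return None
    try:
        argv = shlex.split(event.get("CommandLine", ""))
    except ValueError:  # unbalanced quotes in the logged command line
        return None
    if len(argv) < 2:
        return None
    # The verb is the first argument; exact token comparison avoids matching
    # the words "delete" or "disable" inside a path argument.
    return RULES.get(argv[1])


# Constructed sample events (not taken from a real host).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/tmutil",
     "CommandLine": "tmutil delete /Volumes/Backups/2024-01-01-000000"},
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil disable"},
    {"Image": "/usr/bin/tmutil",
     "CommandLine": "tmutil addexclusion -p '/Users/test/My Documents'"},
    {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil listbackups"},
    {"Image": "/usr/bin/grep",
     "CommandLine": "grep disable /var/log/tmutil.log"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "no match", "<-", ev["CommandLine"])
```

When `tmutil` is started through `sudo` or a shell, the child `tmutil` process produces its own process-creation event, which is the one this check keys on.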