Add Sigma rules and references to tmutil.yml (#208)

* Add Sigma rules and references to tmutil.yml * Add quotes to resources tmutil.yml
infosecB · Aug 31, 2024 · 1df5ff7 · 1df5ff7
1 parent 7cc0887
commit 1df5ff7
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/LOOBins/tmutil.yml b/LOOBins/tmutil.yml
@@ -57,6 +57,16 @@ paths:
 detections:
 - name: "Jamf Protect: Detect the deletion of localsnapshots"
   url: https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/tmutil_activity
+- name: "Sigma: Time Machine Backup Deletion Attempt Via Tmutil - MacOS"
+  url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml
+- name: "Sigma: Time Machine Backup Disabled Via Tmutil - MacOS"
+  url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml
+- name: "Sigma: New File Exclusion Added To Time Machine Via Tmutil - MacOS"
+  url: https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml
 resources:
 - name: mount_apfs TCC bypass and privilege escalation
   url: https://theevilbit.github.io/posts/cve_2020_9771/
+- name: "Manage Time Machine backups"
+  url: https://github.molgen.mpg.de/pages/bs/macOSnotes/mac/mac_files_tmutil.html
+- name: "Living-off-the-Land: Exploring macOS LOOBins and Crafting Detection Rules - tmutil"
+  url: https://danielcortez.substack.com/p/living-off-the-land-exploring-macos-0fd