tmutil

Created by Brendan Chamberlain (@infosecb)

Description

A tool for managing Time Machine, the native macOS backup utility.

Created: 2023-05-01
Tactics: Impact, Collection, Privilege Escalation, Defense Evasion
Tags: backup, delete, restore, unprivileged

Paths

  • /usr/bin/tmutil

Use Cases

Disable Time Machine

The following command disables Time Machine. An attacker can use this to prevent backups from occurring.

tmutil disable

Delete a backup

The following command deletes the specified backup. An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.

tmutil delete /path/to/backup

Restore a backup

The following command restores the specified backup. An attacker can use this to restore a backup of a sensitive file that was deleted.

tmutil restore /path/to/backup

Tamper with system logs

An adversary can use the snapshot and restore commands together to tamper with system logs. This is fixed in macOS 10.15.4 and later.

mkdir /tmp/snapshot
tmutil localsnapshot
tmutil listlocalsnapshots /
mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-01-090000.local /System/Volumes/Data /tmp/snapshot
open /tmp/snapshot
sudo vim /var/log/system.log
tmutil restore com.apple.TimeMachine.2023-05-01-090000.local

Exclude path from backup

An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

tmutil addexclusion /path/to/exclude

Detections
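
The following is an added detection example, not part of the original LOOBins entry. It flags the tmutil subcommands described in the use cases above (disable, delete, addexclusion, and a restore that follows a localsnapshot) when run over process-execution log lines. The log format ("timestamp uid=N command args") and the sample lines are constructed for this example; real unified-log or EDR output will differ and the field positions must be adapted.

```shell
#!/bin/sh
# Added example (not from the LOOBins page): flag tmutil invocations that
# match the use cases listed above. Assumes a hypothetical log format of
# "<timestamp> uid=<n> <binary> <subcommand> [args...]", one event per line.

# Constructed sample process-execution log (hypothetical format and values).
SAMPLE_LOG='2023-05-01T09:00:01Z uid=501 /usr/bin/tmutil disable
2023-05-01T09:00:05Z uid=501 /usr/bin/tmutil listlocalsnapshots /
2023-05-01T09:00:07Z uid=501 /usr/bin/tmutil addexclusion /Users/alice/Documents/reports
2023-05-01T09:00:09Z uid=0 /usr/bin/tmutil delete /Volumes/Backup/Backups.backupdb/host/2023-04-30-120000
2023-05-01T09:00:12Z uid=501 /usr/bin/tmutil localsnapshot
2023-05-01T09:01:00Z uid=0 /usr/bin/tmutil restore com.apple.TimeMachine.2023-05-01-090000.local
2023-05-01T09:02:00Z uid=501 /bin/ls -la /tmp'

# Read log lines on stdin; print one alert line per high-signal tmutil event.
# A restore is only called out as suspicious when a localsnapshot preceded it
# in the same log, matching the snapshot-then-restore tampering sequence above.
flag_tmutil_events() {
    awk '
        $3 ~ /(^|\/)tmutil$/ {
            sub_cmd = $4
            if (sub_cmd == "disable")
                print $1, $2, "ALERT tmutil disable: Time Machine backups turned off"
            else if (sub_cmd == "delete")
                print $1, $2, "ALERT tmutil delete: backup removed ->", $5
            else if (sub_cmd == "addexclusion")
                print $1, $2, "ALERT tmutil addexclusion: path excluded from backups ->", $5
            else if (sub_cmd == "localsnapshot")
                saw_snapshot = 1
            else if (sub_cmd == "restore" && saw_snapshot)
                print $1, $2, "ALERT tmutil restore after localsnapshot: possible snapshot-based tampering ->", $5
        }'
}

# Convenience wrapper: run the detector over the constructed sample log.
flag_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" | flag_tmutil_events
}

# Number of alerts produced for the sample log (whitespace stripped so the
# value compares cleanly as an integer on both GNU and BSD wc).
count_sample_alerts() {
    flag_sample_log | wc -l | tr -d ' '
}

flag_sample_log
```

Pipe real process-execution events into flag_tmutil_events after adjusting the awk field numbers to your log format; the snapshot/restore pairing is only meaningful on hosts older than macOS 10.15.4, where the page notes the tampering technique still works.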

Resources