Living-off-the-Land: Exploring macOS LOOBins and Crafting Detection Rules - tmutil
Exploring lesser known Living-off-the-Orchard Binaries and creating Sigma rules for detection
LOL Overview
For an overview of Living-off-the-Land/Living-off-the-Orchard, see my post here
tmutil
The ‘tmutil’ binary (/usr/bin/tmutil) is the command line interface to Time Machine, the native macOS backup utility.
Normal Usage
macOS users can use Time Machine (or the command line tool ‘tmutil’) to capture and schedule system backups onto destinations such as external USB or Thunderbolt drives, and to restore from a previously captured backup.
Misuse
The ‘tmutil’ binary can be used by an attacker to disable Time Machine, delete existing backups and local snapshots, and exclude chosen paths from future backups, removing the recovery options a victim would otherwise rely on.
Example Commands
To view available usage options, run:
tmutil -h
It should return something like this (not all options are included in this screenshot):
System (Backup Config) Discovery
Before an attacker starts deleting backups or performing other “Impact” actions, they will most likely run some “System Discovery” type commands to identify backup information. Some examples would be:
To identify the configured backup destination(s) -
tmutil destinationinfo
To show the available backups -
tmutil listbackups
To show the local snapshots on a volume (Time Machine creates “local snapshots” on the system volume, for example when the backup destination is unavailable, and syncs them to the destination the next time one is available) -
tmutil listlocalsnapshots /mount_point
Impact
Once information about the backups is discovered, an attacker could begin using “Impact” techniques on the system. Note that several of these verbs (for example ‘disable’ and ‘delete’) require root privileges, so in practice they are run with sudo.
To simply disable the Time Machine utility -
tmutil disable
To exclude a path from being backed up -
tmutil addexclusion /path/to/exclude
To delete available backups -
tmutil delete /path/to/backup
To delete available local snapshots -
tmutil deletelocalsnapshots /mount_point
Detection Opportunities
There were previously no existing Sigma Rules to detect this behavior with the ‘tmutil’ binary. To help out with this, I went ahead and crafted 2 different Sigma Rules to contribute to the Master Repository. Note: My contributions are currently pending - I’ll update this post with the final link. Here are the draft detection rules:
System (Backup Config) Discovery
title: Potential Time Machine Utility System Discovery
id: 7ee7a612-2e10-4696-8c8e-042af41e24ce
status: experimental
description: Detects execution of the LOOBin tmutil to identify backup information
references:
    - https://www.loobins.io/binaries/tmutil/
    - https://github.molgen.mpg.de/pages/bs/macOSnotes/mac/mac_files_tmutil.html
author: Daniel Cortez
date: 2024/04/16
tags:
    - attack.discovery
    - attack.impact
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/tmutil'
        CommandLine|contains:
            - 'destinationinfo'
            - 'listbackups'
            - 'listlocalsnapshots'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
This rule is looking for:
Process Creation events
on macOS
Using the ‘tmutil’ binary
With any of the ‘destinationinfo’, ‘listbackups’ or ‘listlocalsnapshots’ options in the command line
Since these activities could be carried out legitimately by a user or administrator, that is noted under the false positives section. The rule also depends on a log source that records process creation events with command lines on macOS (typically an EDR or other Endpoint Security based agent), since macOS does not log process executions to the unified log by default.
Impact
title: Potential Time Machine Utility Impact Backups
id: 4907f471-1883-4729-ab97-e724a1440baf
status: experimental
description: Detects execution of the LOOBin tmutil to impact backups
references:
    - https://www.loobins.io/binaries/tmutil/
    - https://theevilbit.github.io/posts/cve_2020_9771/
author: Daniel Cortez
date: 2024/04/15
tags:
    - attack.defense_evasion
    - attack.impact
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/tmutil'
        CommandLine|contains:
            - 'disable'
            - 'addexclusion'
            - 'delete'
            - 'deletelocalsnapshots'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
This rule is looking for:
Process Creation events
on macOS
Using the ‘tmutil’ binary
With any of the ‘disable’, ‘addexclusion’, ‘delete’ or ‘deletelocalsnapshots’ options in the command line
As with the previous rule, false positives are possible since these activities could be carried out legitimately by a user or administrator. Note also that ‘delete’ is a substring of ‘deletelocalsnapshots’, so the last list entry is already covered by the ‘delete’ match and is kept only for readability. Because the selection is keyed on the ‘Image’ field, a ‘sudo tmutil disable’ invocation is matched on the child tmutil process creation event rather than on the sudo event itself.
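To make the matching behavior of the two rules concrete, here is an added example (not the post’s own code) that transcribes both selections and evaluates them the way a Sigma backend would, over constructed macOS process_creation events. The field names ‘Image’, ‘CommandLine’ and ‘ParentImage’ follow the Sigma process_creation taxonomy; the sample events are made up and shaped like what an Endpoint Security based sensor would emit for the commands discussed above.

```python
"""Evaluate the post's two tmutil Sigma rules against constructed macOS
process_creation events.  Added example, not the original post's code; the
event field names follow the Sigma process_creation taxonomy and the sample
events below are constructed, not captured."""

# Selections transcribed from the two rules.  In Sigma, the key/value pairs
# inside one selection map are AND-ed, list values are OR-ed, and string
# comparisons are case-insensitive.
RULES = {
    "Potential Time Machine Utility System Discovery": {
        "Image|endswith": ["/tmutil"],
        "CommandLine|contains": ["destinationinfo", "listbackups", "listlocalsnapshots"],
    },
    "Potential Time Machine Utility Impact Backups": {
        "Image|endswith": ["/tmutil"],
        "CommandLine|contains": ["disable", "addexclusion", "delete", "deletelocalsnapshots"],
    },
}


def field_matches(value, modifier, patterns):
    """Apply one Sigma string modifier; any pattern in the list may match (OR)."""
    v = str(value).lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:  # no modifier means exact match
            return True
    return False


def selection_matches(event, selection):
    """Every field in the selection map must match (AND); a missing field fails."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(event[field], modifier, patterns):
            return False
    return True


def matching_rules(event):
    """Titles of the rules whose (single) selection matches the event."""
    return [title for title, sel in RULES.items() if selection_matches(event, sel)]


def redundant_contains_patterns(patterns):
    """A 'contains' pattern that itself contains a shorter list-mate can never add
    a match: in the impact rule 'deletelocalsnapshots' is already covered by 'delete'."""
    lowered = [p.lower() for p in patterns]
    return [p for p in patterns
            if any(o != p.lower() and o in p.lower() for o in lowered)]


# Constructed events for the discovery and impact commands from the post.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/tmutil", "ParentImage": "/bin/zsh",
     "CommandLine": "tmutil destinationinfo"},
    {"Image": "/usr/bin/tmutil", "ParentImage": "/bin/zsh",
     "CommandLine": "tmutil listlocalsnapshots /"},
    # sudo's own exec event: Image is sudo, so neither rule fires on it...
    {"Image": "/usr/bin/sudo", "ParentImage": "/bin/zsh",
     "CommandLine": "sudo tmutil disable"},
    # ...but the child tmutil process it spawns produces its own event, which does.
    {"Image": "/usr/bin/tmutil", "ParentImage": "/usr/bin/sudo",
     "CommandLine": "tmutil disable"},
    {"Image": "/usr/bin/tmutil", "ParentImage": "/usr/bin/sudo",
     "CommandLine": "tmutil deletelocalsnapshots /"},
    # Legitimate administration still matches: this is the documented false positive.
    {"Image": "/usr/bin/tmutil", "ParentImage": "/bin/zsh",
     "CommandLine": "tmutil addexclusion -p /Users/alice/VMs"},
    # A tmutil verb that is in neither list.
    {"Image": "/usr/bin/tmutil", "ParentImage": "/bin/zsh",
     "CommandLine": "tmutil status"},
]


def evaluate_samples(events=SAMPLE_EVENTS):
    """Map each sample command line to the list of rule titles it triggers."""
    return {e["CommandLine"]: matching_rules(e) for e in events}


if __name__ == "__main__":
    for cmd, hits in evaluate_samples().items():
        print(f"{cmd!r:45} -> {hits or ['no match']}")
    impact = RULES["Potential Time Machine Utility Impact Backups"]["CommandLine|contains"]
    print("redundant impact patterns:", redundant_contains_patterns(impact))
```

Running the script prints one line per sample event showing which rule (if any) fired, and then the redundant ‘deletelocalsnapshots’ pattern. The sudo case is the one worth internalizing when tuning: the parent event never matches, so a sensor that only records the first process in a sudo chain would miss the activity entirely.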