tmutil
A tool for managing Time Machine, the native macOS backup utility.
Author: Brendan Chamberlain (@infosecB) Created: 2023-05-01
Paths
/usr/bin/tmutil

Example Use Cases

Disable Time Machine
The following command disables Time Machine. An attacker can use this to prevent backups from occurring.
tmutil disable

Delete a backup
The following command deletes the specified backup. An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
tmutil delete /path/to/backup

Restore a backup
The following command restores the specified backup. An attacker can use this to restore a backup of a sensitive file that was deleted.
tmutil restore /path/to/backup

Tamper with system logs
An adversary can use the snapshot and restore commands together to tamper with system logs. This is fixed in macOS 10.15.4+.
mkdir /tmp/snapshot
tmutil localsnapshot
tmutil listlocalsnapshots /
mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-01-090000.local /System/Volumes/Data /tmp/snapshot
open /tmp/snapshot
sudo vim /var/log/system.log
tmutil restore com.apple.TimeMachine.2023-05-01-090000.local

Exclude path from backup
An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
tmutil addexclusion /path/to/exclude
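The subcommands listed above (disable, delete, restore, addexclusion) are the ones a defender would want surfaced from process-execution telemetry, since each changes what can be recovered later. The following Python is an added detection example, not code from this page or from Apple's tmutil; the key=value event layout and the sample events are constructed for the example, and the impact strings are this example's own labels rather than anything tmutil emits.

```python
import os
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# tmutil subcommands described on this page that change what can be
# recovered later, mapped to the defender-facing impact of each
# (impact wording is this example's own, not tmutil output).
RISKY_SUBCOMMANDS: Dict[str, str] = {
    "disable": "automatic backups stopped",
    "delete": "existing backup removed",
    "restore": "files overwritten from a snapshot (possible log rollback)",
    "addexclusion": "path excluded from future backups",
}

# Constructed process-execution events in a simple key=value layout.
# They are sample data for this example, not output of any real macOS tool.
SAMPLE_EVENTS: List[str] = [
    "2023-05-01T09:00:01Z host=mac-01 user=alice cmd='/usr/bin/tmutil status'",
    "2023-05-01T09:00:12Z host=mac-01 user=alice cmd='tmutil disable'",
    "2023-05-01T09:00:40Z host=mac-01 user=alice cmd='sudo tmutil delete /Volumes/Backup/Backups.backupdb/mac-01/2023-04-30-210000'",
    "2023-05-01T09:01:05Z host=mac-01 user=alice cmd='tmutil addexclusion /Users/alice/Documents/finance'",
    "2023-05-01T09:01:30Z host=mac-01 user=alice cmd='tmutil listlocalsnapshots /'",
    "2023-05-01T09:02:10Z host=mac-01 user=root cmd='tmutil restore com.apple.TimeMachine.2023-05-01-090000.local'",
    "2023-05-01T09:02:45Z host=mac-01 user=alice cmd='ls -la /tmp'",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd='(?P<cmd>[^']*)'$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    subcommand: str
    args: List[str]
    impact: str


def tmutil_subcommand(cmd: str) -> Optional[Tuple[str, List[str]]]:
    """Return (subcommand, args) if cmd invokes tmutil, else None.

    A leading 'sudo' is skipped so 'sudo tmutil delete ...' is not missed,
    and the binary is matched by basename so '/usr/bin/tmutil' and a bare
    'tmutil' are treated alike.
    """
    argv = shlex.split(cmd)
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv or os.path.basename(argv[0]) != "tmutil":
        return None
    sub = argv[1] if len(argv) > 1 else ""
    return sub, argv[2:]


def scan_events(lines: List[str]) -> List[Finding]:
    """Parse each event line and keep only risky tmutil invocations."""
    findings: List[Finding] = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the scan
        parsed = tmutil_subcommand(m.group("cmd"))
        if parsed is None:
            continue
        sub, args = parsed
        if sub in RISKY_SUBCOMMANDS:
            findings.append(Finding(m.group("ts"), m.group("host"), m.group("user"),
                                    sub, args, RISKY_SUBCOMMANDS[sub]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per subcommand; useful for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.subcommand] = counts.get(f.subcommand, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.user}@{f.host}: tmutil {f.subcommand} "
              f"{' '.join(f.args)} -> {f.impact}")
    print(summarize(scan_events(SAMPLE_EVENTS)))
```

Read-only subcommands such as status and listlocalsnapshots are deliberately not flagged on their own, but a burst of disable, delete and addexclusion from one user in a short window, as in the sample, is the pattern worth alerting on and correlating with the backup destination's own logs.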