
Summary
This detection rule identifies attempts to delete macOS Time Machine backups with the built-in utility 'tmutil'. 'tmutil' is the standard tool for managing Time Machine backups, so its presence alone is benign; combined with specific commands, however, its use can indicate malicious activity. Adversaries may delete backups before executing ransomware so that victims cannot recover their encrypted files. The detection therefore monitors process creations in which the executable is 'tmutil' and the command line indicates a deletion action. An alert fires only when multiple conditions on the use of 'tmutil' are met, which makes the rule more resilient to false positives from legitimate operations. The rule also includes references that give further insight into the methods attackers use to disable Time Machine and the implications of doing so.
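The following is an added illustration of the matching logic the summary describes, not the rule's own query or any vendor's code. It applies two conditions to each process-creation event (the executable is 'tmutil' and the command-line verb is 'delete') and runs them over a few constructed events. The event field names, the sample paths and the parent processes are assumptions made for the example; the alert dictionary carries the technique id stated on this page.

```python
"""Toy matcher for the 'tmutil delete' process-creation pattern (added example, not the rule itself)."""
import os
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record; the field names are assumptions, not a real sensor schema."""
    pid: int
    parent_image: str
    image: str          # full path of the executable that started
    command_line: str   # command line as observed by the sensor


def _argv(command_line: str) -> list[str]:
    """Split a command line as a shell would; fall back to whitespace splitting on unbalanced quotes."""
    try:
        return shlex.split(command_line)
    except ValueError:
        return command_line.split()


def is_tmutil_backup_deletion(event: ProcessEvent) -> bool:
    """True when the new process is tmutil AND its first argument is the 'delete' verb.

    Both conditions are required: matching only the substring 'delete' would also fire on
    unrelated tools such as grep, and matching only the image would fire on benign
    'tmutil status' or 'tmutil listbackups' calls.
    """
    # Compare on the basename so the rule holds regardless of the path the sensor reports.
    if os.path.basename(event.image) != "tmutil":
        return False
    argv = _argv(event.command_line)
    if not argv or os.path.basename(argv[0]) != "tmutil":
        return False
    # tmutil takes its verb as the first argument; any further arguments name the backup.
    return len(argv) > 1 and argv[1] == "delete"


def detect(events: list[ProcessEvent]) -> list[dict]:
    """Return one alert record per matching event, with the context an analyst needs for triage."""
    alerts = []
    for event in events:
        if is_tmutil_backup_deletion(event):
            alerts.append({
                "pid": event.pid,
                "parent": event.parent_image,
                "command_line": event.command_line,
                "technique": "T1490",   # Inhibit System Recovery, as listed on this page
            })
    return alerts


# Constructed sample events (not real telemetry). Paths and timestamps are made up.
SAMPLE_EVENTS = [
    ProcessEvent(101, "/bin/zsh", "/usr/bin/tmutil",
                 'tmutil delete "/Volumes/Backups/Backups.backupdb/host/2024-05-01-120000"'),
    ProcessEvent(102, "/bin/zsh", "/usr/bin/tmutil", "tmutil listbackups"),          # benign verb
    ProcessEvent(103, "/bin/bash", "/usr/bin/grep", "grep delete /tmp/notes.txt"),   # wrong image
    ProcessEvent(104, "/bin/sh", "/usr/bin/tmutil",
                 "tmutil delete -d /Volumes/Backups -t 2024-05-01-120000"),
    # Unbalanced quote: shlex raises, the whitespace fallback still recovers the verb.
    ProcessEvent(105, "/bin/zsh", "/usr/bin/tmutil",
                 'tmutil delete "/Volumes/Backups/My Backup'),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints alerts for events 101, 104 and 105 only; the 'listbackups' call and the grep invocation do not match because each satisfies just one of the two conditions.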
Categories
- macOS
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1490
Created: 2024-05-29