Sigma rules for cipher.exe
1 rules · scoped to tool · back to cipher.exe
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Deleted Data Overwritten Via Cipher.EXE
id: 4b046706-5789-4673-b111-66f25fe99534
status: test
description: |
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
author: frack113
date: 2021-12-26
modified: 2023-02-21
tags:
- attack.impact
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'CIPHER.EXE'
- Image|endswith: '\cipher.exe'
selection_cli:
CommandLine|contains: ' /w:'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
simulation:
- type: atomic-red-team
name: Overwrite deleted data on C drive
technique: T1485
atomic_guid: 321fd25e-0007-417f-adec-33232252be19