Deleted Data Overwritten Via Cipher.EXE

 1title: Deleted Data Overwritten Via Cipher.EXE
 2id: 4b046706-5789-4673-b111-66f25fe99534
 3status: test
 4description: |
 5    Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
 6    Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
 7    Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
10author: frack113
11date: 2021-12-26
12modified: 2023-02-21
13tags:
14    - attack.impact
15    - attack.t1485
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - OriginalFileName: 'CIPHER.EXE'
22        - Image|endswith: '\cipher.exe'
23    selection_cli:
24        CommandLine|contains: ' /w:'
25    condition: all of selection_*
26falsepositives:
27    - Unknown
28level: medium
29regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
30simulation:
31    - type: atomic-red-team
32      name: Overwrite deleted data on C drive
33      technique: T1485
34      atomic_guid: 321fd25e-0007-417f-adec-33232252be19