Deleted Data Overwritten Via Cipher.EXE
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
Sigma rule (View on GitHub)
1title: Deleted Data Overwritten Via Cipher.EXE
2id: 4b046706-5789-4673-b111-66f25fe99534
3status: test
4description: |
5 Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
6 Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
7 Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
10author: frack113
11date: 2021/12/26
12modified: 2023/02/21
13tags:
14 - attack.impact
15 - attack.t1485
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - OriginalFileName: 'CIPHER.EXE'
22 - Image|endswith: '\cipher.exe'
23 selection_cli:
24 CommandLine|contains: ' /w:'
25 condition: all of selection_*
26falsepositives:
27 - Unknown
28level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Potential File Overwrite Via Sysinternals SDelete
- Renamed Sysinternals Sdelete Execution
- DD File Overwrite
- AWS EFS Fileshare Mount Modified or Deleted
- AWS EKS Cluster Created or Deleted