2024-11-22 13:03:25 -05:00
|
|
|
---
|
|
|
|
|
Name: Cipher.exe
|
2024-11-22 13:25:50 -05:00
|
|
|
Description: Windows binary can be used to overwrite deleted data in Windows directory and volume
|
2024-11-22 13:12:25 -05:00
|
|
|
Author: Adetutu Ogunsowo
|
2024-11-22 13:03:25 -05:00
|
|
|
Created: 2024-11-22 # YYYY-MM-DD (date the person created this file)
|
|
|
|
|
Commands:
|
|
|
|
|
- Command: cipher /w:<directory>
|
|
|
|
|
Description: Causes all deallocated space on <idrectory> to be overwritten
|
|
|
|
|
Usecase: Attacker wants to permanently delete their artefacts, evidence, logs etc. and cannot be retrived by forensics means
|
|
|
|
|
Category: Encode
|
|
|
|
|
Privileges: User
|
2024-11-22 13:25:50 -05:00
|
|
|
MitreID: T1485.001
|
2024-11-22 13:03:25 -05:00
|
|
|
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
|
|
|
|
Full_Path:
|
|
|
|
|
- Path: c:\windows\system32\cipher.exe
|
|
|
|
|
- Path: c:\windows\syswow64\cipher.exe
|
|
|
|
|
Detection:
|
|
|
|
|
- IOC: cipher.exe spawned
|
|
|
|
|
Resources:
|
|
|
|
|
- Link: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
|
|
|
|
|
Acknowledgement:
|
|
|
|
|
- Person: Ade Ogunsowo
|
|
|
|
|
Handle: '@i_am_tutu'
|
