From 69ba15412b34fcd921760f8e9c5d089837366228 Mon Sep 17 00:00:00 2001
From: iamtutu <adetutuogunsowo@gmail.com>
Date: Fri, 22 Nov 2024 13:03:25 -0500
Subject: [PATCH] Cipher added

---
 yml/OSBinaries/cipher.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 yml/OSBinaries/cipher.yml

diff --git a/yml/OSBinaries/cipher.yml b/yml/OSBinaries/cipher.yml
new file mode 100644
index 0000000..aaeefe1
--- /dev/null
+++ b/yml/OSBinaries/cipher.yml
@@ -0,0 +1,28 @@
+---
+Name: Cipher.exe
+Description: Windows binary can be used to overwrite deleted data in Windows direoctry and volume
+Aliases:  # Optional field if any common aliases exist of the binary with nearly the same functionality,
+  - Alias:
+Author: Adetutu Ogunsowo 
+Created: 2024-11-22 # YYYY-MM-DD (date the person created this file)
+Commands:
+  - Command: cipher /w:<directory> 
+    Description: Causes all deallocated space on <idrectory> to be overwritten
+    Usecase: Attacker wants to permanently delete their artefacts, evidence, logs etc. and cannot be retrived by forensics means
+    Category: Encode
+    Privileges: User
+    MitreID:  T1485.001
+    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+Full_Path:
+  - Path: c:\windows\system32\cipher.exe
+  - Path: c:\windows\syswow64\cipher.exe
+Code_Sample:
+  - Code: 
+Detection:
+  - IOC: Event ID 10
+  - IOC: cipher.exe spawned
+Resources:
+  - Link: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
+Acknowledgement:
+  - Person: Ade Ogunsowo
+    Handle: '@i_am_tutu'
\ No newline at end of file