public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-01-15 00:01:18 +01:00
Code Issues Projects Releases Wiki Activity

Cipher added

Browse Source
This commit is contained in:
iamtutu 2024-11-22 13:03:25 -05:00 committed by GitHub
parent baaa5bbc73
commit 69ba15412b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
yml/OSBinaries/cipher.yml Normal file
View File

@ -0,0 +1,28 @@
---
Name: Cipher.exe
Description: Windows binary can be used to overwrite deleted data in Windows direoctry and volume
Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality,
- Alias:
Author: Adetutu Ogunsowo
Created: 2024-11-22 # YYYY-MM-DD (date the person created this file)
Commands:
- Command: cipher /w:<directory>
Description: Causes all deallocated space on <idrectory> to be overwritten
Usecase: Attacker wants to permanently delete their artefacts, evidence, logs etc. and cannot be retrived by forensics means
Category: Encode
Privileges: User
MitreID: T1485.001
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: c:\windows\system32\cipher.exe
- Path: c:\windows\syswow64\cipher.exe
Code_Sample:
- Code:
Detection:
- IOC: Event ID 10
- IOC: cipher.exe spawned
Resources:
- Link: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
Acknowledgement:
- Person: Ade Ogunsowo
Handle: '@i_am_tutu'