From f8b06c611f4cf1da1cb02b46c1f80e7bd03c4c26 Mon Sep 17 00:00:00 2001 From: iamtutu Date: Sat, 26 Apr 2025 15:42:34 -0400 Subject: [PATCH] Added Cipher (#410) Co-authored-by: Wietze --- yml/OSBinaries/Cipher.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 yml/OSBinaries/Cipher.yml diff --git a/yml/OSBinaries/Cipher.yml b/yml/OSBinaries/Cipher.yml new file mode 100644 index 0000000..d11f57e --- /dev/null +++ b/yml/OSBinaries/Cipher.yml @@ -0,0 +1,23 @@ +--- +Name: Cipher.exe +Description: File Encryption Utility +Author: Adetutu Ogunsowo +Created: 2024-11-22 +Commands: + - Command: cipher /w:{PATH_ABSOLUTE:folder} + Description: Zero out a file + Usecase: Can be used to forensically erase a file + Category: Tamper + Privileges: User + MitreID: T1485 + OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\cipher.exe + - Path: c:\windows\syswow64\cipher.exe +Detection: + - IOC: cipher.exe process with /w on the command line +Resources: + - Link: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/ +Acknowledgement: + - Person: Ade Ogunsowo + Handle: "@i_am_tutu"
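Review bot: The Description ("Zero out a file") and Usecase ("forensically erase a file") in the Commands block do not match the command they document: the placeholder is `{PATH_ABSOLUTE:folder}`, and `cipher /w:<directory>` does not touch a named file at all; it overwrites the deallocated (free) space of the volume that contains the given directory, so the effect is destroying previously deleted data rather than wiping a chosen file. Suggest rewording to something like `Description: Overwrite deallocated data on the volume containing the given folder` and `Usecase: Can be used to destroy previously deleted data so it cannot be forensically recovered`, which keeps the Category `Tamper` and MitreID `T1485` consistent with what the switch actually does. Two smaller points in the same hunk: the Detection IOC `cipher.exe process with /w on the command line` should say the match is case-insensitive (`/W:` is accepted as well), and the `Created` date `2024-11-22` is the date of the linked Volexity post rather than of this entry, which is worth checking against how other entries in `yml/OSBinaries` use that field.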