From f92708015b5f4ce1a19e493e7c64f4bad2761351 Mon Sep 17 00:00:00 2001 From: iamtutu Date: Fri, 22 Nov 2024 13:25:50 -0500 Subject: [PATCH] Cipher.YML updated --- yml/OSBinaries/{cipher.yml => Cipher.yml} | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) rename yml/OSBinaries/{cipher.yml => Cipher.yml} (87%) diff --git a/yml/OSBinaries/cipher.yml b/yml/OSBinaries/Cipher.yml similarity index 87% rename from yml/OSBinaries/cipher.yml rename to yml/OSBinaries/Cipher.yml index 20e4073..2158f9c 100644 --- a/yml/OSBinaries/cipher.yml +++ b/yml/OSBinaries/Cipher.yml @@ -1,6 +1,6 @@ --- Name: Cipher.exe -Description: Windows binary can be used to overwrite deleted data in Windows direoctry and volume +Description: Windows binary can be used to overwrite deleted data in Windows directory and volume Author: Adetutu Ogunsowo Created: 2024-11-22 # YYYY-MM-DD (date the person created this file) Commands: @@ -9,15 +9,12 @@ Commands: Usecase: Attacker wants to permanently delete their artefacts, evidence, logs etc. and cannot be retrived by forensics means Category: Encode Privileges: User - MitreID: T1485.001 + MitreID: T1485.001 OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\cipher.exe - Path: c:\windows\syswow64\cipher.exe -Code_Sample: - - Code: Detection: - - IOC: Event ID 10 - IOC: cipher.exe spawned Resources: - Link: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
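Review bot: In the first hunk (`@@ -1,6 +1,6 @@`), the corrected `Description` line fixes "direoctry" but still reads as a fragment; something like "Windows binary that can overwrite deleted data in a directory or volume" would be clearer. The unchanged `Created` line also still carries the template comment `# YYYY-MM-DD (date the person created this file)`, which should be dropped before merge. The rename from `cipher.yml` to `Cipher.yml` changes only the case of the file name, so it is worth confirming it lands as a rename and not as a second file on case-insensitive checkouts.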
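Review bot: In the second hunk (`@@ -9,15 +9,12 @@`), `Category: Encode` does not match the `Usecase`, which describes permanently deleting artefacts, evidence and logs, nor the data-destruction `MitreID` next to it; please pick the category that reflects overwriting or destroying data. The `Usecase` context line still has the typo "retrived" and could be reworded to "so that they cannot be retrieved by forensic means". The `MitreID` change appears to be whitespace only, so check that the resulting indentation matches the sibling keys under the command entry. After removing `IOC: Event ID 10`, the only remaining detection is `cipher.exe spawned`, which will also match ordinary use of the binary; consider tying the IOC to the command-line arguments given in the `Commands` entry.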