Deletion of data on multiple drives using cipher.exe
This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | 9001000 | Process activity (any) |
Stages and Predicates
| Stage | Operator | Predicate |
|---|---|---|
| 1 | source | DeviceProcessEvents |
| 2 | where | FileName eq "cipher.exe" |
| 3 | where | ProcessCommandLine match "/w" |
| 4 | summarize | |
| 5 | where | CipherCount gt "1" |
| 6 | extend | |
| 7 | extend | |
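The stage pipeline above, replayed in Python over constructed sample rows so the filter and threshold logic can be checked offline. This is an added illustration, not the catalog's own query: the summarize stage is not spelled out on this page, so the example assumes CipherCount is the number of distinct drive letters wiped per device, and it narrows the "/w" match to the `/w:<drive>:` form that `cipher.exe` uses to overwrite free space on a volume.

```python
import re
from collections import defaultdict

# Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "cipher.exe", "ProcessCommandLine": "cipher.exe /w:C:\\"},
    {"DeviceName": "ws01", "FileName": "cipher.exe", "ProcessCommandLine": "cipher.exe /w:D:\\"},
    {"DeviceName": "ws01", "FileName": "CIPHER.EXE", "ProcessCommandLine": "CIPHER.EXE /W:e:\\"},
    {"DeviceName": "ws02", "FileName": "cipher.exe", "ProcessCommandLine": "cipher.exe /w:C:\\Users\\admin"},
    {"DeviceName": "ws02", "FileName": "cipher.exe", "ProcessCommandLine": "cipher.exe /w:C:\\Temp"},
    {"DeviceName": "ws03", "FileName": "cipher.exe", "ProcessCommandLine": "cipher.exe /e /s:C:\\Secret"},
    {"DeviceName": "ws04", "FileName": "notepad.exe", "ProcessCommandLine": "notepad.exe /w:D:\\"},
]

# cipher /w:<path> overwrites free space on the volume holding <path>;
# the drive letter is what the summarize stage is assumed to count.
WIPE_ARG = re.compile(r"/w:\s*([A-Za-z]):", re.IGNORECASE)


def cipher_wipe_drives(events):
    """Stages 2-4: keep cipher.exe /w events and collect distinct wiped drives per device."""
    drives = defaultdict(set)
    for ev in events:
        # Stage 2: FileName eq "cipher.exe" (compared case-insensitively here)
        if ev["FileName"].lower() != "cipher.exe":
            continue
        # Stage 3: ProcessCommandLine match "/w" (narrowed to the /w:<drive>: form)
        m = WIPE_ARG.search(ev["ProcessCommandLine"])
        if not m:
            continue
        # Stage 4 (assumed): summarize distinct drive letters by DeviceName
        drives[ev["DeviceName"]].add(m.group(1).upper())
    return drives


def detect_multi_drive_wipe(events, threshold=1):
    """Stage 5: CipherCount gt threshold -> one alert row per device."""
    return [
        {"DeviceName": dev, "CipherCount": len(ds), "Drives": sorted(ds)}
        for dev, ds in sorted(cipher_wipe_drives(events).items())
        if len(ds) > threshold
    ]


if __name__ == "__main__":
    for row in detect_multi_drive_wipe(SAMPLE_EVENTS):
        print(row)
```

Only ws01 fires: ws02 ran cipher /w twice but against the same volume, ws03 used cipher for encryption rather than wiping, and ws04 is not cipher.exe at all.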
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CipherCount | gt | "1" |
| FileName | eq | "cipher.exe" |
| ProcessCommandLine | match | "/w" |