Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Deletion of data on multiple drives using cipher exe

Deletion of data on multiple drives using cipher exe

Back
Id03caa992-477f-4b19-8e2a-8cd58f8f9652
RulenameDeletion of data on multiple drives using cipher exe
DescriptionThis query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
SeverityMedium
TacticsImpact
TechniquesT1485
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml
Version1.0.0
Arm template03caa992-477f-4b19-8e2a-8cd58f8f9652.json
Deploy To Azure
// Look for cipher.exe deleting data from multiple drives
DeviceProcessEvents
| where FileName =~ "cipher.exe" 
// cipher.exe /w flag used for deleting data 
| where ProcessCommandLine has "/w" 
| summarize CipherCount = dcount(ProcessCommandLine), CipherList = make_set(ProcessCommandLine, 1000) by DeviceId, DeviceName, bin(TimeGenerated, 1m) 
// cipher.exe accessing multiple drives in a short timeframe  
| where CipherCount > 1
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

description: |
    This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
kind: Scheduled
tactics:
- Impact
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml
severity: Medium
name: Deletion of data on multiple drives using cipher exe
triggerThreshold: 0
queryPeriod: 1h
query: |
  // Look for cipher.exe deleting data from multiple drives
  DeviceProcessEvents
  | where FileName =~ "cipher.exe" 
  // cipher.exe /w flag used for deleting data 
  | where ProcessCommandLine has "/w" 
  | summarize CipherCount = dcount(ProcessCommandLine), CipherList = make_set(ProcessCommandLine, 1000) by DeviceId, DeviceName, bin(TimeGenerated, 1m) 
  // cipher.exe accessing multiple drives in a short timeframe  
  | where CipherCount > 1
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
relevantTechniques:
- T1485
id: 03caa992-477f-4b19-8e2a-8cd58f8f9652
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain