Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Deletion of data on multiple drives using cipher exe

Deletion of data on multiple drives using cipher exe

Back
Id03caa992-477f-4b19-8e2a-8cd58f8f9652
RulenameDeletion of data on multiple drives using cipher exe
DescriptionThis query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
SeverityMedium
TacticsImpact
TechniquesT1485
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml
Version1.0.0
Arm template03caa992-477f-4b19-8e2a-8cd58f8f9652.json
Deploy To Azure
// Look for cipher.exe deleting data from multiple drives
DeviceProcessEvents
| where FileName =~ "cipher.exe" 
// cipher.exe /w flag used for deleting data 
| where ProcessCommandLine has "/w" 
| summarize CipherCount = dcount(ProcessCommandLine), CipherList = make_set(ProcessCommandLine, 1000) by DeviceId, DeviceName, bin(TimeGenerated, 1m) 
// cipher.exe accessing multiple drives in a short timeframe  
| where CipherCount > 1
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

version: 1.0.0
kind: Scheduled
severity: Medium
tactics:
- Impact
status: Available
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
  entityType: Host
query: |
  // Look for cipher.exe deleting data from multiple drives
  DeviceProcessEvents
  | where FileName =~ "cipher.exe" 
  // cipher.exe /w flag used for deleting data 
  | where ProcessCommandLine has "/w" 
  | summarize CipherCount = dcount(ProcessCommandLine), CipherList = make_set(ProcessCommandLine, 1000) by DeviceId, DeviceName, bin(TimeGenerated, 1m) 
  // cipher.exe accessing multiple drives in a short timeframe  
  | where CipherCount > 1
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
triggerOperator: gt
id: 03caa992-477f-4b19-8e2a-8cd58f8f9652
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
relevantTechniques:
- T1485
name: Deletion of data on multiple drives using cipher exe
queryFrequency: 1h
description: |
    This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml