Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Deletion of data on multiple drives using cipher exe

Back
Id03caa992-477f-4b19-8e2a-8cd58f8f9652
RulenameDeletion of data on multiple drives using cipher exe
DescriptionThis query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
SeverityMedium
TacticsImpact
TechniquesT1485
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml
Version1.0.0
Arm template03caa992-477f-4b19-8e2a-8cd58f8f9652.json
Deploy To Azure
// Look for cipher.exe deleting data from multiple drives
DeviceProcessEvents
| where FileName =~ "cipher.exe" 
// cipher.exe /w flag used for deleting data 
| where ProcessCommandLine has "/w" 
| summarize CipherCount = dcount(ProcessCommandLine), CipherList = make_set(ProcessCommandLine, 1000) by DeviceId, DeviceName, bin(TimeGenerated, 1m) 
// cipher.exe accessing multiple drives in a short timeframe  
| where CipherCount > 1
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
name: Deletion of data on multiple drives using cipher exe
version: 1.0.0
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1485
status: Available
description: |
    This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
tactics:
- Impact
queryPeriod: 1h
query: |
  // Look for cipher.exe deleting data from multiple drives
  DeviceProcessEvents
  | where FileName =~ "cipher.exe" 
  // cipher.exe /w flag used for deleting data 
  | where ProcessCommandLine has "/w" 
  | summarize CipherCount = dcount(ProcessCommandLine), CipherList = make_set(ProcessCommandLine, 1000) by DeviceId, DeviceName, bin(TimeGenerated, 1m) 
  // cipher.exe accessing multiple drives in a short timeframe  
  | where CipherCount > 1
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
kind: Scheduled
triggerThreshold: 0
id: 03caa992-477f-4b19-8e2a-8cd58f8f9652
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/03caa992-477f-4b19-8e2a-8cd58f8f9652')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/03caa992-477f-4b19-8e2a-8cd58f8f9652')]",
      "properties": {
        "alertRuleTemplateName": "03caa992-477f-4b19-8e2a-8cd58f8f9652",
        "customDetails": null,
        "description": "This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.\n",
        "displayName": "Deletion of data on multiple drives using cipher exe",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml",
        "query": "// Look for cipher.exe deleting data from multiple drives\nDeviceProcessEvents\n| where FileName =~ \"cipher.exe\" \n// cipher.exe /w flag used for deleting data \n| where ProcessCommandLine has \"/w\" \n| summarize CipherCount = dcount(ProcessCommandLine), CipherList = make_set(ProcessCommandLine, 1000) by DeviceId, DeviceName, bin(TimeGenerated, 1m) \n// cipher.exe accessing multiple drives in a short timeframe  \n| where CipherCount > 1\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}