Adversaries running cipher.exe with the /w switch are overwriting the free space on a volume so that previously deleted files cannot be recovered. In the ransomware campaigns this query was written for, that wipe is an anti-forensic step taken right before the drive is encrypted: it prevents recovery of files the attackers deleted, including their own tooling. It is not by itself a sign of data exfiltration. SOC teams should hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain the intrusion before the data is encrypted or lost.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "cipher.exe"
// /w overwrites the free space of the given volume (cipher.exe /w:<drive>), destroying deleted data
| where ProcessCommandLine has "/w"
| summarize CommandCount = dcount(ProcessCommandLine),
make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// More than one distinct cipher /w command on the same device within one minute, e.g. several drives wiped back to back
| where CommandCount > 1
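To see what the aggregation above does on concrete rows, here is the same logic re-implemented in Python over a handful of constructed DeviceProcessEvents-like records. This is an added example, not code from the page or from Microsoft's Azure-Sentinel repository; the device names, accounts, parent processes and timestamps are made up. `hunt_original` mirrors the KQL: FileName equals cipher.exe, "/w" in the command line, dcount(ProcessCommandLine) per DeviceId per 1-minute bin, CommandCount > 1. `hunt_refined` is a suggested tightening and not part of the published query: it extracts the drive letter from `/w:<drive>:`, counts distinct drives per device in a sliding two-minute window, and carries InitiatingProcessFileName and AccountName for triage.

```python
"""Added example: the cipher.exe /w hunt re-implemented over constructed events.

Illustrative code, not the Sentinel query or Microsoft's repository code. Row shapes
mimic Sentinel DeviceProcessEvents columns (Timestamp, DeviceId, FileName,
ProcessCommandLine, InitiatingProcessFileName, AccountName); every value is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re


def _ev(ts, device, cmd, file_name="cipher.exe", parent="cmd.exe", account="itadmin"):
    """Build one constructed DeviceProcessEvents-like row."""
    return {"Timestamp": ts, "DeviceId": device, "FileName": file_name,
            "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent,
            "AccountName": account}


SAMPLE_EVENTS = [
    # Benign: an administrator sanitizes one volume on a laptop being decommissioned.
    _ev("2020-04-20T09:00:05Z", "dev-admin-01", "cipher.exe /w:C:\\"),
    # Suspicious: three volumes wiped within 40 seconds from a script host under a service account.
    _ev("2020-04-20T11:30:10Z", "dev-fileserver-07", "cipher.exe /w:C:\\", parent="wscript.exe", account="svc_backup"),
    _ev("2020-04-20T11:30:25Z", "dev-fileserver-07", "cipher.exe /w:D:\\", parent="wscript.exe", account="svc_backup"),
    _ev("2020-04-20T11:30:50Z", "dev-fileserver-07", "cipher.exe /w:E:\\", parent="wscript.exe", account="svc_backup"),
    # Same command twice: dcount(ProcessCommandLine) is 1, so the original query stays silent.
    _ev("2020-04-20T13:00:00Z", "dev-ws-22", "cipher.exe /w:C:\\"),
    _ev("2020-04-20T13:00:30Z", "dev-ws-22", "cipher.exe /w:C:\\"),
    # Two drives 20 seconds apart but straddling a minute boundary: separate 1m bins, no hit.
    _ev("2020-04-20T15:59:50Z", "dev-ws-31", "cipher.exe /w:C:\\"),
    _ev("2020-04-20T16:00:10Z", "dev-ws-31", "cipher.exe /w:D:\\"),
    # Contains "/w" but is not cipher.exe: dropped by the FileName filter.
    _ev("2020-04-20T17:00:00Z", "dev-ws-40", "robocopy.exe C:\\src D:\\dst /w:5", file_name="robocopy.exe"),
    # cipher.exe without /w (just listing EFS state): dropped by the command-line filter.
    _ev("2020-04-20T17:05:00Z", "dev-ws-40", "cipher.exe /c C:\\data"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def bin_minute(ts):
    """Equivalent of KQL bin(Timestamp, 1m)."""
    return ts.replace(second=0, microsecond=0)


def hunt_original(events):
    """Mirror of the published query. KQL =~ and has are case-insensitive, approximated here
    with lowercase comparisons. Returns one row per (DeviceId, 1m bin) with CommandCount > 1."""
    groups = defaultdict(set)
    for e in events:
        if e["FileName"].lower() != "cipher.exe":
            continue
        if "/w" not in e["ProcessCommandLine"].lower():
            continue
        key = (e["DeviceId"], bin_minute(parse_ts(e["Timestamp"])))
        groups[key].add(e["ProcessCommandLine"])          # make_set / dcount
    return [{"DeviceId": dev, "Bin": b.isoformat(), "CommandCount": len(cmds),
             "Commands": sorted(cmds)}
            for (dev, b), cmds in sorted(groups.items()) if len(cmds) > 1]


DRIVE_RE = re.compile(r"/w:([A-Za-z]):", re.IGNORECASE)


def hunt_refined(events, window=timedelta(minutes=2)):
    """Suggested tightening (assumption, not the published query): count distinct drive
    letters per device in a sliding window, so repeated identical commands do not inflate
    the count and pairs that straddle a fixed bin boundary are not missed."""
    per_device = defaultdict(list)
    for e in events:
        if e["FileName"].lower() != "cipher.exe":
            continue
        m = DRIVE_RE.search(e["ProcessCommandLine"])
        if not m:
            continue
        per_device[e["DeviceId"]].append((parse_ts(e["Timestamp"]), m.group(1).upper(), e))
    hits = []
    for device, rows in sorted(per_device.items()):
        rows.sort(key=lambda r: r[0])
        for start, _, _ in rows:
            in_window = [r for r in rows if start <= r[0] <= start + window]
            drives = {r[1] for r in in_window}
            if len(drives) > 1:
                hits.append({"DeviceId": device, "Start": start.isoformat(),
                             "Drives": sorted(drives),
                             "Parents": sorted({r[2]["InitiatingProcessFileName"] for r in in_window}),
                             "Accounts": sorted({r[2]["AccountName"] for r in in_window})})
                break  # first qualifying window per device is enough for a hunt
    return hits


if __name__ == "__main__":
    for hit in hunt_original(SAMPLE_EVENTS):
        print("original :", hit)
    for hit in hunt_refined(SAMPLE_EVENTS):
        print("refined  :", hit)
```

On the sample, the published logic fires only for the file server; the repeated command on dev-ws-22 and the boundary-straddling pair on dev-ws-31 are both missed, and the refinement catches the latter. The KQL equivalent of the refinement is `extract(@"/w:([A-Za-z]):", 1, ProcessCommandLine)` with dcount on that value per DeviceId, using a wider bin or a time-window join instead of bin(Timestamp, 1m), and adding InitiatingProcessFileName and AccountName to the summarize so the parent process and account are visible in the hunt results.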
id: ccf00363-6636-4748-9df5-a22f6cb977bd
name: deleting-data-w-cipher-tool
description: |
  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. A related blog post is linked under Reference below.
  In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
  The following query detects the use of the tool cipher.exe with the /w switch, which overwrites free disk space so that deleted files cannot be recovered, to destroy indicators of malicious activity right before encrypting a drive.
  The See also section below lists more queries related to techniques shared by these campaigns.
  Reference - https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense evasion
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "cipher.exe"
  // /w overwrites the free space of the given volume (cipher.exe /w:<drive>), destroying deleted data
  | where ProcessCommandLine has "/w"
  | summarize CommandCount = dcount(ProcessCommandLine),
  make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
  // More than one distinct cipher /w command on the same device within one minute, e.g. several drives wiped back to back
  | where CommandCount > 1
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender connector (connectorId MicrosoftThreatProtection above); ensure it is enabled with DeviceProcessEvents selected. The query needs only Timestamp, DeviceId, FileName and ProcessCommandLine; InitiatingProcessFileName and AccountName are useful for triaging hits. |
Scenario: Administrator Sanitizing Free Space with cipher.exe
Description: cipher.exe /w:<drive> overwrites the unused space on a volume so that previously deleted files cannot be recovered; it does not clean up, defragment or repair a disk. Administrators run it legitimately before repurposing or disposing of a machine, or to satisfy a policy that requires purging deleted sensitive data, and may do so for every volume on the device in quick succession.
Filter/Exclusion: Pivot on the DeviceProcessEvents columns the query already reads: InitiatingProcessFileName (the ECS-style process.parent.name), AccountName and DeviceName. A wipe launched interactively from cmd.exe or powershell.exe by a known administrator account on a device scheduled for decommissioning is expected; the same command launched from an unusual parent, under a service or compromised account, or on many devices at once is not. Exclude by account or device only for documented maintenance windows.
Scenario: Scheduled Job or Management Tooling Running cipher.exe /w
Description: A scheduled task, configuration-management agent or deployment script may run cipher.exe /w against each volume as part of a recurring sanitization job, which produces exactly the "several distinct /w commands on one device within a minute" pattern the query alerts on.
Filter/Exclusion: Match on the parent (InitiatingProcessFileName, e.g. the management agent, or svchost.exe when the Task Scheduler service launches the task) together with the job's fixed command lines, and confirm the task is registered in Task Scheduler on that device before excluding it. A one-off run from an interactive shell that merely resembles the job does not qualify for the exclusion.
Note on other encryption tools: scenarios involving openssl, gpg, VeraCrypt, BitLocker or 7-Zip (archival scripts, compliance encryption, user backups) never produce results for this query, because it matches only FileName =~ "cipher.exe" with "/w" on the command line. Those tools belong to other ransomware hunting queries and need no exclusion here.
Scenario: Antivirus or Endpoint Protection Scanning
Description: An endpoint protection tool like Windows Defender or `