The hypothesis is that the use of cipher.exe across multiple drives indicates potential ransomware activity aimed at data deletion before encryption. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware attacks before data is irreversibly lost.
KQL Query
```kusto
// Look for cipher.exe wiping data on multiple drives
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "cipher.exe"
// The /w switch overwrites free space so previously deleted data cannot be recovered
| where ProcessCommandLine has "/w"
| summarize CipherCount = dcount(ProcessCommandLine),
            CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// More than one distinct cipher /w command line on the same device within one minute,
// i.e. several drives being wiped in a short timeframe
| where CipherCount > 1
```
```yaml
id: 65d15781-c7bf-447e-8c33-a2a94e727bf4
name: Deletion of data on multiple drives using cipher exe
description: |
  This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  // Look for cipher.exe deleting data from multiple drives
  DeviceProcessEvents
  | where Timestamp > ago(1d)
  | where FileName =~ "cipher.exe"
  // cipher.exe /w flag used for deleting data
  | where ProcessCommandLine has "/w"
  | summarize CipherCount = dcount(ProcessCommandLine),
              CipherList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
  // cipher.exe accessing multiple drives in a short timeframe
  | where CipherCount > 1
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection data connector listed in the rule above; ensure that connector is enabled |
False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs cipher.exe to clean up temporary files or perform disk maintenance across multiple drives. | Exclude processes initiated by schtasks.exe or tasks with known maintenance names (e.g., "Disk Cleanup", "System Maintenance"). |
| Windows Disk Cleanup Tool | The built-in Windows Disk Cleanup utility uses cipher.exe to remove unneeded files and free up disk space. | Exclude processes with a command line containing the /f or /d flags commonly used in Disk Cleanup operations. |
| Admin Task for Data Archival | An administrator uses a script or tool like PowerShell or RoboCopy to archive data, which may involve cipher.exe for file system consistency checks. | Exclude processes initiated by user accounts with administrative privileges and associated with known archival scripts or tools. |
| Antivirus Quarantine Operation | An antivirus tool like Kaspersky, Bitdefender, or Malwarebytes may use cipher.exe to securely delete quarantined files across multiple drives. | Exclude processes where the parent process is an antivirus executable (e.g., kavsvc.exe, mbam.exe, bitdefender.exe). |
| Database Backup and Cleanup | A database management system (e.g., SQL Server, MySQL) may use cipher.exe as part of a backup or cleanup process to ensure data integrity. | Exclude processes where the parent process is a database service or related tool (e.g., sqlservr.exe, mysqld.exe). |
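As an added example (not the original hunting query and not part of the rule YAML above), the query below carries the exclusions from the false-positive scenarios into KQL and, going one step beyond the page, counts distinct drive letters pulled from the documented `cipher /w:<path>` argument rather than distinct command lines, so the "multiple drives" condition in the hypothesis is tested directly. `InitiatingProcessFileName`, `InitiatingProcessAccountName` and `DeviceName` are standard DeviceProcessEvents columns; the `benignParents` list is a placeholder assembled from the scenarios above and must be tuned per environment.

```kusto
// Added example, not the page's own query: base detection plus the
// false-positive exclusions from the scenario table, counting drives not command lines.
let lookback = 1d;
let window = 1m;
// Placeholder list built from the scenario table (schtasks, AV, database parents); tune per environment
let benignParents = dynamic(["schtasks.exe", "kavsvc.exe", "mbam.exe", "bitdefender.exe", "sqlservr.exe", "mysqld.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "cipher.exe"
// The /w switch overwrites free space so deleted data cannot be recovered
| where ProcessCommandLine has "/w"
// Scenario table: drop known maintenance, antivirus and database parent processes
| where not(InitiatingProcessFileName in~ (benignParents))
// Scenario table: drop invocations carrying a standalone /f or /d switch.
// A regex is used instead of has_any so that a D: drive path is not mistaken for /d.
| where not(ProcessCommandLine matches regex @"(?i)(^|\s)/[fd](\s|$)")
// cipher /w:<path> wipes free space on the volume holding <path>; pull its drive letter.
// An invocation without a drive letter yields an empty Drive value, which still counts once.
| extend Drive = toupper(extract(@"/w:\s*([A-Za-z]):", 1, ProcessCommandLine))
| summarize DriveCount = dcount(Drive),
            Drives = make_set(Drive),
            CipherCount = dcount(ProcessCommandLine),
            CipherList = make_set(ProcessCommandLine),
            Parents = make_set(InitiatingProcessFileName),
            Accounts = make_set(InitiatingProcessAccountName)
    by DeviceId, DeviceName, bin(Timestamp, window)
// Alert only when cipher /w touched more than one distinct drive on the same device in the window
| where DriveCount > 1
| order by Timestamp desc
```

Rows that survive are the triage candidates; the `Parents` and `Accounts` columns show at a glance whether one of the exclusions in the scenario table should have applied or whether a new environment-specific exclusion is warranted, without loosening the core `DriveCount > 1` condition.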