administrator may execute this app to manage disk

t1070
t1070.004
endpoint
splunk

Techniques

T1070
T1070.004

Sample rules

Clear Unallocated Sector Using Cipher App

source: splunk
technicques:
- T1070.004
- T1070

Description

this search is to detect execution of cipher.exe to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cipher.exe" Processes.process = "*/w:*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `clear_unallocated_sector_using_cipher_app_filter`