==================================================

CREATED: WIN-CIPHER-EXECUTION (#2069)

Description

This detector identifies instances of the Windows binary cipher.exe executing and clearing data from unused disk space.  Adversaries will utilize this process to prevent recovery of deleted files.

ATT&CK Technique T1485
ATT&CK Technique T1486
ATT&CK Technique T1490

Did this answer your question?