cipher.exe
- File Path:
C:\windows\SysWOW64\cipher.exe - Description: File Encryption Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | B3595442D82ADCB77E05F40356AC0E70 |
| SHA1 | 1A628B9D8AA5F81F561EE3EA565AB3C2CC6B4D16 |
| SHA256 | 067D2C6EE12FF31C08BC5752D5603A803FC67D0F97DA3EA702B330A69B7DD7E8 |
| SHA384 | A944A344E61460911D895BD6A5E83A484D6552CEAC43B6827445E785E32B71C51E8F5DC5A7909F06E75656DBE376BE4F |
| SHA512 | BF3EAFD4797AC7B5F998A312288186087E806935AB315B4565BFF70DDC58AA0CA74C3209062FDBA6086636F9641473B3817EE1BC162E14501DD175F36D6C18AC |
| SSDEEP | 768:3GJavBzIggAy2gHS6r2xMOCFSjOIGAn4v7PHWNzOy:WJavPgSgy6C+lKOInA7ezOy |
Signature
- Status: The file C:\windows\SysWOW64\cipher.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: CIPHER.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of cipher.exe being misused. While cipher.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | zeek_susp_kerberos_rc4.yml | cipher: 'rc4-hmac' |
DRL 1.0 |
| sigma | proc_creation_win_susp_cipher.yml | title: Overwrite Deleted Data with Cipher |
DRL 1.0 |
| sigma | proc_creation_win_susp_cipher.yml | Image\|endswith: \cipher.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \cipher.exe |
DRL 1.0 |
| sigma | arcsight-zeek.yml | cipher: |
DRL 1.0 |
| sigma | arcsight-zeek.yml | #cipher: message |
DRL 1.0 |
| sigma | arcsight-zeek.yml | #cipher: deviceCustomString4 |
DRL 1.0 |
| sigma | ecs-auditbeat-modules-enabled.yml | cipher: auditd.data.cipher |
DRL 1.0 |
| sigma | ecs-auditd.yml | cipher: cipher |
DRL 1.0 |
| sigma | ecs-zeek-corelight.yml | cipher: |
DRL 1.0 |
| sigma | ecs-zeek-corelight.yml | service=kerberos: kerberos.cipher |
DRL 1.0 |
| sigma | ecs-zeek-corelight.yml | service=ssl: tls.cipher |
DRL 1.0 |
| sigma | ecs-zeek-corelight.yml | kerberos_cipher: kerberos.cipher |
DRL 1.0 |
| sigma | ecs-zeek-corelight.yml | ssl_cipher: tls.cipher |
DRL 1.0 |
| sigma | ecs-zeek-corelight.yml | tls_cipher: tls.cipher |
DRL 1.0 |
| sigma | ecs-zeek-corelight.yml | #cipher: kerberos.cipher |
DRL 1.0 |
| sigma | ecs-zeek-corelight.yml | #cipher: tls.cipher |
DRL 1.0 |
| sigma | ecs-zeek-elastic-beats-implementation.yml | cipher: 'zeek.*.cipher' |
DRL 1.0 |
| sigma | ecs-zeek-elastic-beats-implementation.yml | kerberos_cipher: zeek.kerberos.cipher |
DRL 1.0 |
| sigma | ecs-zeek-elastic-beats-implementation.yml | ssl_cipher: zeek.ssl.cipher |
DRL 1.0 |
| sigma | ecs-zeek-elastic-beats-implementation.yml | tls_cipher: zeek.ssl.cipher |
DRL 1.0 |
| sigma | ecs-zeek-elastic-beats-implementation.yml | #cipher: zeek.kerberos.cipher |
DRL 1.0 |
| sigma | ecs-zeek-elastic-beats-implementation.yml | cipher_alg: zeek.ssh.algorithm.cipher |
DRL 1.0 |
| sigma | ecs-zeek-elastic-beats-implementation.yml | #cipher: tls.cipher # Not implemented in Elastic Beats |
DRL 1.0 |
| sigma | ecs-zeek-elastic-beats-implementation.yml | #cipher: zeek.ssl.cipher |
DRL 1.0 |
| malware-ioc | attor | === XOR cipher keys |
© ESET 2014-2018 |
| malware-ioc | carbon_tool.py | from Crypto.Cipher import CAST |
© ESET 2014-2018 |
| malware-ioc | carbon_tool.py | cipher = CAST.new(key, CAST.MODE_OFB, iv) |
© ESET 2014-2018 |
| malware-ioc | carbon_tool.py | data = cipher.encrypt(plaintext) |
© ESET 2014-2018 |
| malware-ioc | carbon_tool.py | data = cipher.decrypt(ciphertext) |
© ESET 2014-2018 |
| malware-ioc | windigo | [-Q cipher \| cipher-auth \| mac \| kex \| key] |
© ESET 2014-2018 |
| atomic-red-team | T1485.md | RansomEXX malware removes all deleted files using windows built-in cipher.exe to prevent forensic recover. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | https://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | cipher.exe /w:C: | MIT License. © 2018 Red Canary |
| atomic-red-team | T1486.md | echo “#{pwd_for_encrypted_file}” | $which_gpg –batch –yes –passphrase-fd 0 –cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path} | MIT License. © 2018 Red Canary |
| signature-base | apt_promethium_neodymium.yar | $s1 = “%s SslHandshakeDone(%d) %d. Secure connection with %s, cipher %s, %d secret bits (%d total), session reused=%s” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_seaduke_unit42.yar | $s3 = “Crypto.Cipher.AES(“ fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
cipher
Displays or alters the encryption of directories and files on NTFS volumes. If used without parameters, cipher displays the encryption state of the current directory and any files it contains.
Syntax
cipher [/e | /d | /c] [/s:<directory>] [/b] [/h] [pathname [...]]
cipher /k
cipher /r:<filename> [/smartcard]
cipher /u [/n]
cipher /w:<directory>
cipher /x[:efsfile] [filename]
cipher /y
cipher /adduser [/certhash:<hash> | /certfile:<filename>] [/s:directory] [/b] [/h] [pathname [...]]
cipher /removeuser /certhash:<hash> [/s:<directory>] [/b] [/h] [<pathname> [...]]
cipher /rekey [pathname [...]]
Parameters
| Parameters | Description |
|---|---|
| /b | Aborts if an error is encountered. By default, cipher continues to run even if errors are encountered. |
| /c | Displays information on the encrypted file. |
| /d | Decrypts the specified files or directories. |
| /e | Encrypts the specified files or directories. Directories are marked so that files that are added afterward will be encrypted. |
| /h | Displays files with hidden or system attributes. By default, these files are not encrypted or decrypted. |
| /k | Creates a new certificate and key for use with Encrypting File System (EFS) files. If the /k parameter is specified, all other parameters are ignored. |
/r:<filename> [/smartcard] |
Generates an EFS recovery agent key and certificate, then writes them to a .pfx file (containing certificate and private key) and a .cer file (containing only the certificate). If /smartcard is specified, it writes the recovery key and certificate to a smart card, and no .pfx file is generated. |
/s:<directory> |
Performs the specified operation on all subdirectories in the specified directory. |
| /u [/n] | Finds all encrypted files on the local drive(s). If used with the /n parameter, no updates are made. If used without /n, /u compares the user’s file encryption key or the recovery agent’s key to the current ones, and updates them if they have changed. This parameter works only with /n. |
/w:<directory> |
Removes data from available unused disk space on the entire volume. If you use the /w parameter, all other parameters are ignored. The directory specified can be located anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume is removed. |
/x[:efsfile] [<FileName>] |
Backs up the EFS certificate and keys to the specified file name. If used with :efsfile, /x backs up the user’s certificate(s) that were used to encrypt the file. Otherwise, the user’s current EFS certificate and keys are backed up. |
| /y | Displays your current EFS certificate thumbnail on the local computer. |
/adduser [/certhash:<hash> |
/certfile:<filename>] |
| /rekey | Updates the specified encrypted file(s) to use the currently configured EFS key. |
/removeuser /certhash:<hash> |
Removes a user from the specified file(s). The Hash provided for /certhash must be the SHA1 hash of the certificate to remove. |
| /? | Displays help at the command prompt. |
Remarks
-
If the parent directory is not encrypted, an encrypted file could become decrypted when it is modified. Therefore, when you encrypt a file, you should also encrypt the parent directory.
-
An administrator can add the contents of a .cer file to the EFS recovery policy to create the recovery agent for users, and then import the .pfx file to recover individual files.
-
You can use multiple directory names and wildcards.
-
You must put spaces between multiple parameters.
Examples
To display the encryption status of each of the files and subdirectories in the current directory, type:
cipher
Encrypted files and directories are marked with an E. Unencrypted files and directories are marked with a U. For example, the following output indicates that the current directory and all its contents are currently unencrypted:
Listing C:\Users\MainUser\Documents\
New files added to this directory will not be encrypted.
U Private
U hello.doc
U hello.txt
To enable encryption on the Private directory used in the previous example, type:
cipher /e private
The following output displays:
Encrypting files in C:\Users\MainUser\Documents\
Private [OK]
1 file(s) [or directorie(s)] within 1 directorie(s) were encrypted.
The cipher command displays the following output:
Listing C:\Users\MainUser\Documents\
New files added to this directory will not be encrypted.
E Private
U hello.doc
U hello.txt
Where the Private directory is now marked as encrypted.
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.