S1205 cipher.exe
cipher.exe is a native Microsoft utility that manages encryption of directories and files on NTFS (New Technology File System) partitions by using the Encrypting File System (EFS). [1]
| Item | Value |
|---|---|
| ID | S1205 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 25 February 2025 |
| Last Modified | 10 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | cipher.exe can be used to overwrite deleted data in specified folders. [2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [2] |
References
1. Microsoft Support. (n.d.). Cipher.exe Security Tool for the Encrypting File System. Retrieved February 25, 2025.
2. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.