cipher.exe

cipher.exe manages Encrypting File System (EFS) encryption on NTFS files and folders, and can also overwrite the free space on a drive. Admins use it to encrypt data and to scrub deleted files. Attackers use the wipe feature for anti-forensics and destruction.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • cipher /w:{PATH_ABSOLUTE:folder} (Tamper): Can be used to forensically erase a file.
  • cipher.exe /e {PATH_ABSOLUTE} (Tamper): Can be used to impair defences by e.g. encrypting a critical EDR solution file.

Indicators

Hashes

Not observed.

Analysis

About this process

cipher.exe displays and changes the EFS encryption state of files and directories. Its other notable mode is /w, which overwrites the free space on a volume, the space where deleted files still physically live, so that previously deleted data cannot be recovered. The genuine binary lives at C:\Windows\System32\cipher.exe.

Legitimately, cipher is used to manage EFS or to securely clear deleted data before disposing of a drive. The mode it runs in is what gives an instance meaning.

Security notes

cipher.exe is used for destruction and anti-forensics (T1485). cipher /w overwrites the free space on a volume, which permanently destroys the remnants of deleted files and defeats file-recovery and carving. Run outside a genuine drive-decommission, especially alongside other cleanup like event-log clearing or shadow deletion, it points to an attacker erasing evidence or destroying data.

Because cipher is a legitimate EFS and disk-hygiene tool, the mode and the context are what matter. A /w wipe issued by a script host in the middle of an incident is very different from an administrator clearing a disk before retiring it.

Anomaly signals
  • Image path other than C:\Windows\System32\cipher.exe (high)
  • /w wiping free space outside a planned decommission (high)
  • Parent is cmd.exe, powershell.exe, or an unfamiliar process (high)
  • Run alongside log clearing, shadow-copy deletion, or USN journal deletion (med)
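The four signals above can be turned into triage logic over process-creation telemetry. The script below is an added example, not code from this catalogue or from Microsoft; it scores each cipher.exe event in a batch of constructed Sysmon-style events (image, command line, parent, timestamp) against the four signals and uses the surrounding events as context for the co-occurrence check. The FAMILIAR_PARENTS allowlist, the 30-minute correlation window and the cleanup regexes are assumptions an analyst would tune for their own environment.

```python
"""Score cipher.exe process-creation events against the anomaly signals listed above."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

EXPECTED_IMAGE = r"c:\windows\system32\cipher.exe"

# Assumption: parents an organisation treats as routine for interactive admin use.
FAMILIAR_PARENTS = {"explorer.exe", "mmc.exe", "services.exe"}
# Script hosts named in the anomaly signals (plus the usual equivalents).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Cleanup activity that, near a cipher run, raises the medium-severity signal.
CLEANUP_PATTERNS = (
    ("event-log clearing", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bclear-eventlog\b", re.I)),
    ("shadow-copy deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bshadowcopy\s+delete\b", re.I)),
    ("USN journal deletion", re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
)


@dataclass(frozen=True)
class ProcessEvent:
    time: datetime
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_free_space_wipe(command_line):
    """True when the command line carries cipher's /w switch (free-space overwrite)."""
    return any(tok.lower().startswith("/w") and (len(tok) == 2 or tok[2] == ":")
               for tok in command_line.split())


def assess_cipher_event(event, context_events, window=timedelta(minutes=30)):
    """Return (signal, severity) pairs triggered by one cipher.exe process-creation event."""
    signals = []
    if event.image.lower() != EXPECTED_IMAGE:
        signals.append(("image path other than System32 cipher.exe", "high"))
    if is_free_space_wipe(event.command_line):
        signals.append(("/w free-space wipe", "high"))
    parent = _basename(event.parent_image)
    if parent in SCRIPT_HOSTS:
        signals.append(("parent is a script host (%s)" % parent, "high"))
    elif parent not in FAMILIAR_PARENTS:
        signals.append(("parent is unfamiliar (%s)" % parent, "high"))
    # Medium signal: other evidence-destruction activity within the correlation window.
    nearby = [e for e in context_events if abs(e.time - event.time) <= window]
    cleanup = sorted({label for e in nearby for label, pat in CLEANUP_PATTERNS
                      if pat.search(e.command_line)})
    if cleanup:
        signals.append(("co-occurring cleanup: " + ", ".join(cleanup), "med"))
    return signals


def verdict(signals):
    """Collapse the triggered signals into a single severity label."""
    severities = {sev for _, sev in signals}
    if "high" in severities:
        return "high"
    if "med" in severities:
        return "med"
    return "none"


def triage(events):
    """Assess every cipher.exe event in a batch, using the rest of the batch as context."""
    results = []
    for ev in events:
        if _basename(ev.image) == "cipher.exe":
            sigs = assess_cipher_event(ev, [e for e in events if e is not ev])
            results.append((ev.command_line, sigs, verdict(sigs)))
    return results


# Constructed sample telemetry (not real observations). The first three events
# model an intrusion cleanup sequence; the last two model a routine EFS use and a
# renamed copy of the binary running outside System32.
T0 = datetime(2024, 1, 15, 3, 12, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(T0 - timedelta(minutes=4), r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security", PS),
    ProcessEvent(T0 - timedelta(minutes=2), r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet", PS),
    ProcessEvent(T0, r"C:\Windows\System32\cipher.exe", "cipher.exe /w:C:\\", PS),
    ProcessEvent(T0 + timedelta(hours=6), r"C:\Windows\System32\cipher.exe", r"cipher.exe /e C:\Users\alice\Finance", r"C:\Windows\explorer.exe"),
    ProcessEvent(T0 + timedelta(hours=7), r"C:\Users\Public\cipher.exe", r"cipher.exe /e C:\Users\alice\Finance", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for cmd, sigs, level in triage(SAMPLE_EVENTS):
        print("%-5s %s" % (level, cmd))
        for name, sev in sigs:
            print("       [%s] %s" % (sev, name))
```

The co-occurrence check deliberately looks at the whole batch rather than only earlier events, since the wipe may precede the log clearing; in a SIEM the equivalent is a two-sided time join on the host.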

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
