S1205: cipher.exe
cipher.exe is a native Microsoft utility that manages encryption of directories and files on NTFS (New Technology File System) partitions by using the Encrypting File System (EFS).[1]
Analyst context for executives and security teams
cipher.exe is a legitimate Windows utility for managing Encrypting File System encryption on NTFS volumes. Its security significance is that a trusted native tool can appear in adversary tradecraft and is linked in ATT&CK to Disk Content Wipe, an impact behavior that can affect data availability and recovery. For leaders, this is a reminder that resilience is not only about blocking malware; it also depends on visibility into built-in administrative utilities and the ability to distinguish normal operations from destructive or disruptive use.
Executive priority
Prioritize this as a Windows resilience and incident-readiness issue rather than a standalone malware problem. Security leaders should ask whether SOC and IR teams can see use of native encryption/file-system utilities on critical Windows systems, whether backups and recovery processes are insulated from endpoint-level disruption, and whether administrative use of EFS-related tooling is documented well enough to support audit and incident decisions. The ATT&CK relationships to APT28 and the APT28 Nearest Neighbor Campaign increase threat-intelligence relevance, but local exposure depends on whether cipher.exe activity is normal, monitored, and governed in the environment.
Technical view
Validate Windows telemetry for execution of cipher.exe and correlate it with user context, parent process, host criticality, command-line logging where available, file-system activity, and changes affecting NTFS/EFS-managed files or directories. Because ATT&CK provides no official detection text for this object, detection engineering should be behavior- and context-driven: distinguish expected administrative or support activity from unusual execution on servers, endpoints with sensitive data, recovery infrastructure, or systems where EFS use is not approved. Relationship context links the tool to T1561.001 Disk Content Wipe under impact, so IR playbooks should treat suspicious use alongside other data destruction or availability-loss signals.
Likely telemetry
- Windows process creation events for cipher.exe
- Command-line and parent-process metadata where collected
- User, logon session, and privilege context for the executing account
- Endpoint file-system activity on NTFS volumes and EFS-related changes
- EDR alerts or behavioral events involving native Windows utilities
Detection direction
- Create a baseline of legitimate cipher.exe use by administrators, support tools, and maintenance workflows before alerting broadly.
- Prioritize alerting for execution on high-value Windows systems, unusual users, unusual parent processes, or environments where EFS administration is not expected.
- Correlate cipher.exe activity with other impact indicators, especially file modification bursts, access failures, recovery issues, or other events aligned to Disk Content Wipe behavior.
- Tune for false positives from legitimate Microsoft-supported EFS administration, security operations, or helpdesk activity.
- Review gaps where command-line capture, parent-child process visibility, or endpoint file-system telemetry is missing; ATT&CK does not provide an official detection analytic for this object.
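The context-driven scoring that the Technical view and the Detection direction list describe, as an added example (not Glexia or MITRE code). The event records are constructed in Windows 4688 / Sysmon Event 1 style; the approved-user, approved-parent and high-value-host baselines and the `file_mods_last_5m` enrichment field are assumptions standing in for local telemetry.

```python
"""Context-scored triage of cipher.exe process-creation events (added example).
Baselines and the file_mods_last_5m enrichment field are assumed, not from ATT&CK."""
from dataclasses import dataclass, field

# Assumed local baseline of approved EFS administration (baseline before alerting).
APPROVED_USERS = {"CORP\\efs-admin"}
APPROVED_PARENTS = {"c:\\windows\\system32\\cmd.exe"}
HIGH_VALUE_HOSTS = {"FS01", "BACKUP01"}

@dataclass
class Finding:
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)

def triage(event):
    """Score one process-creation event; returns None if it is not cipher.exe."""
    if not event["image"].lower().endswith("\\cipher.exe"):
        return None
    cmd = event.get("command_line", "").lower()
    f = Finding(event["host"])
    checks = [  # (condition, weight, reason) drawn from the Detection direction list
        ("/w:" in cmd, 3, "/w: free-space overwrite switch (T1561.001 context)"),
        (event["user"] not in APPROVED_USERS, 2, f"unapproved user {event['user']}"),
        (event["parent_image"].lower() not in APPROVED_PARENTS, 2,
         f"unusual parent {event['parent_image']}"),
        (event["host"] in HIGH_VALUE_HOSTS, 2, "high-value host"),
        (event.get("file_mods_last_5m", 0) >= 500, 2, "file modification burst"),  # assumed 5-min count
    ]
    for hit, weight, reason in checks:
        if hit:
            f.score += weight
            f.reasons.append(reason)
    return f

def alerts(events, threshold=5):  # findings at or above threshold, highest score first
    found = [f for f in map(triage, events) if f is not None and f.score >= threshold]
    return sorted(found, key=lambda f: f.score, reverse=True)

# Constructed sample events: approved helpdesk use, low-context workstation use, high-context server use.
SAMPLE_EVENTS = [
    {"host": "WKS-HELPDESK", "user": "CORP\\efs-admin", "image": "C:\\Windows\\System32\\cipher.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cipher.exe /e C:\\Users\\bob\\Docs"},
    {"host": "WKS-42", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\cipher.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "cipher.exe /c C:\\Users\\alice"},
    {"host": "FS01", "user": "CORP\\svc-web", "image": "C:\\Windows\\System32\\cipher.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "cipher.exe /w:D:\\Shares", "file_mods_last_5m": 1200},
]
```

Lowering `threshold` surfaces the workstation case as well; the helpdesk case scores zero under the assumed baseline and never alerts.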
Mitigation priorities
- Document approved EFS and cipher.exe administrative use cases on Windows systems.
- Restrict administrative privileges and interactive access on critical systems to reduce unnecessary native-tool abuse opportunities.
- Ensure endpoint logging and EDR policies capture native utility execution with enough context for investigation.
- Protect and test backups and recovery paths so file or disk disruption does not become a business-continuity event.
- Incorporate suspicious cipher.exe activity into IR triage for potential impact scenarios, including validation of data availability and recovery integrity.
Analyst notes and limits
This object is a native Microsoft utility, not inherently malicious. The main analytic value comes from its Windows platform scope, its EFS/NTFS function, and ATT&CK relationships showing use by APT28, the APT28 Nearest Neighbor Campaign, and T1561.001 Disk Content Wipe. Glexia teams should treat it as a living-off-the-land visibility and resilience validation point.
ATT&CK supplies no official detection guidance, no aliases, no explicit tactics on the tool object, and limited relationship detail. Any assertion of maliciousness, attribution, or detection coverage requires local telemetry and incident evidence. The supplied platform support is Windows only.
cipher.exe
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1561.001 | Disk Content Wipe (sub-technique) | cipher.exe can be used to overwrite deleted data in specified folders. (Citation: Nearest Neighbor Volexity) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
C0051: APT28 Nearest Neighbor Campaign
APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily leveraged living-off-the-land techniques, while leveraging the zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations near the intended target, APT28 discovered dual-homed systems (with both a wired and wireless network connection) to enable Wi-Fi and use compromised credentials to connect to the victim network.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7631e5b077f0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft Support. (n.d.). Cipher.exe Security Tool for the Encrypting File System. Retrieved February 25, 2025.
[2] MITRE ATT&CK. S1205: cipher.exe.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.