
Cipher.exe Execution

Anvilogic Forge

Summary
The rule detects execution of `Cipher.exe`, a Windows command-line utility, specifically when it is run with the `/w` flag, which securely overwrites files on NTFS drives. This matters because threat actors may use `Cipher.exe` for data destruction, overwriting data so that it cannot be recovered. The rule identifies any execution of `cipher.exe`, even if the binary has been renamed, and focuses on invocations where the `/w:` argument is present, excluding those in which `/w:` is followed by numeric characters to reduce false positives. Using `get_endpoint_data` and `get_endpoint_data_edr`, the detection logic collects the relevant process executions and aggregates them by time and host for quick analysis. The aim is to strengthen defenses against activity focused on data loss or data tampering, particularly in environments exposed to targeted attacks that seek to disrupt services. Comprehensive references are provided, illustrating both practical uses of the tool and broader implications related to covert access via compromised networks.
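The following is an added example, not Anvilogic's rule logic, showing how the detection described above can be expressed over process-creation telemetry: match `cipher.exe` by image basename or by the PE original file name (so a renamed copy is still caught), require a `/w:` argument that is not followed by a digit, and aggregate hits by host and time bucket. The events, field names (`image`, `original_file_name`, `command_line`, in the style of Sysmon Event ID 1) and the one-hour bucket size are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample process-creation events; field names are assumed, Sysmon-style.
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:00:03Z", "host": "WS01",
     "image": r"C:\Windows\System32\cipher.exe", "original_file_name": "CIPHER.EXE",
     "command_line": r"cipher.exe /w:C:\Users\alice\Documents"},          # hit
    {"time": "2024-02-09T10:00:41Z", "host": "WS01",
     "image": r"C:\Users\Public\svc.exe", "original_file_name": "CIPHER.EXE",
     "command_line": r"svc.exe /w:D:\temp"},                              # hit: renamed binary
    {"time": "2024-02-09T11:15:00Z", "host": "WS02",
     "image": r"C:\Windows\System32\cipher.exe", "original_file_name": "CIPHER.EXE",
     "command_line": r"cipher.exe /w:1234"},                              # excluded: digits after /w:
    {"time": "2024-02-09T11:20:00Z", "host": "WS02",
     "image": r"C:\Windows\System32\cipher.exe", "original_file_name": "CIPHER.EXE",
     "command_line": r"cipher.exe /e C:\secret"},                         # no /w: argument
    {"time": "2024-02-09T12:00:00Z", "host": "WS03",
     "image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "command_line": r"notepad.exe /w:C:\x"},                             # not cipher.exe
]

# "/w:" not followed by a numeric character, case-insensitive.
WIPE_FLAG = re.compile(r"/w:(?!\d)", re.IGNORECASE)


def is_cipher(event):
    """True when the process is cipher.exe by image basename or by PE original
    file name; the latter still matches when the binary has been renamed."""
    basename = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    original = (event.get("original_file_name") or "").lower()
    return basename == "cipher.exe" or original == "cipher.exe"


def is_wipe_invocation(event):
    """True when a cipher.exe process carries a /w: argument not followed by a digit."""
    return is_cipher(event) and WIPE_FLAG.search(event["command_line"]) is not None


def detect(events, bucket_minutes=60):
    """Return {(host, bucket_start): [command lines]} for matching events,
    mirroring the rule's aggregation by host and time."""
    hits = defaultdict(list)
    for event in events:
        if not is_wipe_invocation(event):
            continue
        ts = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        floor_minute = (ts.minute // bucket_minutes) * bucket_minutes
        bucket = ts.replace(minute=floor_minute, second=0).strftime("%Y-%m-%dT%H:%MZ")
        hits[(event["host"], bucket)].append(event["command_line"])
    return dict(hits)


if __name__ == "__main__":
    for (host, bucket), cmds in detect(SAMPLE_EVENTS).items():
        print(f"{host} {bucket}: {len(cmds)} cipher.exe /w: execution(s)")
        for cmd in cmds:
            print(f"    {cmd}")
```

Matching on the original file name is what makes the renamed-binary case work; a rule keyed only on the image path would miss it. The digit exclusion is applied verbatim from the rule description, so `/w:1234` is dropped while a drive-letter target such as `/w:D:\temp` is kept.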
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
  • File
ATT&CK Techniques
  • T1485
Created: 2024-02-09