
Summary
This detection rule identifies use of the built-in Windows utility 'cipher.exe', whose '/w:' switch permanently overwrites deleted data on disk. Adversaries can abuse the utility to make deleted files irrecoverable, disrupting data availability and potentially hindering forensic investigation. The rule targets process creation events for 'cipher.exe' and looks for command-line arguments containing the '/w:' switch, which triggers the overwrite operation. By monitoring process creation events associated with 'cipher.exe', the rule highlights potential data destruction activity that threatens information integrity.
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1485
Created: 2021-12-26