Symantec recently shared details regarding an attack that takes advantage of the Encrypting File System (EFS) to prevent forensic analysis. Can you provide details on the Windows EFS? How exactly can enterprises go about identifying such attacks?
EFS is Microsoft's encrypting file system: the Windows feature that encrypts files and folders using keys tied to X.509 certificates. If an EFS-encrypted file is copied off the system or accessed by any account other than the one used to encrypt it, the data is inaccessible. The Backdoor.Tranwos Trojan uses EFS to make it difficult for malware analysts to obtain a copy of the malicious files other than by running the infected system itself.
Enterprises can identify similar attacks, or other malware that leverages EFS, by scanning systems for encrypted files or non-standard EFS usage. Several techniques accomplish this, but each essentially comes down to checking whether every file and folder on the file system carries the encrypted attribute. If an encrypted file or folder is found, the encryption key must be recovered or the files decrypted. The command-line utility cipher can be used for both approaches, but only when you are logged in as the user who was logged in at the time of infection. That makes it much more likely that the decryption key (the private key) is available to export or to decrypt the files.
Alternatively, rogue use of EFS can be detected with the cipher command. Start by looking for users with EFS set up and an EFS-specific encryption key (the private key designated for EFS use). If one was not intentionally set up for the user, it is critical to conduct further investigation.
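The following PowerShell script is an added example, not part of Nick Lewis's answer, that puts the two checks above into practice: it sweeps a volume for items with the Encrypted attribute, asks cipher /c who can decrypt each one, and lists any EFS-capable certificates in the current user's store. The $ScanRoot and $Report paths are placeholders chosen for this example.

```powershell
# Added example (not from the original article): enumerate EFS-encrypted files and
# EFS-capable certificates so an analyst can spot unexpected EFS usage on a host.
# Assumptions: run in an elevated session as the user account under investigation,
# because cipher.exe and the certificate store are per-user; paths below are placeholders.
$ScanRoot = 'C:\'
$Report   = "$env:TEMP\efs-scan-report.csv"

# 1. Walk the file system and keep only items carrying the Encrypted attribute.
#    Access-denied and reparse-point errors are suppressed so the sweep completes.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

$rows = foreach ($item in $encrypted) {
    # cipher /c reports the users (with certificate thumbprints) who can decrypt the
    # item and any recovery agents. Keep the lines naming users and thumbprints.
    $cipherOut  = & cipher.exe /c $item.FullName 2>$null
    $decryptors = ($cipherOut |
        Select-String -Pattern '\[|thumbprint' |
        ForEach-Object { $_.Line.Trim() }) -join '; '

    [pscustomobject]@{
        Path        = $item.FullName
        IsDirectory = $item.PSIsContainer
        Owner       = (Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue).Owner
        LastWrite   = $item.LastWriteTime
        Decryptors  = $decryptors
    }
}

# 2. List certificates in the current user's personal store whose enhanced key usage
#    includes the EFS OID (1.3.6.1.4.1.311.10.3.4). A key here that nobody provisioned
#    deliberately is the unintended EFS setup the answer says warrants investigation.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey

$rows | Export-Csv -Path $Report -NoTypeInformation
Write-Host "Encrypted items found: $($rows.Count)  (report: $Report)"
Write-Host 'EFS-capable certificates in Cert:\CurrentUser\My:'
$efsCerts | Format-Table -AutoSize
```

Review the report for encrypted items under unexpected locations (for example, outside user profile folders) and compare the certificate list against what was deliberately provisioned for that user.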