Symantec recently shared details regarding an attack that takes advantage of the Encrypting File System (EFS) to prevent forensic analysis. Can you provide details on the Windows EFS? How exactly can enterprises go about identifying such attacks?
Ask the Expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
EFS is Microsoft's encrypted file system. This is where Windows is able to encrypt files and folders based on x.509 certificates. If an EFS encrypted file is copied off of a system or accessed by any account other the one used to encrypt the file, the data will be inaccessible. The Backdoor.Tranwos Trojan uses EFS to make it difficult for malware analysts to get a copy of the malicious files other than by running the system infected with the malware.
Enterprises can identify similar attacks or malware that leverage EFS by scanning systems for encrypted files or non-standard EFS usage. There are several different techniques that accomplish this, but it essentially takes checking to see if each file and folder on a file system is encrypted. If an encrypted file or folder is found, the encryption key must be recovered or the files decrypted. The command-line utility cipher can be used for both approaches, but it only works if you are logged in as the user who was logged in at the time of infection. This will make it much more likely that the decryption key (private key) is available to be exported or for decrypting the files.
Alternately, rogue use of EFS can be detected with the cipher command. Start by looking for users with EFS setup and an EFS-specific encryption key (the private key setup to be used for EFS). If one was not intentionally setup for the user, it is critical to conduct further investigation.
This was first published in December 2013