Symantec recently shared details regarding an attack that takes advantage of the Encrypting File System (EFS) to...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
prevent forensic analysis. Can you provide details on the Windows EFS? How exactly can enterprises go about identifying such attacks?
Ask the Expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
EFS is Microsoft's encrypted file system. This is where Windows is able to encrypt files and folders based on x.509 certificates. If an EFS encrypted file is copied off of a system or accessed by any account other the one used to encrypt the file, the data will be inaccessible. The Backdoor.Tranwos Trojan uses EFS to make it difficult for malware analysts to get a copy of the malicious files other than by running the system infected with the malware.
Enterprises can identify similar attacks or malware that leverage EFS by scanning systems for encrypted files or non-standard EFS usage. There are several different techniques that accomplish this, but it essentially takes checking to see if each file and folder on a file system is encrypted. If an encrypted file or folder is found, the encryption key must be recovered or the files decrypted. The command-line utility cipher can be used for both approaches, but it only works if you are logged in as the user who was logged in at the time of infection. This will make it much more likely that the decryption key (private key) is available to be exported or for decrypting the files.
Alternately, rogue use of EFS can be detected with the cipher command. Start by looking for users with EFS setup and an EFS-specific encryption key (the private key setup to be used for EFS). If one was not intentionally setup for the user, it is critical to conduct further investigation.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.