Symantec recently shared details regarding an attack that takes advantage of the Encrypting File System (EFS) to prevent forensic analysis. Can you provide details on the Windows EFS? How exactly can enterprises go about identifying such attacks?
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
EFS is Microsoft's Encrypting File System, the Windows feature that encrypts files and folders using keys bound to X.509 certificates. If an EFS-encrypted file is copied off a system or accessed by any account other than the one used to encrypt it, the data is inaccessible. The Backdoor.Tranwos Trojan uses EFS to make it difficult for malware analysts to obtain a copy of the malicious files other than by running the system infected with the malware.
Enterprises can identify similar attacks or malware that leverage EFS by scanning systems for encrypted files or non-standard EFS usage. There are several techniques that accomplish this, but essentially it means checking whether each file and folder on a file system is encrypted. If an encrypted file or folder is found, the encryption key must be recovered or the files decrypted. The command-line utility cipher can be used for both approaches, but it only works if you are logged in as the user who was logged in at the time of infection, since that makes it much more likely that the decryption key (the user's EFS private key) is available to be exported or used to decrypt the files.
Alternatively, rogue use of EFS can be detected with the cipher command. Start by looking for users with EFS set up and an EFS-specific encryption key (the private key set up for use with EFS). If one was not intentionally set up for the user, it is critical to conduct further investigation.
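The two checks described above, inventorying EFS-encrypted files and looking for accounts that hold an EFS-capable certificate, as an added PowerShell example that is not part of the original answer. It assumes a Windows host with PowerShell 3 or later; the start path and report location are placeholders to adjust per system, and the EKU OID is Microsoft's standard "Encrypting File System" identifier.

```powershell
# Added example (not from the original article): inventory EFS-encrypted files under a path,
# record them with their owner, then list personal-store certificates that carry the EFS EKU.
# Run as the account under investigation so the certificate store check is meaningful.
param(
    [string]$Root   = 'C:\Users',                      # assumed starting point; adjust per system
    [string]$Report = "$env:TEMP\efs-inventory.csv"     # assumed output location
)

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Microsoft "Encrypting File System" enhanced key usage

function Find-EfsEncryptedFile {
    param([string]$Path)
    # The Encrypted attribute is set by NTFS on every EFS-protected file, so a recursive
    # attribute check is a cheap first pass before reaching for cipher.exe.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                FullName = $_.FullName
                Owner    = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                Modified = $_.LastWriteTime
            }
        }
}

function Get-EfsCapableCert {
    # Certificates in the current user's personal store whose EKU allows EFS use. A certificate
    # with a private key on an account that was never meant to use EFS deserves a closer look.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

$files = @(Find-EfsEncryptedFile -Path $Root)
$files | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Host "Found $($files.Count) EFS-encrypted file(s) under $Root; report written to $Report"

Get-EfsCapableCert | Format-Table -AutoSize

# For any file of interest, `cipher /c <path>` prints which user certificates and recovery
# agents can decrypt it, which ties a suspicious file back to the account that encrypted it.
```

Owners and certificate subjects that do not line up with the users expected to use EFS on that machine are the signal to escalate; the CSV gives the responder a list to feed into cipher for decryption or key export.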