Hello, welcome to the Wednesday, January 22nd, 2020 edition of the Sands and the Storms on us Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Today we got a nice write-up by Russ about Deep Blue CLY.

Deep Blue CLY is a power shell script that allows you to quickly and efficiently search and

summarize Windows event logs.

It actually comes from the Sands Blue team and Eric Conrad is sort of leading this effort.

It's a pretty interesting script and Russ is sort of running through a couple scenarios here.

What you can find with the script, like just for example interesting events like starting and stopping of the event log service itself or finding evidence of the use of a interpreter and such.

So it has a number of things that's looking for new users being added to the system.

It's another one that I actually like because that's something attackers tend to do if they

have sufficient access to the system. So if you want to check it out,

it's a free tool and Russ is also linking to the respective GitHub repository.

Security company SafeBridge has a blog post that shows how the Windows encrypted file system or EFS could potentially be used by a ransomware against the user.

I'm not trying to have been sure how significant of an issue this is.

I think in general the problem with ransomware is that it does turn the security feature of encryption against the user itself.

Now, of course, with encrypted file system, the problem is that it itself is often sort of a white listed from various anti-mail-ver that does try to detect if any software all of a sudden starts to

encrypt files.

If you're using the encrypted file system to do that, then your anti-malware is probably

not going to alert you.

Now, another interesting quirk to this is that the files will remain usable to the regular user until the attacker

decides to flush the EFS data from memory, and apparently there is a specific undocumented

...