    uberAgent ESA – Security Observability Playing with the Red Team

    Ricardo José Garrido Reichelt

    A customer contacted us some time ago, expressing interest in detecting an advanced attack chain that infiltrates virtualized machines (VDIs). Back then, we used Citrix Analytics for Security (CAS) and Session Recording (SR) for this purpose, as the combined power of both solutions provided us with an interesting number of elements that we could verify, which helped us with this specific customer request.

    Before we begin, here is some background information on the security scenario for which the customer requested our assistance. The best description is provided in another blog post by the Spanish security company Tarlogic. Their post, titled "Pentest in restricted VDI environments," explains how to infiltrate a secured VDI machine in detail.

    In general terms, to summarize the attack in its different phases, an attacker performs the following steps:

    • Phase I
      • The attacker prepares a custom cmd.dll file tailored to their specific needs for the attack.
    • Phase II
      • The attacker encodes the prepared *.DLL file using Base64 encoding to enable infiltration. It is assumed that copying and pasting text from external sources into the VDI environment is permitted.
    • Phase III
      • The attacker transfers the Base64-encoded *.DLL file to the VDI by pasting the Base64 string into a text editor, such as Notepad, and then saving it as a file. Finally, the file is decoded using "Certutil", a native Windows operating system utility.
    • Phase IV
      • Next, the attacker uses an Excel macro to side-load the decoded malicious DLL file.
    • Phase V
      • The attacker proceeds with data exfiltration, extracting sensitive information from the compromised VDI environment.

    As indicated, we used the combined power of Citrix Analytics for Security (CAS) and Session Recording (SR), because SR feeds CAS with additional risk indicators that Citrix Analytics can use to improve observability or even raise a user's risk score. The calculated risk score can then be consumed by SPA (Secure Private Access, the Citrix ZTNA solution) to grant dynamic access to company resources.

    In this case, the goal was to provide as much visibility as possible into the infiltration described above. At that time, we used some custom risk indicators to detect the infiltration, looking for the usage of "certutil", clipboard usage, and other elements. Note that once an element shows up as Citrix.EventMonitor.* in CAS, it is Session Recording that provides it to Analytics for Security.



    After acquiring Vast Limits, the company behind uberAgent, we wanted to continue the challenge and see how uberAgent could help us in the given scenario. We also wanted to extend the observability of this scenario to the physical environment, as uberAgent supports both Windows and macOS in virtual and physical environments (including single-user and multi-user modes). The first important thing to note is that uberAgent is a single agent consisting of two components:

    Of course, for this specific task, we will focus on uberAgent ESA, which is the security component of uberAgent.

    Terms and definitions

    To understand the broader context, it is important to understand the following terms better and how they fit within the uberAgent context.

    • MITRE ATT&CK
      • A globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
      • uberAgent's threat detection rules can be linked to MITRE ATT&CK technique IDs, and this MITRE ATT&CK mapping is also integrated into the uberAgent ESA Splunk app.
    • SIGMA Rules
      • SIGMA is an active security project hosted and maintained on GitHub. Security researchers worldwide constantly update it.
      • The repository offers over 3000 detection rules of different types and aims to make reliable detections accessible to all at no cost.
      • The uberAgent team has developed a SIGMA converter that allows SIGMA rules to be used with uberAgent.
      • An automated process converts the latest SIGMA rules daily and publishes them in the uberAgent-config repository.
    • LOLBAS
      • LOLBAS is another open-source project that catalogs native operating system (Windows) binaries and documents how they can be abused for malicious purposes. It also provides a rich collection of links, e.g., to the MITRE ATT&CK knowledge base and to specific SIGMA rules.

    Now that we've clarified some general terminology, let's return to the attack scenario. Our primary interest is in observing any possible malicious activity on the end user machine, whether it is a physical device or a VDI. Therefore, we will focus on Phase III and Phase IV:

    • Decoding of the Base64-encoded file that has been infiltrated into the machine.
    • Sideloading of the infiltrated malicious DLL file, which can be done through an installed application such as Microsoft Excel.

    When we look into the LOLBAS project, and specifically into Certutil, the native operating system tool that was used for the decoding, we see the following on the LOLBAS web page:


    Scrolling down and clicking on Certutil.exe takes us to the specific page in the LOLBAS project for Certutil. Here, we can see that there are specific SIGMA rules to detect the different actions that can be used for malicious purposes (encoding, decoding, downloading).

    Of course, we are particularly interested in the "Sigma: proc_creation_win_certutil_decode.yml" rule. Selecting the rule takes us to the SIGMA project and, more specifically, to the actual rule definition for detecting the decoding of Base64-encoded content by abusing Certutil.


    As the screenshot shows, the rule definition contains several pieces of information, such as title, ID, status, and the actual detection logic. To check if the rule is compatible with uberAgent, let's remember the SIGMA rule id for later: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7

    Use uberAgent’s default ruleset and SIGMA rules to detect the attack chain

    This brings us to uberAgent. uberAgent's threat detection engine uses a rules-based approach, with rules defined in configuration files. To verify that a particular rule is included for detection, we can search uberAgent's configuration files for the given SIGMA rule id using a tool like Notepad++ or Visual Studio Code.

    The uberAgent configuration repository is located on GitHub: uberAgent configuration.

    Looking at the configuration files, we can see that uberAgent includes detection for the above-mentioned SIGMA rule, as shown in the following screenshot:


    Additionally, another SIGMA rule detects the loading of the VBA Runtime from an Office application, which indicates that a VBA macro is being executed. Here are some sample screenshots of the related rule:



    Attack simulation

    After some research and development, we were able to simulate the attack. The next screenshot shows the files used to simulate the attack.


    Steps we took for the attack simulation:

    1. First, we Base64-encoded the payload (CertUtilPayloadProof.dll).
    2. Next, we copied the Base64 string, pasted it into Notepad.exe, and saved the content.
    3. Then, we started Excel and used a small VBA macro (Base64DecodeMacro.vba) to run Certutil, decoding the Base64-encoded file back to its original bytes.
    4. Finally, we loaded the decoded file into the machine's memory using another small VBA macro (LoadDllMacro.vba) executed from Excel.

    The DLL we loaded is simple and designed to display only a small pop-up window. The purpose is to visually confirm that an application such as Excel successfully loaded the DLL file, without requiring any additional tools or utilities. The following screenshot shows sample code of the DLL used for testing.


    As you can see in the next screenshot, we successfully loaded the DLL using Excel with only about 10 lines of VBA code.



    Detection Results

    Time to see what uberAgent has detected! The good news: all actions were detected, and even more:

    • Modifying the registry to enable macros for Excel (not planned).
    • The creation of a child process (cmd.exe to run Certutil) by Excel.
    • Running Certutil to decode a Base64-encoded file.
    • Loading the VBA Runtime from Excel.
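    To make the four detections above concrete, here is an added example (my code, not uberAgent's engine and not the rules' actual definitions) that runs simplified reconstructions of these checks over a handful of constructed endpoint events. The event layout (Sysmon-style field names such as Image, CommandLine, ParentImage, ImageLoaded, TargetObject, Details) is my assumption, the matching conditions use only the well-known indicators of each technique, and the rule ids attached to each finding are the ones this post lists next to the corresponding detection. The ATT&CK technique tags are my own mapping.

```python
"""Toy detection pass over constructed endpoint telemetry.

Assumptions (not uberAgent's real engine, not the real rule definitions):
- events are dicts with Sysmon-style field names (my choice of schema)
- the four checks below are simplified reconstructions of the detections
  the post lists; the real SIGMA/uberAgent rules cover more variants
- rule ids come from the post; ATT&CK technique tags are my mapping
"""
from dataclasses import dataclass
from typing import Optional

OFFICE_IMAGES = ("\\excel.exe", "\\winword.exe", "\\powerpnt.exe", "\\outlook.exe")
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe")
VBA_RUNTIME_DLLS = ("\\vbe7.dll", "\\vbe7intl.dll", "\\vbeui.dll")  # VBA runtime modules


@dataclass(frozen=True)
class Finding:
    rule_ids: tuple          # rule ids as listed in the post
    title: str
    technique: str           # MITRE ATT&CK technique id (my mapping)


def _ends_with_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s) for s in suffixes)


def detect_macro_security_downgrade(ev: dict) -> Optional[Finding]:
    """Registry write that sets Office VBAWarnings to 1 ('enable all macros')."""
    if ev.get("EventType") != "RegistrySet":
        return None
    target = ev.get("TargetObject", "").lower()
    if "\\office\\" in target and target.endswith("\\security\\vbawarnings") and ev.get("Details") == 1:
        return Finding(("786b309b-b322-4ffa-aa03-12381d30ca4e", "91239011-fe3c-4b54-9f24-15c86bb65913"),
                       "Office macro security downgraded via registry", "T1112")
    return None


def detect_office_child_shell(ev: dict) -> Optional[Finding]:
    """An Office application spawning a command interpreter or script host."""
    if ev.get("EventType") != "ProcessStart":
        return None
    if _ends_with_any(ev.get("ParentImage", ""), OFFICE_IMAGES) and _ends_with_any(ev.get("Image", ""), SHELL_IMAGES):
        return Finding(("67c7f3a2-daa6-4606-9954-9d1ca1531747",), "MS Office spawned a shell child process", "T1204.002")
    return None


def detect_certutil_decode(ev: dict) -> Optional[Finding]:
    """certutil.exe started with a -decode/-decodehex style switch (image must be certutil itself)."""
    if ev.get("EventType") != "ProcessStart" or not _ends_with_any(ev.get("Image", ""), ("\\certutil.exe",)):
        return None
    cl = ev.get("CommandLine", "").lower()
    if any(flag in cl for flag in ("-decode", "/decode")):
        return Finding(("cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7",), "Certutil used to decode a file", "T1140")
    return None


def detect_vba_runtime_load(ev: dict) -> Optional[Finding]:
    """An Office process loading the VBA runtime, i.e. a macro is about to run."""
    if ev.get("EventType") != "ImageLoad":
        return None
    if _ends_with_any(ev.get("Image", ""), OFFICE_IMAGES) and _ends_with_any(ev.get("ImageLoaded", ""), VBA_RUNTIME_DLLS):
        return Finding(("6ce8457-68b1-485b-9bdd-3c2b5d679aa9",), "VBA runtime loaded by an Office application", "T1204.002")
    return None


DETECTORS = (detect_macro_security_downgrade, detect_office_child_shell, detect_certutil_decode, detect_vba_runtime_load)


def run_detections(events) -> list:
    """Return (event_index, Finding) pairs for every event that trips a detector."""
    hits = []
    for idx, ev in enumerate(events):
        for detector in DETECTORS:
            finding = detector(ev)
            if finding is not None:
                hits.append((idx, finding))
    return hits


EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
# Constructed sample telemetry mirroring the simulation described in the post (paths/values are made up).
SAMPLE_EVENTS = [
    {"EventType": "RegistrySet", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings", "Details": 1},
    {"EventType": "ProcessStart", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": EXCEL,
     "CommandLine": "cmd.exe /c certutil -decode C:\\Users\\u\\Documents\\payload.txt C:\\Users\\u\\Documents\\payload.dll"},
    {"EventType": "ProcessStart", "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -decode C:\\Users\\u\\Documents\\payload.txt C:\\Users\\u\\Documents\\payload.dll"},
    {"EventType": "ImageLoad", "Image": EXCEL,
     "ImageLoaded": "C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL"},
    # Benign controls: a hash check with certutil, and Excel loading one of its own libraries.
    {"EventType": "ProcessStart", "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -hashfile C:\\Users\\u\\Downloads\\setup.msi SHA256"},
    {"EventType": "ImageLoad", "Image": EXCEL, "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll"},
]

if __name__ == "__main__":
    for idx, finding in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {finding.title} [{finding.technique}] rules={finding.rule_ids}")
```

    Note that the cmd.exe event (index 1) carries "-decode" in its command line but does not trip the Certutil check, because that rule keys on the certutil image itself; it is the Office-child-process check that flags it, which is exactly the layered picture the post's screenshots show.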

    To give you an idea of what uberAgent detected during testing, we have prepared some screenshots:

    Detection of enabling Macro Execution

    Since we needed a way to execute code for the attack and wanted to do this via Excel, we first had to enable macro execution in Excel, which was disabled on our test system. This step was more of a preparation, as the scenario assumes that an attacker has gained access to a machine, such as one in accounting or controlling, where the likelihood of Excel macros being enabled is much higher. Although this was not planned, the changes made to the registry were detected immediately, as illustrated in the next screenshots:




    The second screenshot shows a detection event generated by uberAgent's Threat Detection Engine (TDE). It contains several attributes, such as time, host, event type, process, and parent process name, and is also tagged with MITRE ATT&CK information.

    Rules used for detection

    • 786b309b-b322-4ffa-aa03-12381d30ca4e
      • Author: vast limits GmbH
    • 91239011-fe3c-4b54-9f24-15c86bb65913
      • Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)

    Detection of the LOLBAS Rule for Certutil.exe.

    The next two screenshots show the detection of the Base64-encoded DLL file being decoded with Certutil.


    The details:


    Rules used for detection

    • cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
      • Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
    • b95c2154-3299-4653-9b6e-d421a158e6ba
      • Author: vast limits GmbH

    MS Office child process detection.
    uberAgent also detected that Excel started a cmd child process that we used to launch Certutil:


    The details:


    Rules used for detection

    • 67c7f3a2-daa6-4606-9954-9d1ca1531747
      • Author: vast limits GmbH

    VBA Runtime loaded through Office Application detection.

    Finally, it was detected that Excel had loaded the VBA Runtime.


    Here are the details of this detection.


    Rules used for detection

    • 6ce8457-68b1-485b-9bdd-3c2b5d679aa9
      • Author: Antonlovesdnb

    So we achieved our goal:

    • To show how we can improve security visibility across physical and virtual endpoints with uberAgent.


    In this blog post, we explored how uberAgent ESA (Endpoint Security Analytics) can significantly enhance security visibility across physical and virtual endpoints. By leveraging the power of MITRE ATT&CK, SIGMA rules, and LOLBAS, uberAgent provides a comprehensive solution for detecting advanced attack chains, such as those used to infiltrate virtualized machines (VDIs).

