Aurora EDR for Cybersecurity & Incident Response | TryHackMe Aurora EDR

May 16, 2024

In this post, we covered Aurora, an Endpoint Detection and Response (EDR) agent used to detect and respond to cyber security incidents. Aurora runs on Windows and detects events based on Sigma rules, writing the resulting alerts to the Windows Event Viewer for further analysis. Aurora also supports response actions such as suspending, killing or dumping the offending process. This video was part of the TryHackMe Aurora EDR room.

Highlights

Aurora is a Windows endpoint agent that uses Sigma rules and IOCs to detect threat patterns on local event streams using ETW. When a true-positive rule matches, Aurora triggers “response actions” that will be displayed under the Windows Event Log Viewer.
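As an added illustration of the Sigma-based matching described above (not Aurora's own code; the rule, field names and events are constructed for the example), a small Python evaluator applies one Sigma-style rule to process-creation events and returns the process IDs a response action would target:

```python
# Added example (not Aurora's code): toy evaluator for one Sigma-style rule over
# constructed process events. Aurora's real engine and ETW collection are not reproduced.
import fnmatch

# Constructed rule in the public Sigma shape: "field|modifier" keys inside a
# selection, plus a condition that references that selection.
RULE = {
    "title": "Suspicious Encoded PowerShell",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "-enc",
        },
        "condition": "selection",
    },
}

def field_matches(value, modifier, wanted):
    """Case-insensitive Sigma string matching for one field."""
    v, w = str(value).lower(), str(wanted).lower()
    if modifier == "endswith": return v.endswith(w)
    if modifier == "contains": return w in v
    if modifier == "startswith": return v.startswith(w)
    return fnmatch.fnmatchcase(v, w)  # unmodified field: Sigma wildcards * and ?

def selection_matches(selection, event):
    """Every field of a selection map must match (Sigma AND semantics)."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier, wanted):
            return False
    return True

def evaluate(rule, event):
    """Return the rule title when the event matches, else None (toy: condition must be 'selection')."""
    det = rule["detection"]
    assert det["condition"] == "selection", "toy evaluator supports 'condition: selection' only"
    return rule["title"] if selection_matches(det["selection"], event) else None

# Constructed Sysmon-like process-creation events (the kind Aurora recreates from ETW).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA", "ProcessId": 4120},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt", "ProcessId": 5004},
]

def triggered(rule=RULE, events=EVENTS):
    """Process IDs whose events match: the targets a suspend/kill/dump response action would act on."""
    return [e["ProcessId"] for e in events if evaluate(rule, e)]
```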

Aurora obtains data from different ETW channels and adds live information (in the commercial version) to enrich and recreate events similar to those generated by Sysmon. It does not create tons of logs; it only populates the viewer with events of triggered rules. Below, we can look at a comparison between Aurora and Sysmon.

Type of Configurations

Aurora can be configured to use four different configuration formats that dictate how the solution fetches events and raises alerts. The four preset formats are:

  • Standard: This configuration covers events at a medium level of severity.

  • Reduced: This configuration looks at events considered to be at a high minimum reporting level.

  • Minimal: This configuration looks at events considered to be at a high minimum reporting level.

  • Intense: This configuration looks at events considered to be at a low minimum reporting level.

Running Aurora

Aurora can be started directly via the command line, with the option of selecting the preferred configuration.

Aurora Launch with Minimal Config

C:\Program Files\Aurora-Agent>aurora-agent.exe -c agent-config-minimal.yml

For continuous running, the agent can also run as a service through the --install flag.

Aurora Launch as a Service

C:\Program Files\Aurora-Agent>aurora-agent.exe --install -c agent-config-minimal.yml

Other useful command-line options are:

  • --status: Queries status information from the currently running service.

  • --trace: Shows all the events Aurora monitors from the subscribed channels. It also provides complete event statistics.

  • --json: Outputs information in JSON format, giving a more comprehensive view of the alerts that is easy to search.

Room Answers

Room answers can be found here.

Video Walkthrough

https://www.youtube.com/watch?v=YCferChiOCI
