In this post, we cover Aurora, an endpoint detection and response (EDR) agent used to detect and respond to cyber security incidents. Aurora runs on top of Windows, detects events based on Sigma rules, and writes the matches to the Windows Event Viewer for further analysis. Aurora also supports response actions such as suspending, killing or dumping the matched process. This video was part of the TryHackMe Aurora EDR room.


Highlights

Aurora is a Windows endpoint agent that uses Sigma rules and IOCs to detect threat patterns in local event streams collected through ETW. When a rule matches, Aurora triggers the configured "response actions" and records the match as an event that can be reviewed in the Windows Event Viewer.

Aurora obtains data from different ETW channels and (in the commercial version) adds live information to enrich and recreate events similar to those generated by Sysmon. It does not produce large volumes of logs; it only writes events for rules that were actually triggered. The room includes a comparison between Aurora and Sysmon.
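To make the matching step concrete, here is an added example (not Aurora's code and not part of the room) of a minimal Sigma-style selection matcher in PowerShell, evaluated against one constructed process-creation record. The rule title and level are the ones named in the room; the field names, modifiers, sample record and response action are constructed for illustration.

```powershell
# Added example, not Aurora's own code: a minimal Sigma-style matcher that
# evaluates one rule's "selection" against one process-creation record, the
# way an agent like Aurora does for each event it pulls from ETW.
# The rule title and level are the ones named in the room; the field names,
# modifiers, sample record and the response action are constructed.

function Test-SigmaSelection {
    param([hashtable]$Selection, [psobject]$Record)

    # Sigma semantics: every field listed in the selection must match (AND);
    # within one field, any of the listed values is enough (OR). Matching is
    # case-insensitive, which is what -like and -eq do by default.
    foreach ($key in $Selection.Keys) {
        $field, $modifier = $key -split '\|', 2
        $actual = [string]$Record.$field
        $fieldHit = $false
        foreach ($value in @($Selection[$key])) {
            $fieldHit = switch ($modifier) {
                'contains'   { $actual -like "*$value*" }
                'startswith' { $actual -like "$value*" }
                'endswith'   { $actual -like "*$value" }
                default      { $actual -eq $value }     # no modifier: exact match
            }
            if ($fieldHit) { break }
        }
        if (-not $fieldHit) { return $false }
    }
    return $true
}

# Rule shaped like the detection block of a Sigma YAML file (constructed)
$rule = @{
    title     = 'WMI Process Reconnaissance'
    level     = 'medium'
    detection = @{
        'Image|endswith'       = @('\wmic.exe')
        'CommandLine|contains' = @('process get', 'process list')
    }
    action    = 'suspend'   # constructed: the response Aurora would apply
}

# Constructed process-creation record, shaped like a Sysmon event ID 1
$record = [pscustomobject]@{
    Image       = 'C:\Windows\System32\wbem\WMIC.exe'
    CommandLine = 'wmic process get name,processid'
    ProcessId   = 4242
}

if (Test-SigmaSelection -Selection $rule.detection -Record $record) {
    # Aurora would write an event to the Windows Event Log here and run the
    # configured response action; this example only reports the decision.
    [pscustomobject]@{
        RuleTitle = $rule.title
        Level     = $rule.level
        ProcessId = $record.ProcessId
        Action    = $rule.action
    }
}
```

Note that -like treats `*`, `?` and `[` as wildcards, so a rule value containing those characters would need escaping; real Sigma backends handle this, the toy matcher above does not.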
Types of Configuration
Aurora ships with four preset configurations that dictate how the agent fetches events and raises alerts. The four presets are:

  • Standard: This configuration covers events at a medium level of severity.
  • Reduced: This configuration looks at events considered to be at a high minimum reporting level.
  • Minimal: This configuration looks at events considered to be at a high minimum reporting level.
  • Intense: This configuration looks at events considered to be at a low minimum reporting level.
Running Aurora
Aurora can be started directly from the command line, with the option of selecting the preferred configuration.
Aurora Launch with Minimal Config

C:\Program Files\Aurora-Agent>aurora-agent.exe -c agent-config-minimal.yml

For continuous operation, the agent can also be installed as a Windows service with the --install flag.
Aurora Launch as a Service

C:\Program Files\Aurora-Agent>aurora-agent.exe --install -c agent-config-minimal.yml

Other useful flags:
  • --status: Queries status information from the currently running service.
  • --trace: Shows all the events Aurora monitors from the subscribed channels, together with complete event statistics.
  • --json: Outputs information in JSON format, which gives a more comprehensive and easily searchable view of the alerts.
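The launch steps above, wrapped in PowerShell and followed by the read-back a defender actually needs: pulling Aurora's events out of the Windows Event Log. This is an added example, not code from the room or the Aurora project. It assumes the install directory shown in the room's cmd.exe prompt, and it assumes Aurora writes to the Application log under the provider name 'AuroraAgent'; check the Source column in Event Viewer and adjust those two values if your host differs.

```powershell
# Added example, not from the room or the Aurora project: wraps the launch
# commands shown above and then reads Aurora's events back from the Windows
# Event Log, which is where the room has you look for rule matches.
# Run from an elevated PowerShell prompt. ASSUMPTIONS: Aurora lives in the
# directory shown in the room's cmd.exe prompt, and it writes to the
# Application log under the provider name 'AuroraAgent' (check the Source
# column in Event Viewer and adjust if your install differs).

$agentDir = 'C:\Program Files\Aurora-Agent'
$agent    = Join-Path $agentDir 'aurora-agent.exe'

function Install-AuroraService {
    # The room shows the minimal preset; the other presets ship as
    # similarly named YAML files in the same directory (assumption).
    param([string]$Config = 'agent-config-minimal.yml')
    $configPath = Join-Path $agentDir $Config
    if (-not (Test-Path $configPath)) { throw "config not found: $configPath" }
    # '&' is needed because the path contains a space; flags are the ones
    # shown on the page
    & $agent --install -c $configPath
    & $agent --status
}

function Get-AuroraEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'   # assumption, see header comment
        ProviderName = 'AuroraAgent'   # assumption, see header comment
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Event ID 103 is the "agent terminated" event from the room: treat it as a
# tamper/availability signal, the same way you would a stopped Sysmon service
function Get-AuroraTerminationEvents {
    param([int]$Hours = 24)
    Get-AuroraEvents -Hours $Hours | Where-Object Id -eq 103
}

Install-AuroraService -Config 'agent-config-minimal.yml'
Get-AuroraEvents -Hours 1 | Format-Table -AutoSize
Get-AuroraTerminationEvents -Hours 24
```

Get-AuroraEvents keeps only the first line of each message so a day of alerts fits on one screen; drop the Select-Object to see the full rule match details, including the Sigma rule ID and level the room asks for.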

Room Answers | TryHackMe Aurora EDR

What does EDR stand for?

Endpoint Detection and Response

Which applications produce event logs?

providers

Applications that subscribe to event logs are called?

consumers

Which event level would be used to describe a significant problem with a service?

error

What is the Windows Eventlog category responsible for recording events associated with programs currently running called? 

system

Which Aurora preset supports the highest CPU limit?

intense

Which process would be terminated when the response flag ancestors:3 is used?

Great grandparent

When the Aurora agent is terminated, which event id will be used?

103

What is the title of the first event rule?

WMI Process Reconnaissance

What is the Rule ID of the matched Sigma rule?

221b251a-357a-49a9-920a-271802777cc0

What is the Sigma rule level of the event?

medium

What is the Rule Title of the second Event?

Suspicious Creation TXT File in User Desktop

Based on the Rule’s characteristics, what malicious activity is associated with the event?

Ransomware

Video Walkthrough | TryHackMe Aurora EDR

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
