In this post, we covered Aurora, an endpoint detection and response (EDR) agent used to detect and respond to cyber security incidents. Aurora runs on Windows, detects events by matching them against Sigma rules, and writes the resulting alerts to the Windows Event Viewer for further analysis. Aurora also supports response actions such as suspending, killing or dumping the offending process. This video was part of the TryHackMe Aurora EDR room.
Highlights
Aurora is a Windows endpoint agent that uses Sigma rules and IOCs to detect threat patterns on local event streams using ETW. When a true-positive rule matches, Aurora triggers “response actions” that will be displayed under the Windows Event Log Viewer.
Aurora obtains data from different ETW channels and adds live information (for the commercial version) to enrich and recreate events similar to those generated by Sysmon. It does not create tons of logs; it only populates the viewer with events of triggered rules. Below, we can look at a comparison between Aurora and Sysmon.
Type of Configurations
Aurora ships with four preset configurations that dictate which events the agent fetches and the minimum level at which it raises alerts. The four presets are:
- Standard: This configuration covers events at a medium level of severity.
- Reduced: This configuration looks at events considered to be at a high minimum reporting level.
- Minimal: This configuration looks at events considered to be at a high minimum reporting level.
- Intense: This configuration looks at events considered to be at a low minimum reporting level.
Running Aurora
Aurora can be started directly via the command line, with the option of selecting the preferred configuration.
Aurora Launch with Minimal Config
C:\Program Files\Aurora-Agent>aurora-agent.exe -c agent-config-minimal.yml
For continuous running, the agent can also be installed as a service through the --install flag.
Aurora Launch as a Service
C:\Program Files\Aurora-Agent>aurora-agent.exe --install -c agent-config-minimal.yml
Other useful flags:
- --status: Queries status information from the currently running service.
- --trace: Queries all the events Aurora monitors from the subscribed channels. It also provides complete event statistics.
- --json: Outputs information in JSON format for a more comprehensive view of the alerts that is easy to search.
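To make the detection-and-response flow described above concrete, the following Python script is an added example (not Aurora's code and not part of the original post). It applies a Sigma-style selection with `|endswith` and `|contains` field modifiers to constructed process-creation events, in the way a rule such as "WMI Process Reconnaissance" would match a wmic.exe process enumeration, and then resolves a response flag of the form ancestors:N (parent, grandparent, great-grandparent) against a constructed process tree. The rule, the events and the process tree are all constructed for the demonstration; the real Sigma rule matched in the room is not reproduced here.

```python
"""Toy illustration of Sigma-style rule matching over process events and of
resolving an ``ancestors:N`` response target in a process tree.
Added example, not Aurora's implementation; rule, events and tree are constructed."""
import fnmatch

# Constructed Sigma-like rule. Field names follow the Sigma process_creation
# logsource convention; the title is illustrative, not the room's real rule.
WMI_RECON_RULE = {
    "title": "WMI Process Reconnaissance (illustrative)",
    "level": "medium",
    "detection": {
        "selection": {
            "Image|endswith": "\\wmic.exe",
            "CommandLine|contains": "process",
        },
        "condition": "selection",
    },
}

def field_matches(event, key, expected):
    """Apply a Sigma field modifier (endswith/contains/startswith or none)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    # Unmodified field: Sigma allows * and ? wildcards in the expected value.
    return fnmatch.fnmatch(value, expected)

def selection_matches(event, selection):
    """All fields inside one selection map are ANDed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event, rule):
    """Supports the simplest Sigma condition: a single named selection."""
    det = rule["detection"]
    return selection_matches(event, det[det["condition"]])

def alerts_for(events, rule):
    """Return the ProcessIds of events that trigger the rule."""
    return [e["ProcessId"] for e in events if rule_matches(e, rule)]

# Constructed process-creation events with ETW/Sysmon-like field names.
EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 3900,
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic process list brief"},
    {"ProcessId": 4101, "ParentProcessId": 3900,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ProcessId": 4102, "ParentProcessId": 3900,
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]

# Constructed process tree: pid -> parent pid.
PROCESS_TREE = {4100: 3900, 3900: 2200, 2200: 1500, 1500: 4}

def resolve_ancestor(pid, tree, depth):
    """ancestors:1 -> parent, ancestors:2 -> grandparent, ancestors:3 -> great-grandparent.
    Returns None when the tree is shorter than the requested depth."""
    current = pid
    for _ in range(depth):
        current = tree.get(current)
        if current is None:
            return None
    return current

def response_target(pid, tree, flag):
    """Parse an 'ancestors:N' response flag and return the pid it points at."""
    name, _, n = flag.partition(":")
    if name != "ancestors":
        raise ValueError(f"unsupported response flag: {flag}")
    return resolve_ancestor(pid, tree, int(n))

if __name__ == "__main__":
    hits = alerts_for(EVENTS, WMI_RECON_RULE)
    print("rule matched pids:", hits)
    print("ancestors:3 target:", response_target(hits[0], PROCESS_TREE, "ancestors:3"))
```

Only the first wmic.exe event matches, because the second lacks the "process" substring in its command line; the ancestors:3 target for the matching process is its great-grandparent, which is the process the room's response flag question refers to.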
Room Answers | TryHackMe Aurora EDR
What does EDR stand for?
Endpoint Detection and Response
Which applications produce event logs?
providers
Applications that subscribe to event logs are called?
consumers
Which event level would be used to describe a significant problem with a service?
error
What is the Windows Eventlog category responsible for recording events associated with programs currently running called?
system
Which Aurora preset supports the highest CPU limit?
intense
Which process would be terminated when the response flag ancestors:3 is used?
Great grandparent
When the Aurora agent is terminated, which event id will be used?
103
What is the title of the first event rule?
WMI Process Reconnaissance
What is the Rule ID of the matched Sigma rule?
221b251a-357a-49a9-920a-271802777cc0
What is the Sigma rule level of the event?
medium
What is the Rule Title of the second Event?
Suspicious Creation TXT File in User Desktop
Based on the Rule’s characteristics, what malicious activity is associated with the event?
Ransomware
Video Walkthrough | TryHackMe Aurora EDR