Aurora Agent Overview EN 2022 Mar

Aurora Agent is a lightweight, Sigma-based endpoint detection and response (EDR) tool that applies Sigma rules to log data in real-time using Event Tracing for Windows (ETW). It offers various response actions, configuration presets, and customization options, making it a versatile choice for threat detection and response. Unlike Sysmon, Aurora has a lower log volume and provides additional features such as custom service names and statistics reporting.


Aurora Agent

Your custom Sigma-based EDR

What is Aurora?

A lightweight agent that applies Sigma rules on endpoints

Aurora Agent
§ Lightweight agent that applies Sigma rules on log data in real-time on endpoints
§ Uses ETW (Event Tracing for Windows)
§ Managed locally via config files or via ASGARD Management Center
§ Extends the Sigma standard with ‘response’ actions
  § Kill, KillParent, Suspend, Dump
  § Custom actions
§ Consider it your custom Sigma-based EDR
§ Aurora Agent Lite
  § free, lacks comfort features and modules (e.g. Cobalt Strike beaconing detection)

(Diagram: Sigma rules, IOCs and the config feed the agent; ETW is its input; outputs are the Eventlog, a log file, a remote system, and responses applied to processes)
Comparison Sysmon / Aurora

                                                  Sysmon                  Aurora
Event Source                                      Sysmon Kernel Driver    ETW (Event Tracing for Windows)
Sigma Rule Event Coverage                         100%                    95%
Relative Log Volume                               High                    Low
Sigma and IOC Matching                            No                      Yes
Response Actions                                  No                      Yes
Resource Control (CPU Load, Output Throttling)    No                      Yes
Output: Eventlog                                  Yes                     Yes
Output: File                                      No                      Yes
Output: TCP / UDP target                          No                      Yes
Risk: Blue Screen                                 Yes                     No
Risk: High System Load                            Yes                     No
Risk: Incomplete Data due to Filters              Yes                     No
Key Benefits 1/2
Key Benefits 2/2
Response Actions

Ransomware Example
§ Use Sigma to detect a threat
§ Add a response action

Sigma Rule with Response
§ Predefined
  § Kill a process or parent process
  § Suspend a process
  § Dump process memory
§ Custom
  § A custom command line that can make use of environment variables and the event’s values, e.g.
    copy %Image% %%ProgramData%%\%ProcessId%.bin
§ Contains threats in less than a second

(Diagram: a Sigma rule match triggers the response action)
Aurora – First Steps

Aurora Agent Package
§ The downloaded archive
§ Place the license file in the extracted folder
§ Utility that provides updates & other auxiliary functions
§ The x86 and x64 versions of the agent
§ The different configuration presets (the one with the ‘standard.yml’ suffix is used by default)
§ Signature set that gets shipped with the agent
§ ETW log sources and field mappings
§ Manual and license acknowledgements
§ Your custom Sigma rules and other IOCs (i.e. hash values, filename or C2 IOCs, named pipes etc.)
A First Run

Let’s just run Aurora a first time to get a feeling for it

Steps:
§ Start cmd.exe as Administrator
§ Change to the extracted program folder
§ Run:
  aurora-agent-64.exe

CTRL+C stops Aurora

Usage Help

Let’s see what the help has to offer

Steps:
§ Run:
  aurora-agent-64.exe --help

Don’t worry. We won’t need all options.

Looking over the different command line flags will give you a first impression of the feature set and the many customizing options.
Install Aurora as a Service

Let’s install Aurora as a service

Steps:
§ Start cmd.exe as Administrator
§ Change to the extracted program folder
§ Run:
  aurora-agent-64.exe --install
§ Check the agent’s status with:
  aurora-agent-64.exe --status
Function Tests and Event Review

Okay, now we verify that Aurora works as expected with a simple function test

Steps:
§ Start cmd.exe as Administrator
§ Run:
  whoami /priv
§ Open the Event Viewer and go to “Application”
§ Look for the source “Aurora Agent”
§ Select the “Details” tab
§ Review the event information
Update Aurora and Signatures

When you install Aurora as a service, two scheduled tasks are created to update the program (weekly) and the signatures (daily)

However, you can trigger an update manually using the “aurora-agent-util”

Steps:
§ Start cmd.exe as Administrator
§ Change directory to “C:\Program Files\Aurora-Agent” (service) or the extracted program folder, e.g. “C:\aurora” (standalone)
§ Run:
  aurora-agent-util.exe upgrade
§ Get usage help for all functions of the utility with:
  aurora-agent-util.exe help

Great!
Aurora is up and running.
Now let’s look at some customization options
Output Configuration

Aurora supports 3 different output channels

§ The Windows Eventlog (Application); deactivate with:
  --no-eventlog
§ A log file (automatically rotated):
  --log-file aurora-events.log
§ A remote system (UDP, TCP, plain or JSON):
  --udp-target oursyslog.internal

More information:
https://aurora-agent-manual.nextron-systems.com/en/latest/usage/configuration.html#output-options
Configuration Presets

Aurora includes 4 configuration presets that select different ETW log sources and add/remove different log enrichment modules

§ Standard (implicitly used – doesn’t have to be specified)
§ Reduced: -c agent-config-reduced.yml
  TL;DR: no process access events, CPU limit to 30%, minimum Sigma level “high”
§ Minimal: -c agent-config-minimal.yml
  TL;DR: no hash calculations, CPU limit 20%, no LSASS dump check, no Beacon Hunter, no Image load and Create Remote Thread events
§ Intense: -c agent-config-intense.yml
  TL;DR: every reasonable input activated, no limits

More information:
https://aurora-agent-manual.nextron-systems.com/en/latest/usage/configuration.html
Response Presets

Aurora comes with several presets that help you select the recommended response for a given use case

  --response-set ransomware.yml --activate-responses

This way you don’t have to review all 1000+ rules and select the ones that you want to see blocked

More information:
https://aurora-agent-manual.nextron-systems.com/en/latest/usage/responses.html
The Cool Stuff
Features that make Aurora great

IOC Application

Example: Type Filenames
§ The effectiveness of filename patterns is highly underrated
§ Malware and attackers use repeating patterns, why shouldn’t we?
§ We apply these patterns in many different events: process creation, file creation, image loads, handle events, driver loads

We also apply: C2 FQDNs, IPs, Named Pipes, Handles, File Hashes
Unique New Fields

§ Since Aurora generates only a few events, we said: “Why not add new fields that are helpful in evaluating the event?”

e.g.

The field ProcessTree allows you to write rules like:
“If new process powershell.exe and w3wp.exe somewhere in the process tree.”

The field FileAge allows you to write rules like:
“If access to lsass.exe process memory and FileAge starts with 00d00h00m.”
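To show why these two fields make the quoted rules easy to express, here is an added Python example (not Aurora's code) that evaluates both rules over constructed events. The field names follow the slide; the value layouts, an ancestor chain joined with " > " for ProcessTree and "DDdHHhMMm" for FileAge, are assumptions made for this example, as are all sample events and process IDs.

```python
"""Added example, not Aurora's code: a tiny rule evaluator that shows how
the ProcessTree and FileAge fields turn the two rules quoted on the slide
into simple string checks. Field names follow the slide; the value layout
of ProcessTree (ancestor chain joined with ' > ') and FileAge ('DDdHHhMMm')
is an assumption made for this example, as are all sample events."""
from datetime import datetime, timedelta

# Fixed "now" so that the constructed events evaluate the same way every run.
NOW = datetime(2022, 3, 1, 12, 0, 0)


def file_age_string(created: datetime, now: datetime = NOW) -> str:
    """Render the age of a file as 'DDdHHhMMm' (assumed layout), so that a
    rule can say 'FileAge starts with 00d00h00m' for files younger than a minute."""
    delta = max(now - created, timedelta(0))
    total_minutes = int(delta.total_seconds() // 60)
    days, rem = divmod(total_minutes, 24 * 60)
    hours, minutes = divmod(rem, 60)
    return f"{days:02d}d{hours:02d}h{minutes:02d}m"


def process_tree_string(chain: list[str]) -> str:
    """Join the ancestor chain (root first) into one searchable string (assumed layout)."""
    return " > ".join(chain)


def rule_powershell_under_w3wp(event: dict) -> bool:
    """'If new process powershell.exe and w3wp.exe somewhere in the process tree.'"""
    return (
        event["EventType"] == "ProcessCreate"
        and event["Image"].lower().endswith("\\powershell.exe")
        and "w3wp.exe" in event.get("ProcessTree", "").lower()
    )


def rule_fresh_binary_reads_lsass(event: dict) -> bool:
    """'If access to lsass.exe process memory and FileAge starts with 00d00h00m.'"""
    return (
        event["EventType"] == "ProcessAccess"
        and event["TargetImage"].lower().endswith("\\lsass.exe")
        and event.get("FileAge", "").startswith("00d00h00m")
    )


RULES = {
    "powershell_under_w3wp": rule_powershell_under_w3wp,
    "fresh_binary_reads_lsass": rule_fresh_binary_reads_lsass,
}


def build_events() -> list[dict]:
    """Constructed sample events (made-up values, not captured telemetry)."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    lsass = r"C:\Windows\System32\lsass.exe"
    return [
        {   # web server spawning a shell: rule 1 should fire
            "EventType": "ProcessCreate", "ProcessId": 4242, "Image": ps,
            "ProcessTree": process_tree_string(["w3wp.exe", "cmd.exe", "powershell.exe"]),
            "FileAge": file_age_string(datetime(2019, 6, 1)),
        },
        {   # an admin's interactive shell: same image, but no w3wp.exe in the tree
            "EventType": "ProcessCreate", "ProcessId": 4243, "Image": ps,
            "ProcessTree": process_tree_string(["explorer.exe", "powershell.exe"]),
            "FileAge": file_age_string(datetime(2019, 6, 1)),
        },
        {   # binary written 20 seconds ago reading LSASS memory: rule 2 should fire
            "EventType": "ProcessAccess", "ProcessId": 5100,
            "Image": r"C:\Users\Public\odh1kd.exe", "TargetImage": lsass,
            "ProcessTree": process_tree_string(["explorer.exe", "odh1kd.exe"]),
            "FileAge": file_age_string(NOW - timedelta(seconds=20)),
        },
        {   # a long-installed agent reading LSASS: FileAge keeps it out of rule 2
            "EventType": "ProcessAccess", "ProcessId": 900,
            "Image": r"C:\Program Files\Aurora-Agent\aurora-agent-64.exe", "TargetImage": lsass,
            "ProcessTree": process_tree_string(["services.exe", "aurora-agent-64.exe"]),
            "FileAge": file_age_string(datetime(2021, 1, 1)),
        },
    ]


def evaluate(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule name, ProcessId) for every rule that matches an event."""
    return [(name, ev["ProcessId"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in evaluate(build_events()):
        print(f"match: {name} on ProcessId {pid}")
```

The point of the two negative events is the one the slide makes: without ProcessTree, the first rule would have to enumerate every parent that w3wp.exe might go through, and without FileAge the second rule would flag every legitimate security agent that opens LSASS.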
Statistics Reporting

§ Reports event statistics at frequent intervals
§ Allows you to monitor the agents for manipulations
  § Attacker disables / stops agent
  § Attacker disables ETW
  § Attacker tampers with ETW event channels
§ The idea: you cannot completely rule out manipulations of the agents – but you can detect them!
§ Get it as plain text or JSON with “diff” values to last report, e.g.
  Microsoft-Windows-Kernel-Audit-API-Calls: 260000 (+4400 since last report)
  ^ this is great for monitoring; diff is 0 = tampering with ETW
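As an added example of the monitoring idea on this slide (my code, not Aurora's), the following Python parses plain-text report lines in the format quoted above and flags expected providers that are missing or report a zero diff. The report text is constructed; only the line format is taken from the slide, and the list of "expected" providers is an assumption you would replace with the channels your own config subscribes to.

```python
"""Added example, not Aurora's code: parse the plain-text statistics report
lines quoted on the slide and flag ETW providers whose "diff" is zero or
which are missing, the signal the slide names for tampering. The report
below is constructed; only the line format is taken from the slide."""
import re
from dataclasses import dataclass

# "Provider: <total> (+<diff> since last report)", as on the slide.
LINE_RE = re.compile(
    r"^(?P<provider>[\w.\-]+):\s+(?P<total>\d+)\s+\(\+(?P<diff>\d+) since last report\)$"
)

# Constructed sample report (made-up counters).
SAMPLE_REPORT = """
Microsoft-Windows-Kernel-Audit-API-Calls: 260000 (+4400 since last report)
Microsoft-Windows-Kernel-Process: 181200 (+0 since last report)
Microsoft-Windows-DNS-Client: 9120 (+310 since last report)
"""

# Providers that must never go quiet on a running host (assumption: use the
# set of channels your own agent config actually subscribes to).
EXPECTED_PROVIDERS = [
    "Microsoft-Windows-Kernel-Audit-API-Calls",
    "Microsoft-Windows-Kernel-Process",
    "Microsoft-Windows-Kernel-File",
]


@dataclass(frozen=True)
class ProviderStat:
    provider: str
    total: int
    diff: int


def parse_report(text: str) -> list[ProviderStat]:
    """Parse one report; unrecognised lines raise instead of being silently skipped,
    because a silently dropped line would hide exactly the gap we are looking for."""
    stats = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        stats.append(ProviderStat(m["provider"], int(m["total"]), int(m["diff"])))
    return stats


def find_stalled_providers(stats: list[ProviderStat], expected: list[str]) -> list[tuple[str, str]]:
    """Return (provider, reason) for expected providers that are absent or show no new events."""
    seen = {s.provider: s for s in stats}
    stalled = []
    for name in expected:
        stat = seen.get(name)
        if stat is None:
            stalled.append((name, "missing from report"))
        elif stat.diff == 0:
            stalled.append((name, "no new events since last report"))
    return stalled


if __name__ == "__main__":
    for provider, reason in find_stalled_providers(parse_report(SAMPLE_REPORT), EXPECTED_PROVIDERS):
        print(f"ALERT {provider}: {reason}")
```

A zero diff is only meaningful for providers that cannot legitimately be quiet on a running host (process creation is the obvious one), so the expected list should be chosen per config, and a missing report altogether is the stronger signal that the agent itself was stopped.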
Reports Extraordinary Event Producers

§ Aurora highlights event producers that are responsible for over 50% of the observed events and recommends an exclusion

Diagnostics

§ Generate a package with diagnostics data
§ Can help you …
  § find and exclude top event producers
  § identify modules that cause higher CPU usage and disable them
  § debug agents that show abnormal behavior

Custom Service Name

§ Choose a service name to hide Aurora’s presence from simple attempts to detect it
Getting Started
Visit the contact form and mention “Aurora Agent”
https://www.nextron-systems.com/get-started/

Extra Slides
Used for discussions regarding some of the features
Independence and Stability

§ No specific Windows audit policy required
§ No Sysmon required
§ We tap into ETW, recreate 90%* of the events used in Sysmon and apply Sigma rules to them
§ No Kernel Driver used (no blue screens)
§ Disadvantage: we miss some events (NamedPipe events, in some corner cases the CommandLine of a process)

*some event types & fields may not be available in the first release version, but the most important ones
Reduced Log Volume

(Diagram: two pipelines from the endpoint to the SIEM / log database)

Endpoint with native logging and Sysmon – high volume of log data:
§ Native (audit policy, Eventlog): logins, service installation, process creation, registry write access (certain keys)
§ Sysmon (Sysmon config, Sysmon logs): all system events, e.g. process access, file write access, handle access, network connections
§ A log forwarder filters and forwards the data to a backend (SIEM / log database): high volume of events

Endpoint with Aurora Agent – only matches:
§ Applies Sigma rules to the ETW channels
§ Only sends matches to the backend, e.g.
  § Named pipe used by CobaltStrike
  § Suspicious access to LSASS
  § Suspicious network connection from executable running in %Public% folder
Recreation of Sysmon-like Events in Aurora

(Diagram: the Sysmon kernel driver on the left and ETW on the right produce the same event types and fields)

Event ID 1: Process Creation
  ProcessID
  Image
  ParentImage
  CommandLine
  Hash
  …
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state change
Event ID 5: Process Terminated
Event ID 6: Driver loaded
  ImageLoaded
  Hashes
  Signature
  SignatureStatus

Percentage of events / fields recreated from ETW: ~70%
Percentage of events / fields used in Sigma rules that are covered: ~95%
ASGARD and Aurora Agent

§ Deploy Aurora with the ASGARD Management Center (no installation, runs as a sub process of our service controller)
§ Manage Sigma rules and updates of these rules
§ Deploy specific rule sets on groups of endpoints
§ Manage the response actions

(Diagram: the ASGARD Management Center manages the ASGARD Agent, which runs Aurora with its Sigma rules and config; Aurora reads ETW and the ASGARD Analysis Cockpit receives the matches)

Management in ASGARD

§ Comfortable Sigma rule management
§ Enable / disable rules
§ Create rule sets for different asset groups
§ Manage updates of the rules
§ Identify changes in updated rules and decide to deploy them
§ Define response actions, put them in simulation mode or arm them
Action: Kill, Recursive

(Diagram: a process tree containing Explorer.exe, Outlook.exe, msEdge.exe, Winword.exe, cmd.exe, Powershell.exe, Vssadmin.exe and odh1kd.exe; the Sigma rule match, with
  processidfield: ParentProcessId
  recursive: true
marks the affected processes)

Action: Kill, Recursive, LowPrivOnly, Ancestors: All

(Diagram: the same process tree; the Sigma rule match, with
  lowprivonly: true
  processidfield: ParentProcessId
  recursive: true
  ancestors: all
marks the affected processes, with recursive: true applied along the ancestor chain)
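To make the selection shown on these two slides concrete, here is an added Python example (my code, not Aurora's) that walks a constructed process tree and computes the set of affected processes for the processidfield, recursive, ancestors and lowprivonly options. The tree, the process IDs, the "elevated" flag and the exact way recursive combines with ancestors: all are assumptions for this example, not the product's documented semantics; the code only selects, it never terminates anything.

```python
"""Added example, not Aurora's code: compute which processes a Kill action
with the options from the slides would affect. The process tree, PIDs,
privilege flags and the combination rule for recursive + ancestors are
assumptions made for illustration; nothing here touches real processes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    elevated: bool  # assumption: True for SYSTEM / high-integrity processes


# Constructed tree modelled on the slide: a phishing chain from Outlook down
# to a dropped binary, plus winlogon.exe above Explorer.exe so that
# "ancestors: all" has a privileged process to reach.
PROCS = {p.pid: p for p in [
    Proc(500, 4, "winlogon.exe", True),
    Proc(1000, 500, "Explorer.exe", False),
    Proc(2000, 1000, "Outlook.exe", False),
    Proc(2100, 1000, "msEdge.exe", False),
    Proc(3000, 2000, "Winword.exe", False),
    Proc(4000, 3000, "cmd.exe", False),
    Proc(5000, 4000, "Powershell.exe", False),
    Proc(5100, 4000, "Vssadmin.exe", False),
    Proc(6000, 5000, "odh1kd.exe", False),
]}

# Constructed match: a process-creation event for odh1kd.exe spawned by Powershell.exe.
MATCH_EVENT = {"ProcessId": 6000, "ParentProcessId": 5000, "Image": r"C:\Users\Public\odh1kd.exe"}


def children_of(procs: dict, pid: int) -> list[int]:
    return [p.pid for p in procs.values() if p.ppid == pid and p.pid != pid]


def descendants(procs: dict, pid: int) -> set[int]:
    """All transitive children of pid (iterative, tolerant of PID-reuse loops)."""
    found, stack = set(), [pid]
    while stack:
        for child in children_of(procs, stack.pop()):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


def ancestors_of(procs: dict, pid: int) -> list[int]:
    """Parent chain of pid, nearest first, stopping at unknown PIDs (e.g. System)."""
    chain, cur = [], procs[pid].ppid
    while cur in procs and cur not in chain and cur != pid:
        chain.append(cur)
        cur = procs[cur].ppid
    return chain


def select_affected(procs: dict, event: dict, processidfield: str = "ProcessId",
                    recursive: bool = False, ancestors: str = "none",
                    lowprivonly: bool = False) -> list[int]:
    """Return the sorted PIDs an action with these options would apply to.
    Assumed semantics: start at event[processidfield]; 'ancestors: all' adds the
    parent chain; 'recursive' adds descendants of every selected process;
    'lowprivonly' then drops elevated processes from the result."""
    start = event[processidfield]
    selected = {start}
    if ancestors == "all":
        selected.update(ancestors_of(procs, start))
    if recursive:
        for pid in list(selected):
            selected.update(descendants(procs, pid))
    if lowprivonly:
        selected = {pid for pid in selected if not procs[pid].elevated}
    return sorted(selected)


def images(procs: dict, pids: list[int]) -> list[str]:
    return [procs[pid].image for pid in pids]


if __name__ == "__main__":
    kill_recursive = select_affected(PROCS, MATCH_EVENT, "ParentProcessId", recursive=True)
    print("Kill, Recursive:", images(PROCS, kill_recursive))
    full = select_affected(PROCS, MATCH_EVENT, "ParentProcessId", recursive=True,
                           ancestors="all", lowprivonly=True)
    print("Kill, Recursive, LowPrivOnly, Ancestors: All:", images(PROCS, full))
```

Run against the constructed tree, the first option set reaches only Powershell.exe and its child, while adding ancestors: all walks up to winlogon.exe; lowprivonly is what keeps that elevated process out of the result, which is the kind of guard an automated response needs before it is armed rather than left in simulation mode.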
