Merge branch 'master' of https://github.com/NextronSystems/aurora-age…
Showing 33 changed files with 2,172 additions and 789 deletions.
@@ -0,0 +1,16 @@ | ||
version: 2 | ||
|
||
# Set the OS, Python version and other tools you might need | ||
build: | ||
os: ubuntu-22.04 | ||
tools: | ||
python: "3.11" | ||
|
||
sphinx: | ||
configuration: conf.py | ||
|
||
formats: all | ||
|
||
python: | ||
install: | ||
- requirements: requirements.txt |
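Review bot: `- requirements: requirements.txt` pulls the whole Sphinx toolchain from a file that is not part of this hunk; make sure that file pins exact versions of sphinx and the theme, otherwise the Read the Docs build is not reproducible and a new upstream release can silently change (or compromise) what gets built. Separately, `formats: all` also builds PDF and ePub, which drags LaTeX into the build image and makes every docs build slower and more fragile; if only HTML is published, narrow it to the formats you actually ship.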
@@ -0,0 +1,19 @@ | ||
# Aurora Agent User Manual | ||
|
||
![aurora-architecture](https://user-images.githubusercontent.com/8741929/211800013-cae13bc9-ee00-4c06-95ae-91ee7891e54d.png) | ||
|
||
The `Aurora` Agent is a lightweight and customisable EDR agent based on Sigma. It uses Event Tracing for Windows (ETW) to recreate events that are very similar to the events generated by Microsoft’s Sysmon and applies Sigma rules and IOCs to them. AURORA complements the open Sigma standard with “response actions” that allow users to react to a Sigma match. | ||
It is everything that other EDRs aren’t. | ||
|
||
* It is completely transparent and fully customisable due to the open Sigma rule set and configuration files | ||
* It saves 99% of the network bandwidth and storage | ||
* It works completely on-premises, no data leaves your network | ||
* It can be configured to use only a limited amount of resources | ||
|
||
We offer an enterprise and a "Lite" version, which is free of charge. The free version uses only the open source rule set, lacks comfort features and a central management. | ||
|
||
## Getting Started | ||
|
||
To sart using `Aurora`, simply visit the official website [here](https://www.nextron-systems.com/aurora/#get-aurora) and request your copy. | ||
|
||
Documentation with instruction on how to install and use the agent can be found [here](https://aurora-agent-manual.nextron-systems.com/). |
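Review bot: typo in `To sart using `Aurora``, which should read `To start using`; in the same hunk `Documentation with instruction on how to` should be `instructions`. Two wording points: `It saves 99% of the network bandwidth and storage` is an unqualified number and should state what it is compared against (for example shipping all raw telemetry to a central backend), and the product name alternates between `Aurora` and `AURORA` within one paragraph; pick one spelling and use it throughout the manual.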
@@ -0,0 +1,9 @@ | ||
Event ID;Description | ||
100;A license file was found. | ||
101;Status message (from ``--report-stats``) | ||
102;Aurora Agent started. | ||
103;Aurora Agent is terminating. | ||
104;The current license expired. | ||
105;No valid license file was found. | ||
107;A process created a large amount of events. | ||
108;An internal panic occurred. |
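Review bot: event ID 106 is missing between `105;No valid license file was found.` and `107;A process created a large amount of events.`; if 106 is reserved, unused or deprecated, add a row that says so, otherwise readers of the table will read the gap as an omission. Minor: `a large amount of events` should be `a large number of events`.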
@@ -0,0 +1,13 @@ | ||
Event ID;Module | ||
200;BeaconHunter | ||
300;Lsass Dump Detector | ||
400;ETW Canary | ||
500;Process Tampering Detector | ||
600;Temporary Driver Load Detector | ||
700;Command Line Mismatch Detector | ||
800;Event Distributor | ||
900;ETW Provider | ||
1000;Eventlog Provider | ||
1100;Handle Polling Provider | ||
1200;Resource Control | ||
1301;Filename IOC Match Found |
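Review bot: the last row `1301;Filename IOC Match Found` breaks the pattern of this table. Every other row maps a round base ID (200, 300, ..., 1200) to a module name under the `Module` column, while 1301 is a single event description. Either list the IOC-matching module under its base ID in the same style as the other rows and move the 1301 description to the per-event table, or rename the column so that both kinds of entry fit.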
@@ -0,0 +1,26 @@ | ||
Event ID;Description | ||
1;A **process creation** Sigma rule matched. | ||
2;A **set file creation time** sigma rule matched. | ||
3;A **network connection** sigma rule matched. | ||
4;A **sysmon status** Sigma rule matched. | ||
5;A **process termination** Sigma rule matched. | ||
6;A **driver loaded** Sigma rule matched. | ||
7;An **image loaded** Sigma rule matched. | ||
8;A **create remote thread** Sigma rule matched. | ||
9;A **raw disk access** Sigma rule matched. | ||
10;A **process access** Sigma rule matched. | ||
11;A **file creation** Sigma rule matched. | ||
12;A **registry event** Sigma rule matched. | ||
15;A **create stream hash** Sigma rule matched. | ||
17;A **pipe event** Sigma rule matched. | ||
19;A **WMI event** Sigma rule matched. | ||
12;A **registry event** Sigma rule matched. | ||
22;A **DNS query** Sigma rule matched. | ||
23;A **file deletion** Sigma rule matched. | ||
95;An error occurred while loading the Sigma rules. | ||
96;Sigma rules were reloaded. | ||
97;No Sigma rule files were found. | ||
98;Unspecified log message from Sigma module. | ||
99;Another Sigma rule (that did not belong to one of the above categories) matched. | ||
6000;A response for a sigma match was executed. | ||
6001;A response for a sigma match was simulated. |
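Review bot: the row `12;A **registry event** Sigma rule matched.` appears twice, once after 11 and again between 19 and 22. The second copy is either a duplicate to delete or a different ID (13, 14, 16, 18, 20 and 21 are absent from the table) whose number was lost when the row was copied; check it against the IDs the agent actually emits before merging. Also `sigma rule matched` (rows 2, 3 and `6000`/`6001`) and `Sigma rule matched` (the rest) alternate; use one capitalisation throughout.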
@@ -0,0 +1,107 @@ | ||
C:\Program Files\Aurora Agent>aurora-agent-64.exe --status --trace | ||
Aurora Agent | ||
Version: 0.9.9 | ||
Build Revision: 9280d44aef722 | ||
Signature Revision: 2022/03/25-161029 | ||
Sigma Revision: 0.20-3393-g952f14d8 | ||
Status: running | ||
Uptime (in hours): 0 | ||
|
||
Active Outputs: | ||
Windows Application Eventlog: enabled | ||
|
||
Resource Usage: | ||
CPU Cores: 2 | ||
Total Memory: 4.00GB | ||
Used Memory: 2.65GB | ||
Used by Aurora: 346.47MB | ||
|
||
Log Messages: | ||
Errors: 0 | ||
Alerts: 0 | ||
Warnings: 6 | ||
Notices: 13 | ||
|
||
Active Modules: LsassDumpDetector, BeaconHunter, EtwCanary, CommandLineMismatchDetector, ProcessTamperingDetector, TemporaryDriverLoadDetector, ApplyIOCs, Rescontrol, Sigma, ETWSource, ETWKernelSource, EventlogSource, PollHandles | ||
|
||
Rule Statistics: | ||
Rule paths: C:\Program Files\Aurora-Agent\signatures\sigma-rules, C:\Program Files\Aurora-Agent\custom-signatures | ||
Loaded rules: 1299 | ||
custom: 2 | ||
private: 18 | ||
public: 1279 | ||
Rule reloads: 0 | ||
Responses: 0 | ||
Process dump path: C:\Program Files\Aurora-Agent\process-dumps | ||
|
||
Loaded IOCs: | ||
Domain IOCs: 8425 | ||
internal: 8425 | ||
Filename IOCs: 6894 | ||
internal: 6894 | ||
Handle IOCs: 581 | ||
internal: 581 | ||
Hash IOCs: 8448 | ||
custom: 1 | ||
internal: 8447 | ||
Namedpipe IOCs: 100 | ||
internal: 100 | ||
|
||
Event Statistics: | ||
Events observed so far: 4003363 | ||
By source: | ||
1432318 events from PollHandles | ||
1108254 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_CREATE | ||
872554 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_FILEIO?eventids=14 | ||
353165 events from WinEventLog:Microsoft-Windows-Sysmon/Operational | ||
162140 events from WinEventLog:Microsoft-Windows-Kernel-Audit-API-Calls | ||
30112 events from WinEventLog:Microsoft-Windows-Kernel-Process/WINEVENT_KEYWORD_IMAGE | ||
15275 events from WinEventLog:Microsoft-Windows-Kernel-Process/WINEVENT_KEYWORD_THREAD | ||
8113 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_DELETE_PATH | ||
4738 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_CREATE_NEW_FILE | ||
4717 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH | ||
3826 events from WinEventLog:Microsoft-Windows-DNS-Client | ||
3558 events from WinEventLog:Microsoft-Windows-TCPIP/ut:ConnectPath | ||
1302 events from SystemLogger:Process | ||
1236 events from WinEventLog:Security | ||
756 events from WinEventLog:Microsoft-Windows-TaskScheduler/Operational | ||
639 events from WinEventLog:Microsoft-Windows-Kernel-Process/WINEVENT_KEYWORD_PROCESS | ||
257 events from WinEventLog:Microsoft-Windows-WinINet/WININET_KEYWORD_HANDLES | ||
127 events from WinEventLog:{fbb4fbaa-2ae9-5b86-6d76-09930a11a03d}?fromownpid=1 | ||
120 events from WinEventLog:System | ||
57 events from WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | ||
27 events from WinEventLog:Microsoft-Windows-WMI-Activity/Operational | ||
25 events from WinEventLog:Microsoft-Windows-PowerShell | ||
23 events from WinEventLog:Application | ||
8 events from WinEventLog:Windows PowerShell | ||
6 events from WinEventLog:Microsoft-Windows-Kernel-PnP/DriverLoad | ||
5 events from WinEventLog:Microsoft-Windows-Windows Defender/Operational | ||
4 events from WinEventLog:Microsoft-Windows-Kernel-PnP/DriverUnload | ||
1 events from WinEventLog:Microsoft-Windows-SmbClient/Security | ||
By process: | ||
1146976 events from C:\Windows\System32\svchost.exe | ||
875516 events from C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2202.4-0\MsMpEng.exe | ||
519059 events from C:\Windows\Sysmon64.exe | ||
142271 events from C:\Windows\System32\RuntimeBroker.exe | ||
110926 events from C:\Windows\explorer.exe | ||
108878 events from System | ||
99896 events from C:\Users\neo\Downloads\ProcessExplorer\procexp64.exe | ||
77899 events from C:\Users\neo\AppData\Local\Programs\Microsoft VS Code\Code.exe | ||
64256 events from C:\aurora-beta\aurora-agent-util.exe | ||
... | ||
|
||
False positive filters: 0 | ||
Process excludes: 0 | ||
|
||
Events missed so far: 0 | ||
Sigma matches: 28 | ||
Whoami Execution: 12 | ||
Run Whoami Showing Privileges: 9 | ||
Suspicious WSMAN Provider Image Loads: 4 | ||
New TaskCache Entry: 2 | ||
Run Once Task Configuration in Registry: 1 | ||
Suppressed Sigma matches of those: 9 | ||
Whoami Execution: 6 | ||
Run Whoami Showing Privileges: 3 | ||
|
||
Response Actions: disabled |
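Review bot: the install path is inconsistent within this sample: the prompt reads `C:\Program Files\Aurora Agent>` while the `Rule paths:` and `Process dump path:` lines use `C:\Program Files\Aurora-Agent\...`; users copy these paths, so use the real default directory name in both places. The `By process:` section also carries details of the capture host (`C:\Users\neo\...`, `C:\aurora-beta\aurora-agent-util.exe`, a specific Defender platform version under `C:\ProgramData\...`); replacing them with generic paths keeps the sample from dating and from leaking host specifics. Finally, this output says `Events missed so far` while the other status sample in this commit says `Events lost so far`; if the label changed between versions, state which version each sample was taken from.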
@@ -0,0 +1,23 @@ | ||
C:\Program Files\Aurora Agent>aurora-agent-64.exe --status | ||
Aurora Agent | ||
Version: 0.1.6 | ||
Build Revision: 5fef68a1 | ||
Sigma Revision: 0.20-1884-ga4a26540 | ||
Status: running | ||
Uptime (in hours): 0 | ||
|
||
Active Outputs: | ||
Eventlog: enabled | ||
Stdout: enabled | ||
|
||
Rule Statistics: | ||
Loaded rules: 734 | ||
Number of rule reloads: 0 | ||
|
||
Event Statistics: | ||
Events observed so far: 89419 | ||
Events lost so far: 0 | ||
Sigma matches: 4 | ||
Suppressed Sigma matches of those: 0 | ||
|
||
Response Actions: disabled |
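Review bot: this sample is from `Version: 0.1.6` while the `--status --trace` sample is from 0.9.9, and the two show different field names and layouts (`Events lost so far` here versus `Events missed so far`; `Eventlog` and `Stdout` under Active Outputs versus `Windows Application Eventlog`; `Number of rule reloads` versus `Rule reloads`). Label this sample with the version it belongs to, or regenerate it from the current release, so readers do not expect fields that no longer exist.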