Merge branch 'master' of https://github.com/NextronSystems/aurora-age…

…nt-manual

.readthedocs.yaml

@@ -0,0 +1,16 @@
+version: 2
+
+# Set the OS, Python version and other tools you might need
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.11"
+
+sphinx:
+  configuration: conf.py
+
+formats: all
+
+python:
+  install:
+  - requirements: requirements.txt

README.md

@@ -0,0 +1,19 @@
+# Aurora Agent User Manual
+
+![aurora-architecture](https://user-images.githubusercontent.com/8741929/211800013-cae13bc9-ee00-4c06-95ae-91ee7891e54d.png)
+
+The `Aurora` Agent is a lightweight and customisable EDR agent based on Sigma. It uses Event Tracing for Windows (ETW) to recreate events that are very similar to the events generated by Microsoft’s Sysmon and applies Sigma rules and IOCs to them. AURORA complements the open Sigma standard with “response actions” that allow users to react to a Sigma match.
+It is everything that other EDRs aren’t.
+
+* It is completely transparent and fully customisable due to the open Sigma rule set and configuration files
+* It saves 99% of the network bandwidth and storage
+* It works completely on-premises, no data leaves your network
+* It can be configured to use only a limited amount of resources
+
+We offer an enterprise and a "Lite" version, which is free of charge. The free version uses only the open source rule set, lacks comfort features and a central management.
+
+## Getting Started
+
+To sart using `Aurora`, simply visit the official website [here](https://www.nextron-systems.com/aurora/#get-aurora) and request your copy.
+
+Documentation with instruction on how to install and use the agent can be found [here](https://aurora-agent-manual.nextron-systems.com/).

_static/css/custom.css

@@ -1,11 +1,15 @@
 .wy-side-nav-search {
-    background-color: #31e3e8;
+    background-color: #343131;
 }
 
 .wy-menu-vertical header, .wy-menu-vertical p.caption {
     color: #1f8b8e;
 }
 
+.wy-table-responsive table td, .wy-table-responsive table th {
+    white-space: normal;
+}
+
 .rst-versions a {
     color: #1f8b8e;
 }
@@ -37,4 +41,4 @@ a:hover {
 
 code {
     width: 400px;
-}
+}

conf.py

@@ -39,11 +39,11 @@
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
-    'sphinx.ext.intersphinx',
-    'sphinx.ext.autosectionlabel'
+    'sphinx.ext.autosectionlabel',
+    'sphinx_rtd_theme'
 ]
 
-suppress_warnings = ['autosectionlabel.*']
+#suppress_warnings = ['autosectionlabel.*']
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -62,7 +62,7 @@
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
@@ -80,6 +80,14 @@
 #
 html_theme = 'sphinx_rtd_theme'
 
+html_theme_options = {
+    'prev_next_buttons_location': 'both',
+    'style_external_links': True
+}
+
+html_logo = "images/html/aurora-logo.png"
+html_favicon = "images/html/favicon.ico"
+
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
@@ -114,57 +122,6 @@
 htmlhelp_basename = 'Aurora Agent User Manual'
 
 
-# -- Options for LaTeX output ------------------------------------------------
-
-latex_elements = {
-    # The paper size ('letterpaper' or 'a4paper').
-    #
-    # 'papersize': 'letterpaper',
-
-    # The font size ('10pt', '11pt' or '12pt').
-    #
-    # 'pointsize': '10pt',
-
-    # Additional stuff for the LaTeX preamble.
-    #
-    # 'preamble': '',
-
-    # Latex figure (float) alignment
-    #
-    # 'figure_align': 'htbp',
-}
-
-# Grouping the document tree into LaTeX files. List of tuples
-# (source start file, target name, title,
-#  author, documentclass [howto, manual, or own class]).
-latex_documents = [
-    (master_doc, 'THORUtilManual.tex', 'THOR Util Manual Documentation',
-     'Nextron Systems GmbH', 'manual'),
-]
-
-
-# -- Options for manual page output ------------------------------------------
-
-# One entry per manual page. List of tuples
-# (source start file, name, description, authors, manual section).
-man_pages = [
-    (master_doc, 'thorutilmanual', 'THOR Util Manual Documentation',
-     [author], 1)
-]
-
-
-# -- Options for Texinfo output ----------------------------------------------
-
-# Grouping the document tree into Texinfo files. List of tuples
-# (source start file, target name, title, author,
-#  dir menu entry, description, category)
-texinfo_documents = [
-    (master_doc, 'AuroraAgentManual', 'Aurora Agent Documentation',
-     author, 'AuroraAgentManual', 'Aurora Agent User Manual',
-     'Miscellaneous'),
-]
-
-
 # -- Options for Epub output -------------------------------------------------
 
 # Bibliographic Dublin Core info.
@@ -187,3 +144,6 @@
 
 # Enable -- to -
 smartquotes = False
+
+autosectionlabel_prefix_document = True
+autosectionlabel_maxdepth = 4

csv/internal-event-ids.csv

@@ -0,0 +1,9 @@
+Event ID;Description
+100;A license file was found.
+101;Status message (from ``--report-stats``)
+102;Aurora Agent started.
+103;Aurora Agent is terminating.
+104;The current license expired.
+105;No valid license file was found.
+107;A process created a large amount of events.
+108;An internal panic occurred.

csv/other-event-ids.csv

@@ -0,0 +1,13 @@
+Event ID;Module
+200;BeaconHunter
+300;Lsass Dump Detector
+400;ETW Canary
+500;Process Tampering Detector
+600;Temporary Driver Load Detector
+700;Command Line Mismatch Detector
+800;Event Distributor
+900;ETW Provider
+1000;Eventlog Provider
+1100;Handle Polling Provider
+1200;Resource Control
+1301;Filename IOC Match Found

csv/sigma-related-event-ids.csv

@@ -0,0 +1,26 @@
+Event ID;Description
+1;A **process creation** Sigma rule matched.
+2;A **set file creation time** sigma rule matched.
+3;A **network connection** sigma rule matched.
+4;A **sysmon status** Sigma rule matched.
+5;A **process termination** Sigma rule matched.
+6;A **driver loaded** Sigma rule matched.
+7;An **image loaded** Sigma rule matched.
+8;A **create remote thread** Sigma rule matched.
+9;A **raw disk access** Sigma rule matched.
+10;A **process access** Sigma rule matched.
+11;A **file creation** Sigma rule matched.
+12;A **registry event** Sigma rule matched.
+15;A **create stream hash** Sigma rule matched.
+17;A **pipe event** Sigma rule matched.
+19;A **WMI event** Sigma rule matched.
+12;A **registry event** Sigma rule matched.
+22;A **DNS query** Sigma rule matched.
+23;A **file deletion** Sigma rule matched.
+95;An error occurred while loading the Sigma rules.
+96;Sigma rules were reloaded.
+97;No Sigma rule files were found.
+98;Unspecified log message from Sigma module.
+99;Another Sigma rule (that did not belong to one of the above categories) matched.
+6000;A response for a sigma match was executed.
+6001;A response for a sigma match was simulated.

examples/faq-status-trace

@@ -0,0 +1,107 @@
+C:\Program Files\Aurora Agent>aurora-agent-64.exe --status --trace
+Aurora Agent
+Version: 0.9.9
+Build Revision: 9280d44aef722
+Signature Revision: 2022/03/25-161029
+Sigma Revision: 0.20-3393-g952f14d8
+Status: running
+Uptime (in hours): 0
+
+Active Outputs:
+Windows Application Eventlog: enabled
+
+Resource Usage:
+CPU Cores: 2
+Total Memory: 4.00GB
+Used Memory: 2.65GB
+Used by Aurora: 346.47MB
+
+Log Messages:
+Errors: 0
+Alerts: 0
+Warnings: 6
+Notices: 13
+
+Active Modules: LsassDumpDetector, BeaconHunter, EtwCanary, CommandLineMismatchDetector, ProcessTamperingDetector, TemporaryDriverLoadDetector, ApplyIOCs, Rescontrol, Sigma, ETWSource, ETWKernelSource, EventlogSource, PollHandles
+
+Rule Statistics:
+Rule paths: C:\Program Files\Aurora-Agent\signatures\sigma-rules, C:\Program Files\Aurora-Agent\custom-signatures
+Loaded rules: 1299
+        custom: 2
+        private: 18
+        public: 1279
+Rule reloads: 0
+Responses: 0
+Process dump path: C:\Program Files\Aurora-Agent\process-dumps
+
+Loaded IOCs:
+Domain IOCs: 8425
+        internal: 8425
+Filename IOCs: 6894
+        internal: 6894
+Handle IOCs: 581
+        internal: 581
+Hash IOCs: 8448
+        custom: 1
+        internal: 8447
+Namedpipe IOCs: 100
+        internal: 100
+
+Event Statistics:
+Events observed so far: 4003363
+By source:
+        1432318 events from PollHandles
+        1108254 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_CREATE
+        872554 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_FILEIO?eventids=14
+        353165 events from WinEventLog:Microsoft-Windows-Sysmon/Operational
+        162140 events from WinEventLog:Microsoft-Windows-Kernel-Audit-API-Calls
+        30112 events from WinEventLog:Microsoft-Windows-Kernel-Process/WINEVENT_KEYWORD_IMAGE
+        15275 events from WinEventLog:Microsoft-Windows-Kernel-Process/WINEVENT_KEYWORD_THREAD
+        8113 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_DELETE_PATH
+        4738 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_CREATE_NEW_FILE
+        4717 events from WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH
+        3826 events from WinEventLog:Microsoft-Windows-DNS-Client
+        3558 events from WinEventLog:Microsoft-Windows-TCPIP/ut:ConnectPath
+        1302 events from SystemLogger:Process
+        1236 events from WinEventLog:Security
+        756 events from WinEventLog:Microsoft-Windows-TaskScheduler/Operational
+        639 events from WinEventLog:Microsoft-Windows-Kernel-Process/WINEVENT_KEYWORD_PROCESS
+        257 events from WinEventLog:Microsoft-Windows-WinINet/WININET_KEYWORD_HANDLES
+        127 events from WinEventLog:{fbb4fbaa-2ae9-5b86-6d76-09930a11a03d}?fromownpid=1
+        120 events from WinEventLog:System
+        57 events from WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+        27 events from WinEventLog:Microsoft-Windows-WMI-Activity/Operational
+        25 events from WinEventLog:Microsoft-Windows-PowerShell
+        23 events from WinEventLog:Application
+        8 events from WinEventLog:Windows PowerShell
+        6 events from WinEventLog:Microsoft-Windows-Kernel-PnP/DriverLoad
+        5 events from WinEventLog:Microsoft-Windows-Windows Defender/Operational
+        4 events from WinEventLog:Microsoft-Windows-Kernel-PnP/DriverUnload
+        1 events from WinEventLog:Microsoft-Windows-SmbClient/Security
+By process:
+        1146976 events from C:\Windows\System32\svchost.exe
+        875516 events from C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2202.4-0\MsMpEng.exe
+        519059 events from C:\Windows\Sysmon64.exe
+        142271 events from C:\Windows\System32\RuntimeBroker.exe
+        110926 events from C:\Windows\explorer.exe
+        108878 events from System
+        99896 events from C:\Users\neo\Downloads\ProcessExplorer\procexp64.exe
+        77899 events from C:\Users\neo\AppData\Local\Programs\Microsoft VS Code\Code.exe
+        64256 events from C:\aurora-beta\aurora-agent-util.exe
+        ...
+
+False positive filters: 0
+Process excludes: 0
+
+Events missed so far: 0
+Sigma matches: 28
+Whoami Execution: 12
+Run Whoami Showing Privileges: 9
+Suspicious WSMAN Provider Image Loads: 4
+New TaskCache Entry: 2
+Run Once Task Configuration in Registry: 1
+Suppressed Sigma matches of those: 9
+Whoami Execution: 6
+Run Whoami Showing Privileges: 3
+
+Response Actions: disabled

examples/status

@@ -0,0 +1,23 @@
+C:\Program Files\Aurora Agent>aurora-agent-64.exe --status
+Aurora Agent
+Version: 0.1.6
+Build Revision: 5fef68a1
+Sigma Revision: 0.20-1884-ga4a26540
+Status: running
+Uptime (in hours): 0
+
+Active Outputs:
+Eventlog: enabled
+Stdout: enabled
+
+Rule Statistics:
+Loaded rules: 734
+Number of rule reloads: 0
+
+Event Statistics:
+Events observed so far: 89419
+Events lost so far: 0
+Sigma matches: 4
+Suppressed Sigma matches of those: 0
+
+Response Actions: disabled