12. Aurora Agent Util
Aurora Agent Util provides utility functions that are not centered around the detection logic:

  - Updating Aurora and its signatures
  - Encrypting custom signatures
  - Excluding "noisy" processes
  - Creating a diagnostics pack with debugging information
12.1. Updating Aurora
There are two commands for Aurora Agent Util to update:

  update
    Updates Aurora's signatures only. The program files are unaffected and will not be updated.

  upgrade
    Upgrades Aurora fully, both program files and signatures.

Both commands only affect the directory that contains the executable unless --restart-service is specified.

  --restart-service
    Requires Aurora to have been installed with --install previously; restarts the service so that it reloads the updated files.

Examples:

  C:\Program Files\Aurora-Agent>aurora-agent-util.exe update
  C:\Program Files\Aurora-Agent>aurora-agent-util.exe upgrade --restart-service
12.2. Encrypting Signatures
You can encrypt your custom signatures (either IOCs or Sigma rules) with the encrypt command, either to prevent them from being flagged by antivirus software or to protect them from hostile reads on a potentially compromised system. Aurora decrypts them at startup.

The encrypted version of each passed signature file is placed next to the unencrypted file, with a different extension. Encrypted signatures are passed to Aurora just like unencrypted ones: via the custom-signatures folder, or by specifying them with --rules-path / --ioc-path.

Examples:

  C:\Program Files\Aurora-Agent>aurora-agent-util.exe encrypt path/to/my/sigmarule.yml path/to/my/other/sigmarule.yml
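The following PowerShell script is an added example, not part of the Aurora documentation or tooling: it encrypts every custom Sigma rule in a folder with the encrypt command in one call and then checks that each rule received an encrypted sibling file, whatever extension the tool assigns. The install path, the folder name and the assumption that a non-zero exit code signals failure are assumptions, not statements from the manual.

```powershell
# Added example (not Aurora's own code). Batch-encrypt custom Sigma rules with
# aurora-agent-util.exe and verify that an encrypted copy appeared next to each.
# Assumed (not stated in the manual): install path below, and exit code 0 = success.
param(
    [string]$RulesDir = 'C:\Program Files\Aurora-Agent\custom-signatures',
    [string]$Util     = 'C:\Program Files\Aurora-Agent\aurora-agent-util.exe'
)

$rules = @(Get-ChildItem -Path $RulesDir -Filter '*.yml' -File)
if ($rules.Count -eq 0) {
    Write-Warning "No .yml rules found in $RulesDir"
    return
}

# Snapshot the folder first so the newly created encrypted files can be
# identified afterwards without knowing which extension the tool uses.
$before = @(Get-ChildItem -Path $RulesDir -File | Select-Object -ExpandProperty FullName)

# One invocation with all rule paths, as in the manual's example.
& $Util encrypt @($rules.FullName)
if ($LASTEXITCODE -ne 0) {
    throw "aurora-agent-util.exe encrypt failed with exit code $LASTEXITCODE"
}

$after   = @(Get-ChildItem -Path $RulesDir -File | Select-Object -ExpandProperty FullName)
$created = @($after | Where-Object { $_ -notin $before })

# Report, per rule, whether an encrypted sibling (same base name, new extension)
# now exists; a missing sibling means that rule must not be relied on as encrypted.
$missing = 0
foreach ($rule in $rules) {
    $base = [IO.Path]::GetFileNameWithoutExtension($rule.Name) + '.'
    $enc  = $created | Where-Object { [IO.Path]::GetFileName($_).StartsWith($base) }
    if ($enc) {
        Write-Host ("OK      {0} -> {1}" -f $rule.Name, [IO.Path]::GetFileName(@($enc)[0]))
    } else {
        Write-Warning ("MISSING encrypted copy for {0}" -f $rule.Name)
        $missing++
    }
}
if ($missing -gt 0) { exit 1 }
```

The script leaves the plaintext originals in place; whether to remove them from the folder afterwards, so that only the encrypted copies remain on the host, is the operator's decision.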
12.3. Excluding Processes
The exclude command requires a running Aurora Agent. It connects to that Agent for status information about the processes that created the most events and runs an interactive dialogue in which you can conveniently add exclusions for some of these processes.

Examples:

  C:\Program Files\Aurora-Agent>aurora-agent-util.exe exclude

This function is just a more convenient alternative to adding the exclusions manually in the respective Process Exclusions file.
12.4. Creating a Diagnostics Pack
The diagnostics command creates a ZIP file containing several files that we can analyze in case of issues. If you encounter an issue, the first step is usually to send us this diagnostics pack along with a description of the issue.

Examples:

  C:\Program Files\Aurora-Agent>aurora-agent-util.exe diagnostics

The diagnostics pack includes the status output, the service startup logs (if available) and memory profiles that can be analyzed with the help of pprof.