10. Aurora Agent Util
Aurora Agent Util provides utility functions that are not centered around the detection logic:
Updating Aurora and its signatures
Encrypting custom signatures
Excluding "noisy" processes
Creating a diagnostics pack with debugging information
10.1. Updating Aurora
There are two Aurora Agent Util commands for updating:
update updates Aurora's signatures only. The program files are unaffected and will not be updated.
upgrade upgrades Aurora fully, both program files and signatures.
Both commands only replace files in the directory that contains the executable; a running agent keeps using the old files unless
--restart-service is specified.
--restart-service requires Aurora to have been installed as a service with
--install previously and will restart that service
so that it reloads the updated files.
aurora-agent-util.exe update
aurora-agent-util.exe upgrade --restart-service
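The following PowerShell wrapper is an added example, not part of the Aurora documentation or of Nextron's own tooling. It runs update or upgrade, only passes --restart-service when a service is actually installed (the flag requires a prior --install), hashes the program file before and after to confirm that update leaves it untouched while upgrade replaces it, and waits for the restarted service to come back. The install directory C:\Program Files\Aurora, the service name aurora-agent, the program file name aurora-agent.exe and a non-zero exit code on failure are assumptions, not facts from this page.

```powershell
# Added example, not from the Aurora documentation or the product itself.
# Assumed (not stated on the page): install path, service name, program file
# name and that aurora-agent-util.exe exits non-zero on failure.
[CmdletBinding()]
param(
    [string]$AuroraDir   = 'C:\Program Files\Aurora',   # assumed install location
    [string]$ServiceName = 'aurora-agent',               # assumed service name
    [switch]$Upgrade                                     # default: signatures only
)

$util  = Join-Path $AuroraDir 'aurora-agent-util.exe'
$agent = Join-Path $AuroraDir 'aurora-agent.exe'        # assumed program file name
foreach ($p in @($util, $agent)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "missing file: $p" }
}

# --restart-service requires a prior --install; only pass it when the
# service exists, otherwise the files are replaced but nothing is restarted.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$cmdArgs = @($(if ($Upgrade) { 'upgrade' } else { 'update' }))
if ($svc) {
    $cmdArgs += '--restart-service'
} else {
    Write-Warning "service '$ServiceName' is not installed; a running portable agent will keep the old files loaded"
}

# Hash the program file before and after: 'update' must leave it unchanged,
# 'upgrade' is expected to replace it.
$before = (Get-FileHash -Algorithm SHA256 -LiteralPath $agent).Hash
& $util @cmdArgs
if ($LASTEXITCODE -ne 0) {
    throw "'$($cmdArgs -join ' ')' failed with exit code $LASTEXITCODE"
}
$after = (Get-FileHash -Algorithm SHA256 -LiteralPath $agent).Hash

if (-not $Upgrade -and $before -ne $after) {
    throw "update changed $agent; only upgrade should touch program files"
}
Write-Output ("{0}: program file {1}" -f $cmdArgs[0],
    $(if ($before -eq $after) { 'unchanged' } else { 'replaced' }))

# After a restart, confirm the agent is actually back instead of assuming it;
# WaitForStatus throws a TimeoutException if it is not running in time.
if ($svc) {
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Output "service '$ServiceName' is running again"
}
```

Run it as `.\Update-Aurora.ps1` for a signature-only update or `.\Update-Aurora.ps1 -Upgrade` for a full upgrade from an elevated PowerShell session. The before/after hash is the cheap check that tells you which of the two operations you actually performed on a host, which matters when a fleet is supposed to get only signature refreshes.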
10.2. Encrypting Signatures
You can encrypt your custom signatures (either IOCs or Sigma rules) with the
encrypt command to avoid them being flagged by an antivirus product
or to protect them from hostile reads on a potentially compromised system. Aurora decrypts them at startup.
The encrypted versions of the passed signatures are placed next to the unencrypted signatures, with a different extension. If the point is to keep the rules away from hostile reads, remove the unencrypted copies from the endpoint afterwards and keep them only in your own rule repository; Aurora does not need them once the encrypted versions exist.
Encrypted signatures can be passed to Aurora just like unencrypted ones:
via the custom-signatures folder, or
by specifying them with
aurora-agent-util.exe encrypt path/to/my/sigmarule.yml path/to/my/other/sigmarule.yml
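The following script is an added example and not part of the Aurora documentation or of Nextron's tooling. It encrypts every custom rule in a folder in one encrypt call, verifies that an encrypted sibling with a different extension appeared for each input (the page states that placement but does not name the extension, so the script discovers it rather than hard-coding it), sanity-checks that the output no longer looks like plaintext YAML, and optionally deletes the readable copies. The install path C:\Program Files\Aurora, the *.yml file pattern and a non-zero exit code on failure are assumptions.

```powershell
# Added example, not from the Aurora documentation or the product itself.
# Assumed (not stated on the page): install path, that custom Sigma rules are
# *.yml files, and that aurora-agent-util.exe exits non-zero on failure.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$SignatureDir,
    [string]$AuroraDir = 'C:\Program Files\Aurora',   # assumed install location
    [switch]$RemovePlaintext                            # drop readable copies afterwards
)

$util  = Join-Path $AuroraDir 'aurora-agent-util.exe'
$rules = @(Get-ChildItem -LiteralPath $SignatureDir -Filter '*.yml' -File)
if ($rules.Count -eq 0) { throw "no *.yml files found in $SignatureDir" }

# Snapshot the folder so the files produced by encrypt can be identified
# without knowing the extension it uses.
$before = @(Get-ChildItem -LiteralPath $SignatureDir -File | ForEach-Object Name)

& $util encrypt @($rules.FullName)
if ($LASTEXITCODE -ne 0) { throw "encrypt failed with exit code $LASTEXITCODE" }

$after = @(Get-ChildItem -LiteralPath $SignatureDir -File | ForEach-Object Name)
$new   = @($after | Where-Object { $_ -notin $before })

foreach ($r in $rules) {
    # The encrypted file is expected next to the rule, sharing its base name
    # (rule.yml -> rule.<other extension>).
    $match = @($new | Where-Object { $_.StartsWith($r.BaseName + '.') -and $_ -ne $r.Name })
    if ($match.Count -eq 0) { throw "no encrypted output found for $($r.Name)" }
    $enc = Join-Path $SignatureDir $match[0]

    # A Sigma rule starts with keys like 'title:' and 'detection:'; if those are
    # still readable at line start the output was not actually encrypted.
    if (Select-String -LiteralPath $enc -Pattern '^(title|detection|logsource):' -Quiet) {
        throw "$enc still looks like plaintext YAML"
    }

    if ($RemovePlaintext) {
        Remove-Item -LiteralPath $r.FullName
    }
    Write-Output "$($r.Name) -> $($match[0])"
}
```

Run it against the folder that feeds Aurora's custom signatures, e.g. `.\Encrypt-Rules.ps1 -SignatureDir 'C:\Program Files\Aurora\custom-signatures' -RemovePlaintext`. Keep the plaintext rules in version control elsewhere; the endpoint only needs the encrypted files.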
10.3. Excluding Processes
The exclude command requires a running Aurora Agent. It connects to that agent for status information about
the processes that created the most events and runs an interactive dialogue in which you can conveniently add exclusions for some of these processes.
10.4. Creating a Diagnostics Pack
The diagnostics command creates a ZIP file with several files that can be analyzed by us in case of issues. If you encounter an issue, the first step is usually to send us this diagnostics pack along with a description of the issue.
The diagnostics pack includes the status output, the service startup logs (if available) and memory profiles that can be analyzed with pprof. Since it contains status output and memory profiles of the running agent, treat the pack as sensitive and transfer it through a channel appropriate for internal system information.