11. Custom Signatures and IOCs
11.1. Management using ASGARD
ASGARD Management Center allows you to create rule sets of sigma rules and apply hem to groups of end systems. It also features a "difference view" that shows you rules that have changed in the remote Sigma repository and allows you to accept or deny the changes. It also provides ways to filter false positives right at the source.
Signature updates and Aurora upgrades can be executed for all end points from the Management Center.
The rule management is described in more detail in this section of the ASGARD Management Center manual.
11.2. Manual signature management
Signatures can be specified when starting Aurora using the --rules-path and
--ioc-path parameters. These parameters default to the built-in rules and IOCs at
signatures\sigma-rules and signatures\iocs and the provided paths for
custom signatures at custom-signatures\sigma-rules and custom-signatures\iocs respectively.
Aurora traverses the directories that are specified with these parameters recursively
and initializes all signature files it finds.
In order to add new sigma rules or IOCs, you can either:
Add them to the corresponding subfolder in custom-signatures
Specify the folder where they are located using
--rules-pathor--ioc-path
Warning
If you specify --rules-path or --ioc-path, if you want to use the Aurora built-in rules and IOCs,
you need to add them manually as well. E.g.:
C:\Program Files\Aurora-Agent>aurora-agent.exe --install --rules-path .\signatures\sigma-rules --rules-path .\my-rules
If paths are configured, only the configured paths are used.
11.2.1. Signature format
IOCs follow the same format that THOR IOCs do; the full description can be found in the THOR manual.
Sigma rules must adhere to the specification found in the Sigma repository.
11.2.2. Encrypted signatures
Both IOCs and sigma rules can be encrypted using the encrypt function
in Aurora Agent Util. Aurora will automatically decrypt encrypted signatures at startup.
This functionality is only available in the full version of Aurora.
11.3. Signature Application
11.3.1. Sigma rules
Sigma rules must contain a logsource element which (indirectly) determines on which events the sigma rule is applied.
Aurora utilizes a number of log sources which map between these logsource elements and the actual sources.
The log source definitions which can be found in the log-sources folder. Rules
are applied on every log source which has a matching logsource definition.
- Log sources may also utilize:
conditionsto filter events from the given sourcesfieldmappingsto rename specific fields in the events that occur. This is useful to have all events with the samelogsourceappear to have the same fields, even if the underlying sources and field names differ.rewriteto reference each other.rewriteis meant to be used in combination with the other elements: For example, Sysmon events are split into different categories usingconditionsandrewrite.
11.3.2. IOCs
11.3.2.1. Hashes
Hash IOCs are applied to:
Process creation events
Image load events
Driver load events
11.3.2.2. Filenames
Filename IOCs are applied to:
Process creation events
Image load events
File creation events
Handle events that reference files
Driver load events
11.3.2.3. C2
C2 IOCs are applied to:
DNS query events
TCP connection events
11.3.2.4. Named Pipe
Named Pipe IOCs are applied to handle events that reference named pipes.
11.3.2.5. Handle
Handle IOCs (which include mutex and event IOCs) are applied to handle events.