10. Function Tests

There are easy ways to test Aurora and verify that it matches suspicious or malicious events.

10.1. Sigma Matching

10.1.1. Sigma Matching - Process Creation

Included in profiles: Minimal, Reduced, Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

C:\Users\nextron>whoami /priv

This should create a WARNING level message for a Sigma rule with level high.

C:\Users\nextron>certutil.exe -urlcache http://test.com

10.1.2. Sigma Matching - Network Communication

Included in profiles: Minimal, Reduced, Standard, Intense

This should create an ALERT level message for a Sigma rule with level critical.

C:\Users\nextron>ping aaa.stage.123456.test.com

10.1.3. Sigma Matching - File Creation

Included in profiles: Minimal, Reduced, Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

C:\Users\nextron>echo "test" > %temp%\lsass.dmp

10.1.4. Sigma Matching - Process Access

Included in profiles: Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

PS C:\Users\nextron>$id = Get-Process lsass; rundll32.exe C:\Windows\System32\comsvcs.dll , MiniDump $id.Id $env:temp\lsass.dmp full

Cleanup:

C:\Users\nextron>del /f %temp%\lsass.dmp

10.1.5. Sigma Matching - Registry

Included in profiles: Intense

This should create a WARNING level message for a Sigma rule with level high.

C:\Users\nextron>reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AuroraTest" /V "AuroraTest" /t REG_SZ /F /D "vbscript"

Cleanup:

C:\Users\nextron>reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AuroraTest" /F
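To make the expected results of the Sigma tests above concrete, here is an added example (not part of this documentation and not Aurora's own code or rule set) of a minimal Sigma-style matcher. It evaluates constructed rules in Sigma's shape (a selection of field/modifier pairs plus "condition: selection") against constructed events for each of the four test cases (process creation, network, file creation, registry) and maps the rule level to the message level the page states: high gives WARNING and critical gives ALERT. The medium and low mappings, the rule titles, and the event field names are assumptions for the example.

```python
"""Constructed example: a tiny Sigma-style matcher mirroring the test cases
(process creation, DNS query, file creation, registry). Rules and events are
constructed for illustration; they are NOT Aurora's rule set."""
import fnmatch

# Stated on the page: high -> WARNING, critical -> ALERT.
# The medium/low mappings are an assumption for this example.
LEVEL_TO_MESSAGE = {"critical": "ALERT", "high": "WARNING", "medium": "NOTICE", "low": "INFO"}

# Constructed rules in Sigma's shape (logsource, detection.selection, condition).
RULES = [
    {"title": "Privilege enumeration via whoami", "level": "high",
     "logsource": {"category": "process_creation"},
     "detection": {"selection": {"Image|endswith": "\\whoami.exe",
                                 "CommandLine|contains": "/priv"},
                   "condition": "selection"}},
    {"title": "DNS query to a staging host", "level": "critical",
     "logsource": {"category": "dns_query"},
     "detection": {"selection": {"QueryName|contains": ".stage."},
                   "condition": "selection"}},
    {"title": "LSASS dump file written", "level": "high",
     "logsource": {"category": "file_event"},
     "detection": {"selection": {"TargetFilename|endswith": "\\lsass.dmp"},
                   "condition": "selection"}},
    {"title": "Script engine string written to registry", "level": "high",
     "logsource": {"category": "registry_set"},
     "detection": {"selection": {"Details": "vbscript"},
                   "condition": "selection"}},
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier': value pair (a subset of Sigma modifiers)."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    # Sigma string matching is case-insensitive.
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "":
        return fnmatch.fnmatchcase(actual, expected)  # plain values allow * and ? wildcards
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(rule, event):
    """All pairs of the selection must match; only 'condition: selection' is supported."""
    det = rule["detection"]
    if det["condition"] != "selection":
        raise ValueError("this toy matcher only supports 'condition: selection'")
    if rule["logsource"]["category"] != event["category"]:
        return False
    return all(_field_matches(event, k, v) for k, v in det["selection"].items())


def evaluate(event, rules=RULES):
    """Return (message level, rule title) for every rule the event triggers."""
    return [(LEVEL_TO_MESSAGE[r["level"]], r["title"]) for r in rules if rule_matches(r, event)]


# Constructed events corresponding to the test commands in this section,
# plus one benign process creation that must not match.
EVENTS = [
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\whoami.exe",
     "CommandLine": "whoami /priv"},
    {"category": "dns_query", "QueryName": "aaa.stage.123456.test.com"},
    {"category": "file_event",
     "TargetFilename": "C:\\Users\\nextron\\AppData\\Local\\Temp\\lsass.dmp"},
    {"category": "registry_set",
     "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AuroraTest\\AuroraTest",
     "Details": "vbscript"},
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\whoami.exe",
     "CommandLine": "whoami"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["category"], "->", evaluate(ev) or "no match")
```

The benign "whoami" without "/priv" is included to show that the selection is a conjunction: every field/modifier pair must hold, so a rule written with two fields is narrower than either field alone.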

10.2. IOC Matching

Note

The Aurora Lite version uses only a very limited set of IOCs.

10.2.1. IOC Matching - Filenames

C:\Users\nextron>echo "test" > %temp%\loader.ps1

Cleanup:

C:\Users\nextron>del %temp%\loader.ps1

10.2.2. IOC Matching - C2

Warning

This could trigger an alert in your internal monitoring (old Sofacy C2).

C:\Users\nextron>ping drivres-update.info

10.2.3. IOC Matching - Hash

TBD

10.2.4. IOC Matching - NamedPipe

Included in profiles: Intense

Create a named pipe server using the following PowerShell commands:

PS C:\Users\nextron>$npipeServer = New-Object System.IO.Pipes.NamedPipeServerStream('testPipe', [System.IO.Pipes.PipeDirection]::InOut)
PS C:\Users\nextron>$npipeServer.Close()

10.2.5. IOC Matching - Mutex

Create a mutex using the following PowerShell commands:

PS C:\Users\nextron>$mtx = New-Object System.Threading.Mutex($true, "agony")

Matching might take some time (outside of the Intense profile) since mutexes are polled.
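The IOC tests in section 10.2 exercise five indicator types (filename, C2 domain, hash, named pipe, mutex). As an added example that is not part of this documentation and not Aurora's IOC feed or matching code, the following script shows how each type is typically compared: filenames by pattern on the base name, domains including their subdomains, hashes by exact digest, and pipes and mutexes by their bare name with any namespace prefix stripped. The IOC values are taken from the test commands above; the sample bytes for the hash check and all observables are constructed.

```python
"""Constructed example: IOC matching for the five indicator types tested above.
The IOC set is built from values on this page plus one constructed hash; it is
NOT Aurora's IOC feed, and the observables below are constructed."""
import hashlib
import re

# Constructed IOC set. Filename IOCs are regexes applied to the file name only
# (not the full path); all other types are exact, case-insensitive values.
IOCS = {
    "filename": [r"^loader\.ps1$"],
    "c2": ["drivres-update.info"],
    "hash": [],  # filled below from a constructed sample so the example is self-contained
    "namedpipe": ["testPipe"],
    "mutex": ["agony"],
}

# Constructed "malicious" sample; a real hash IOC comes from a feed, not from code.
SAMPLE_BYTES = b"constructed sample payload for the hash IOC demo\n"
IOCS["hash"].append(hashlib.sha256(SAMPLE_BYTES).hexdigest())


def match_filename(path):
    """Match only the base name, so the same IOC hits in any directory."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return any(re.search(p, name, re.IGNORECASE) for p in IOCS["filename"])


def match_domain(query):
    """A C2 domain IOC also covers its subdomains (cdn.<domain>, etc.)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in map(str.lower, IOCS["c2"]))


def match_hash(data):
    """Exact SHA-256 comparison of the observed bytes."""
    return hashlib.sha256(data).hexdigest() in IOCS["hash"]


def match_pipe(pipe_name):
    """Windows exposes pipes as \\\\.\\pipe\\<name>; compare on the bare name."""
    name = pipe_name.rsplit("\\", 1)[-1].lower()
    return name in (p.lower() for p in IOCS["namedpipe"])


def match_mutex(mutex_name):
    """Strip a Global\\ or Local\\ namespace prefix before comparing."""
    name = mutex_name.rsplit("\\", 1)[-1].lower()
    return name in (m.lower() for m in IOCS["mutex"])


def scan(observables):
    """observables: list of (kind, value). Returns the subset that hit an IOC."""
    dispatch = {"filename": match_filename, "c2": match_domain, "hash": match_hash,
                "namedpipe": match_pipe, "mutex": match_mutex}
    return [(kind, value) for kind, value in observables if dispatch[kind](value)]


# Constructed observables: each IOC type once as a hit and once as a miss
# (the hash and pipe misses are implicit in the benign entries).
OBSERVABLES = [
    ("filename", r"C:\Users\nextron\AppData\Local\Temp\loader.ps1"),
    ("filename", r"C:\Users\nextron\AppData\Local\Temp\notes.txt"),
    ("c2", "drivres-update.info"),
    ("c2", "cdn.drivres-update.info"),
    ("c2", "example.org"),
    ("hash", SAMPLE_BYTES),
    ("hash", b"benign bytes"),
    ("namedpipe", r"\\.\pipe\testPipe"),
    ("mutex", r"Global\agony"),
    ("mutex", "unrelatedMutex"),
]

if __name__ == "__main__":
    for kind, value in scan(OBSERVABLES):
        print(f"IOC hit: {kind} = {value!r}")
```

Note the asymmetry the page hints at with the mutex test: file, DNS and pipe observables arrive as events, while mutexes have to be enumerated periodically, so a matcher like this one is fed from a poll for that type and the hit can lag the creation.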

10.3. CommandLineMismatchDetector

Download the Process Ghosting PoC release package "proc_ghost.zip" by @hasherezade.

Extract the package and then run:

C:\Users\nextron>proc_ghost.exe %comspec% c1.exe

Note

Only available in the full version (not Aurora Lite)
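The page does not describe how the CommandLineMismatchDetector works internally, so the following is an added example of one plausible heuristic, not Aurora's implementation: compare the executable named at the start of a process's command line with the file name of its image. In the test above, the PoC appears to launch %comspec% (cmd.exe) under the unrelated command line "c1.exe" (an assumption about the PoC's argument order), which is exactly the kind of discrepancy this check flags. Events and the handling of unquoted paths with spaces are constructed for the example.

```python
"""Constructed example: flag processes whose command line names a different
executable than the process image. This is an assumed heuristic for
illustration, NOT Aurora's CommandLineMismatchDetector code."""
import ntpath


def first_token(command_line):
    """Return the executable token of a Windows command line (quoted or bare)."""
    s = command_line.strip()
    if not s:
        return ""
    if s[0] == '"':
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0]


def _norm(name):
    """Base name, lower-cased, without a trailing .exe so 'cmd' == 'cmd.exe'."""
    base = ntpath.basename(name).lower()
    return base[:-4] if base.endswith(".exe") else base


def command_line_mismatch(image_path, command_line):
    """True when the executable named in the command line is not the process image."""
    stripped = command_line.strip()
    # Unquoted image paths containing spaces (C:\Program Files\...) would split
    # at the first space; accept them if the command line starts with the image path.
    if stripped.lstrip('"').lower().startswith(image_path.lower()):
        return False
    token = first_token(stripped)
    if not token:
        return True  # a real image with an empty command line is itself unusual
    return _norm(token) != _norm(image_path)


def detect(events):
    """Return the events whose command line does not match their image."""
    return [e for e in events if command_line_mismatch(e["Image"], e["CommandLine"])]


# Constructed process-creation events. The first mirrors the test above:
# a cmd.exe image started under the unrelated command line "c1.exe".
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "c1.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"Image": r"C:\Program Files\Demo\app.exe", "CommandLine": r"C:\Program Files\Demo\app.exe --flag"},
]

if __name__ == "__main__":
    for e in detect(EVENTS):
        print("mismatch:", e)
```

A production detector needs an allowlist on top of this: some legitimate launchers and service hosts deliberately start children with an argv[0] that differs from the image name, so the check is a signal to enrich and review rather than a verdict on its own.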