9. Function Tests

There are easy ways to test Aurora and check that it matches suspicious or malicious events.

9.1. Sigma Matching

9.1.1. Process Creation

Included in profiles: Minimal, Reduced, Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

C:\Users\nextron>whoami /priv

This should create a WARNING level message for a Sigma rule with level high.

C:\Users\nextron>certutil.exe -urlcache http://test.com

9.1.2. Network Communication

Included in profiles: Minimal, Reduced, Standard, Intense

This should create an ALERT level message for a Sigma rule with level critical.

C:\Users\nextron>ping aaa.stage.123456.test.com

9.1.3. File Creation

Included in profiles: Minimal, Reduced, Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

C:\Users\nextron>echo "test" > %temp%\lsass.dmp

9.1.4. Process Access

Included in profiles: Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

PS C:\Users\nextron>$id = Get-Process lsass; rundll32.exe C:\Windows\System32\comsvcs.dll , MiniDump $id.Id $env:temp\lsass.dmp full

Cleanup:

C:\Users\nextron>del /f %temp%\lsass.dmp

9.1.5. Registry

Included in profiles: Intense

This should create a WARNING level message for a Sigma rule with level high.

C:\Users\nextron>reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AuroraTest" /V "AuroraTest" /t REG_SZ /F /D "vbscript"

Cleanup:

C:\Users\nextron>reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AuroraTest" /F
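The tests in this section only say what message level to expect; they do not show how to confirm that the message actually arrived. The following PowerShell function is an added example (not part of the Aurora manual) that runs one of the test commands above and then polls the Windows Event Log for a message from the agent that mentions an expected keyword. It assumes Aurora is configured to write to the Windows Event Log and that you pass the provider (source) name it uses on your system in -ProviderName; that name, the log name and the 60 second timeout are assumptions, not values taken from this page. The LevelDisplayName it reports is the Event Log level, which need not be the Aurora WARNING/ALERT level named in the text.

```powershell
# Added example, not part of the Aurora manual.
# ASSUMPTION: Aurora writes to the Windows Event Log and -ProviderName is the
# source name it uses on this host (take it from the agent configuration).
function Invoke-AuroraFunctionTest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProviderName,   # assumption: agent's Event Log source
        [string]      $LogName = 'Application',          # assumption: log the agent writes to
        [scriptblock] $Test = { whoami /priv | Out-Null }, # test 9.1.1 from this page
        [string]      $ExpectedKeyword = 'whoami',       # substring expected in the message
        [int]         $TimeoutSeconds = 60               # assumption: generous upper bound
    )

    $start = Get-Date

    # Run the test command; its own output is irrelevant, only the resulting event matters.
    & $Test

    # Poll the log until an agent message containing the keyword appears or the timeout
    # expires. Get-WinEvent throws when nothing matches, so the catch turns that into "no events".
    $deadline = $start.AddSeconds($TimeoutSeconds)
    do {
        try {
            $events = Get-WinEvent -FilterHashtable @{
                LogName      = $LogName
                ProviderName = $ProviderName
                StartTime    = $start
            } -ErrorAction Stop
        } catch {
            $events = @()
        }

        $hit = $events |
            Where-Object { $_.Message -like "*$ExpectedKeyword*" } |
            Select-Object -First 1

        if ($hit) {
            return [pscustomobject]@{
                Matched = $true
                Elapsed = (Get-Date) - $start
                Level   = $hit.LevelDisplayName
                Message = $hit.Message
            }
        }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)

    # Timeout: report the failure instead of silently returning nothing.
    return [pscustomobject]@{
        Matched = $false
        Elapsed = (Get-Date) - $start
        Level   = $null
        Message = $null
    }
}

# Example run for test 9.1.1; replace the placeholder with the real provider name.
Invoke-AuroraFunctionTest -ProviderName '<aurora-provider-name>' -Verbose
```

Other tests from this section can be passed as the -Test script block with a matching -ExpectedKeyword, for example `-Test { "test" | Out-File "$env:TEMP\lsass.dmp" } -ExpectedKeyword 'lsass.dmp'` for 9.1.3; run the cleanup commands from the page afterwards as usual.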

9.2. IOC Matching

Note

The Aurora Lite version uses only a very limited set of IOCs.

9.2.1. Filenames

C:\Users\nextron>echo "test" > %temp%\loader.ps1

Cleanup:

C:\Users\nextron>del %temp%\loader.ps1

9.2.2. C2

Warning

This could trigger an alert in your internal monitoring, since the domain is an old Sofacy C2.

C:\Users\nextron>ping drivres-update.info

9.2.3. Hash

TBD

9.2.4. NamedPipe

Included in profiles: Intense

Start a named pipe using the following PowerShell commands:

PS C:\Users\nextron>$npipeServer = New-Object System.IO.Pipes.NamedPipeServerStream('testPipe', [System.IO.Pipes.PipeDirection]::InOut)
PS C:\Users\nextron>$npipeServer.Close()

9.2.5. Mutex

Create a mutex using the following PowerShell commands:

PS C:\Users\nextron>$mtx = New-Object System.Threading.Mutex($true, "agony")

Matching might take some time (outside of the Intense profile) since mutexes are polled.
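Because mutexes are polled, a mutex (or pipe) that is created and released within the same second may never be seen by the agent. The following PowerShell function is an added example (not part of the Aurora manual) that creates the named pipe from 9.2.4 and the mutex from 9.2.5, keeps both alive for a dwell time, and then releases them in a finally block so nothing is left behind. The pipe and mutex names are the ones used on this page; the 120 second dwell time is an assumption chosen to exceed a typical poll interval.

```powershell
# Added example, not part of the Aurora manual.
# Creates the test named pipe and mutex, holds them for -DwellSeconds, then cleans up.
function Start-AuroraIocArtifacts {
    [CmdletBinding()]
    param(
        [string] $PipeName     = 'testPipe',   # name from section 9.2.4
        [string] $MutexName    = 'agony',      # name from section 9.2.5
        [int]    $DwellSeconds = 120           # assumption: longer than the poll interval
    )

    $pipe    = $null
    $mutex   = $null
    $created = $false
    try {
        # The pipe server object exists (and is visible under \\.\pipe\) as soon as it is
        # constructed; no client has to connect for an observer to see it.
        $pipe = New-Object System.IO.Pipes.NamedPipeServerStream(
            $PipeName, [System.IO.Pipes.PipeDirection]::InOut)

        # Create and immediately own the mutex. $created reports whether the name was free;
        # if it was not, this call did not acquire ownership and must not release it later.
        $mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$created)
        if (-not $created) {
            Write-Warning "Mutex '$MutexName' already existed; a previous run may still be holding it."
        }

        Write-Verbose "Holding pipe '$PipeName' and mutex '$MutexName' for $DwellSeconds seconds"
        Start-Sleep -Seconds $DwellSeconds
    }
    finally {
        # Cleanup runs on normal completion, on error and on Ctrl+C.
        if ($mutex) {
            if ($created) { $mutex.ReleaseMutex() }   # only the owning thread may release
            $mutex.Dispose()
        }
        if ($pipe) { $pipe.Dispose() }
    }
}

Start-AuroraIocArtifacts -Verbose
```

Run it in a separate PowerShell window and watch the agent output while it is sleeping; if nothing matches before the function returns, increase -DwellSeconds rather than assuming the IOC is missing.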

9.3. CommandLineMismatchDetector

Download the Process Ghosting PoC release package named "proc_ghost.zip" by @hasherezade.

Extract the package and then run:

C:\Users\nextron>proc_ghost.exe %comspec% c1.exe

Note

Only available in the full version (not Aurora Lite).