10. Function Tests
There are easy ways to test Aurora and see if it matches suspicious / malicious events.
10.1. Sigma Matching
10.1.1. Sigma Matching - Process Creation
Included in profiles: Minimal, Reduced, Standard, Intense
This should create a WARNING level message for a Sigma rule with level high.
C:\Users\nextron>whoami /priv
This should create a WARNING level message for a Sigma rule with level high.
C:\Users\nextron>certutil.exe -urlcache http://test.com
10.1.2. Sigma Matching - Network Communication
Included in profiles: Minimal, Reduced, Standard, Intense
This should create an ALERT level message for a Sigma rule with level critical.
C:\Users\nextron>ping aaa.stage.123456.test.com
10.1.3. Sigma Matching - File Creation
Included in profiles: Minimal, Reduced, Standard, Intense
This should create a WARNING level message for a Sigma rule with level high.
C:\Users\nextron>echo "test" > %temp%\lsass.dmp
10.1.4. Sigma Matching - Process Access
Included in profiles: Standard, Intense
This should create a WARNING level message for a Sigma rule with level high.
PS C:\Users\nextron>$id = Get-Process lsass; rundll32.exe C:\Windows\System32\comsvcs.dll , MiniDump $id.Id $env:temp\lsass.dmp full
Cleanup:
C:\Users\nextron>del /f %temp%\lsass.dmp
10.1.5. Sigma Matching - Registry
Included in profiles: Intense
This should create a WARNING level message for a Sigma rule with level high.
C:\Users\nextron>reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AuroraTest" /V "AuroraTest" /t REG_SZ /F /D "vbscript"
Cleanup:
C:\Users\nextron>reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AuroraTest" /F
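To make the expected outcomes of the Sigma tests above concrete, here is an added example (not Aurora's or Nextron's code) of a minimal Sigma-style matcher: it evaluates constructed process-creation, network-connection and file events, modelled on the test commands in 10.1.1 to 10.1.3, against rules written in Sigma's structure, and maps the rule level to the message level the tests name (high to WARNING, critical to ALERT). The rules, events and field values are constructed for this example and are not the rules Aurora ships; the mapping of any other rule level to INFO is an assumption, as is the WerFault filter in the file rule.

```python
# Added example, not Aurora's code: a minimal Sigma-style matcher showing how events
# from the function tests are checked against rules and how the rule level maps to
# the message level named in the tests (high -> WARNING, critical -> ALERT).
from __future__ import annotations
from typing import Any

# From the page: level high -> WARNING, level critical -> ALERT.
# Any other level is assumed here to map to INFO (assumption, not documented).
LEVEL_TO_MESSAGE = {"critical": "ALERT", "high": "WARNING"}


def message_level(rule_level: str) -> str:
    return LEVEL_TO_MESSAGE.get(rule_level.lower(), "INFO")


def _value_matches(value: Any, pattern: str, modifiers: list[str]) -> bool:
    # Sigma string comparisons are case-insensitive; a missing field never matches.
    if value is None:
        return False
    text, pattern = str(value).lower(), pattern.lower()
    if "contains" in modifiers:
        return pattern in text
    if "endswith" in modifiers:
        return text.endswith(pattern)
    if "startswith" in modifiers:
        return text.startswith(pattern)
    return text == pattern


def _selection_matches(selection: dict, event: dict) -> bool:
    # Map selection: every field must match (AND); a list of values is OR,
    # unless the '|all' modifier turns that list into AND.
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = (_value_matches(event.get(field), p, modifiers) for p in values)
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    # Only the two condition shapes used by the constructed rules are supported.
    if rule["logsource"]["category"] != event.get("category"):
        return False
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return _selection_matches(det["selection"], event)
    if cond == "selection and not filter":
        return _selection_matches(det["selection"], event) and not _selection_matches(det["filter"], event)
    raise ValueError(f"unsupported condition: {cond!r}")


def evaluate(rules: list[dict], event: dict) -> list[tuple[str, str]]:
    """Return (rule title, message level) for every rule the event matches."""
    return [(r["title"], message_level(r["level"])) for r in rules if rule_matches(r, event)]


# Constructed rules in Sigma's structure; not the real rules shipped with Aurora.
RULES = [
    {"title": "Privilege enumeration via whoami", "level": "high",
     "logsource": {"category": "process_creation"},
     "detection": {"selection": {"Image|endswith": r"\whoami.exe", "CommandLine|contains": "/priv"},
                   "condition": "selection"}},
    {"title": "Certutil URL cache download", "level": "high",
     "logsource": {"category": "process_creation"},
     "detection": {"selection": {"Image|endswith": r"\certutil.exe",
                                 "CommandLine|contains|all": ["urlcache", "http"]},
                   "condition": "selection"}},
    {"title": "Connection to staging hostname", "level": "critical",
     "logsource": {"category": "network_connection"},
     "detection": {"selection": {"DestinationHostname|contains": ".stage."},
                   "condition": "selection"}},
    {"title": "LSASS dump file written", "level": "high",
     "logsource": {"category": "file_event"},
     "detection": {"selection": {"TargetFilename|endswith": r"\lsass.dmp"},
                   "filter": {"Image|endswith": r"\werfault.exe"},  # assumed benign writer
                   "condition": "selection and not filter"}},
]

# Constructed events mirroring the function tests; field names follow Sigma's taxonomy.
SAMPLE_EVENTS = {
    "whoami_priv": {"category": "process_creation", "Image": r"C:\Windows\System32\whoami.exe",
                    "CommandLine": "whoami /priv"},
    "whoami_plain": {"category": "process_creation", "Image": r"C:\Windows\System32\whoami.exe",
                     "CommandLine": "whoami"},
    "certutil": {"category": "process_creation", "Image": r"C:\Windows\System32\certutil.exe",
                 "CommandLine": "certutil.exe -urlcache http://test.com"},
    "ping_stage": {"category": "network_connection", "Image": r"C:\Windows\System32\PING.EXE",
                   "DestinationHostname": "aaa.stage.123456.test.com"},
    "echo_lsass": {"category": "file_event", "Image": r"C:\Windows\System32\cmd.exe",
                   "TargetFilename": r"C:\Users\nextron\AppData\Local\Temp\lsass.dmp"},
    "werfault_lsass": {"category": "file_event", "Image": r"C:\Windows\System32\WerFault.exe",
                       "TargetFilename": r"C:\Windows\Temp\lsass.dmp"},
}


def run_samples() -> dict[str, list[tuple[str, str]]]:
    return {name: evaluate(RULES, ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:15} -> {hits or 'no match'}")
```

The `whoami_plain` and `werfault_lsass` events are there to show the negative side of a test: a rule only fires when every selection field matches and no filter does, which is why the function tests pass specific arguments (`/priv`, `-urlcache http://…`) rather than just launching the binary.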
10.2. IOC Matching
Note: The Aurora Lite version uses only a very limited set of IOCs.
10.2.1. IOC Matching - Filenames
C:\Users\nextron>echo "test" > %temp%\loader.ps1
Cleanup:
C:\Users\nextron>del %temp%\loader.ps1
10.2.2. IOC Matching - C2
Warning: This could trigger an alert in your internal monitoring (old Sofacy C2).
C:\Users\nextron>ping drivres-update.info
10.2.3. IOC Matching - Hash
TBD
10.2.4. IOC Matching - NamedPipe
Included in profiles: Intense
Start a named pipe using the following PowerShell commands:
PS C:\Users\nextron>$npipeServer = New-Object System.IO.Pipes.NamedPipeServerStream('testPipe', [System.IO.Pipes.PipeDirection]::InOut)
PS C:\Users\nextron>$npipeServer.Close()
10.2.5. IOC Matching - Mutex
Create a mutex using the following PowerShell commands:
PS C:\Users\nextron>$mtx = New-Object System.Threading.Mutex($true, "agony")
Matching might take some time (outside of the Intense profile) since mutexes are polled.
10.3. CommandLineMismatchDetector
Download the Process Ghosting PoC release package named "proc_ghost.zip" by @hasherezade. Extract the package and then run:
C:\Users\nextron>proc_ghost.exe %comspec% c1.exe
Note: Only available in the full version (not Aurora Lite).