8. Function Tests

There are easy ways to test Aurora and see if it matches suspicious / malicious events.

8.1. Sigma Matching

8.1.1. Process Creation

Included in profiles: Minimal, Reduced, Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

whoami /priv

This should create a WARNING level message for a Sigma rule with level high.

certutil.exe -urlcache http://test.com

8.1.2. Network Communication

Included in profiles: Minimal, Reduced, Standard, Intense

This should create an ALERT level message for a Sigma rule with level critical.

ping aaa.stage.123456.test.com

8.1.3. File Creation

Included in profiles: Minimal, Reduced, Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

echo "test" > %temp%\lsass.dmp

8.1.4. Process Access

Included in profiles: Standard, Intense

This should create a WARNING level message for a Sigma rule with level high.

$id = Get-Process lsass; rundll32.exe C:\Windows\System32\comsvcs.dll , MiniDump $id.Id $env:temp\lsass.dmp full

Cleanup:

del /f %temp%\lsass.dmp

8.1.5. Registry

Included in profiles: Intense

This should create a WARNING level message for a Sigma rule with level high.

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AuroraTest" /V "AuroraTest" /t REG_SZ /F /D "vbscript"

Cleanup:

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AuroraTest" /F

8.2. IOC Matching

Note

The Aurora Lite version uses only a very limited set of IOCs.

8.2.1. Filenames

echo "test" > %temp%\loader.ps1

Cleanup:

del %temp%\loader.ps1

8.2.2. C2

Warning

This could trigger an alert in your internal monitoring (old Sofacy C2).

ping drivres-update.info

8.2.3. Hash

TBD

8.2.4. NamedPipe

Included in profiles: Intense

Start a named pipe using the following PowerShell commands:

$npipeServer = New-Object System.IO.Pipes.NamedPipeServerStream('testPipe', [System.IO.Pipes.PipeDirection]::InOut)
$npipeServer.Close()

8.2.5. Mutex

Create a mutex using the following PowerShell command:

$mtx = New-Object System.Threading.Mutex($true, "agony")

Matching might take some time (outside of the Intense profile) since mutexes are polled.
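The two snippets above (8.2.4 and 8.2.5) create the pipe and the mutex but leave no cleanup step and, for the mutex, no control over how long the object stays alive for a polling-based check. The following PowerShell script is an added example, not part of the Aurora documentation: it creates the named pipe 'testPipe' and the mutex "agony" from the page, holds both open for a configurable time, detects a mutex left over from an earlier run, and then releases everything. The hold time of 90 seconds is an assumption; adjust it to your polling interval.

```powershell
# Added test harness (not from the Aurora documentation): creates the named pipe
# and mutex from sections 8.2.4 and 8.2.5, keeps them alive long enough for a
# polling-based check, then cleans both up. The object names come from the page;
# the hold time is an assumption, adjust it to your polling interval.
param(
    [int]$HoldSeconds = 90   # assumed: long enough to cover one mutex polling cycle
)

$pipeName  = 'testPipe'
$mutexName = 'agony'

# 8.2.4: named pipe server. Opening the server is what produces the pipe event,
# so it is created first and disposed in the finally block.
$npipeServer = New-Object -TypeName System.IO.Pipes.NamedPipeServerStream `
    -ArgumentList $pipeName, ([System.IO.Pipes.PipeDirection]::InOut)

# 8.2.5: mutex. $true requests initial ownership; $createdNew tells us whether the
# name was free. A leftover mutex from an earlier run yields $false and no ownership.
$createdNew = $false
$mtx = New-Object -TypeName System.Threading.Mutex `
    -ArgumentList $true, $mutexName, ([ref]$createdNew)
if (-not $createdNew) {
    Write-Warning "Mutex '$mutexName' already existed; a previous run was probably not cleaned up."
}

try {
    Write-Host "Pipe '$pipeName' and mutex '$mutexName' are live for $HoldSeconds s; check the Aurora output now."
    Start-Sleep -Seconds $HoldSeconds
}
finally {
    # Cleanup, mirroring the page's "Cleanup:" steps for the file and registry tests.
    # ReleaseMutex is only valid when this thread owns the mutex, i.e. when it was created here.
    if ($createdNew) { $mtx.ReleaseMutex() }
    $mtx.Dispose()
    $npipeServer.Dispose()
    Write-Host "Cleaned up pipe and mutex."
}
```

Run it from an elevated or normal PowerShell prompt as `.\pipe-mutex-test.ps1 -HoldSeconds 120` (file name assumed); the finally block also runs when the script is interrupted with Ctrl+C, so the mutex does not outlive the test and trip a second, stale match.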

8.3. CommandLineMismatchDetector

Download the Process Ghosting PoC release package named "proc_ghost.zip" by @hasherezade.

Extract the package and then run:

proc_ghost.exe %comspec% c1.exe

Note

Only available in the full version (not Aurora Lite)