3. Installation
3.1. Requirements
Aurora runs on Windows 7 or newer and requires administrative privileges.
Other OS (Linux or macOS) are not supported.
3.1.1. Supported
Windows 7 x86 / x64
Windows Server 2008 R2 x64
Windows 8.1
Windows Server 2012
Windows Server 2012 R2
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022
3.1.2. Define an Antivirus / EDR Exclusion
It is recommended to exclude Aurora from your Antivirus / EDR solution.
Depending on your architecture and whether Aurora was installed or started interactively from a temporary directory, the exclusion paths are:
For an installed Aurora
C:\Program Files\Aurora-Agent\aurora-agent-64.exe
C:\Program Files\Aurora-Agent\aurora-agent.exe
For a interactively started Aurora the path you have used for extraction. For example:
C:\aurora\aurora-agent-64.exe
C:\aurora\aurora-agent.exe
3.2. Quick Start
Extract the program package into a temporary folder (e.g.
C:\aurora
)Make sure to place the
*.lic
file into the extracted folderStart a cmd.exe as administrator
Navigate to the extracted folder
Run the following command
C:\aurora>aurora-agent.exe --install
Verify that new events arrived in the local "Application" event log (Event Viewer)
Run the following commands to get details on the current status of the agent
C:\aurora>aurora-agent.exe --status
C:\aurora>aurora-agent.exe --status --trace
3.3. Manual installation
3.3.1. Install Aurora
You can install the agent using the following command line from command line terminal that has been started "As Administrator".
C:\aurora>aurora-agent.exe --install
After the installation the agent, configuration files and rules reside in C:\Program Files\Aurora Agent\
.
It automatically copies all rule files located in the sub-folders signatures\sigma-rules
and custom-signatures
.
The signatures\sigma-rules
folder contains the current open source rule set maintained
in the Sigma repository.
The custom-signatures
folder can be used to add your own sigma rules.
Aurora comes with with 4 configuration presets that we encourage you to explore and use:
Standard (
agent-config-standard.yml
)Reduced (
agent-config-reduced.yml
)Minimal (
agent-config-minimal.yml
)Intense (
agent-config-intense.yml
)
The different presets are explained in more detail in the chapter Configuration.
An installation that uses the preset named "reduced" would look like this:
C:\aurora>aurora-agent.exe --install -c agent-config-reduced.yml
3.3.2. Custom Settings
Adding your own Sigma rules or IOCs is described in chapter Custom Signatures and IOCs.
The preferred way is to add them to the custom-signatures
folder before you install Aurora.
All the flags that you use after --install
get written to the configuration file
named agent-config.yml
in the C:\Program Files\Aurora Agent\
folder and will be used by the service.
A typical command to install Aurora would look like this
C:\aurora>aurora-agent.exe --install --activate-responses
3.3.3. Uninstall Aurora
To uninstall the agent simply run the following command:
C:\Program Files\Aurora-Agent>aurora-agent.exe --uninstall
If the uninstaller fails due to unknown errors, you can uninstall Aurora manually with these commands (Run from an administrative shell)
C:\Users\nextron>sc stop aurora-agent
C:\Users\nextron>sc delete aurora-agent
C:\Users\nextron>rmdir /s /q "C:\Program Files\Aurora-Agent"
C:\Users\nextron>schtasks /Delete /F /TN aurora-agent-program-update
C:\Users\nextron>schtasks /Delete /F /TN aurora-agent-signature-update
3.4. Installation using ASGARD
When using ASGARD Management Center, Aurora can be installed using the Service Control
tab;
see the relevant chapter in the ASGARD manual
for details.