13. Known Issues

13.1. x86 Version doesn't start

The EtwCanary module is broken and doesn't work on x86 systems. You won't get an appropriate error message. The agent just crashes silently on Windows x86 systems.

13.1.1. Status

Fixed in build 4a34c345

13.2. Rules that use "Provider_Name" don't match

Sigma rules that use the field Provider_Name, e.g. the rule Eventlog Cleared (UUID: d99b79d2-0a6f-4f46-ad8b-260b6e17f982) that looks for EventID 1102 and a certain provider name couldn't match because Aurora uses Provider.Name internally.

13.2.1. Status

Fixed in build 06b7d44d (07.01.2022)

13.3. Rule: "Rundll32 Internet Connection" Misses CommandLine Field

Matches with the rule "Rundll32 Internet Connection" currently miss a CommandLine field. Adding that field to the rule is already on our list of features.

13.4. Missing Self-Defense

Folder permission checks
ETW manipulations (the ETW canary module already covers some of them)
Warning events on configuration changes