This chapter lists all modules included in the full version of Aurora.
9.1. Providers
Providers are modules that do not detect anything on their own. Instead, they provide events to consumers. Each consumer requests a list of log sources, which are passed to the providers. The providers then send the events from those log sources to the consumers that requested them.
9.1.1. ETW Source
Starts an ETW session and registers for ETW providers to receive events from them.
9.1.2. ETW Kernel Source
Starts a SystemTraceProvider ETW session (see Microsoft's Documentation) and registers for System Providers to receive events from them.
9.1.3. Eventlog Source
Regularly polls event logs for new events.
9.1.4. Poll Handles
Regularly polls all handles on a system.
9.2. Consumers
Consumers contain the detection and self-protection logic. They register for the specific log sources that they require in order to work.
9.2.1. Cobalt Strike Beacon Hunter
Detects suspicious processes beaconing to remote systems based on certain communication patterns often found in C2 frameworks, especially Cobalt Strike.
9.2.2. LSASS Dump Detector
Generic detection of LSASS process dumping.
9.2.3. ETW Canary
A detector module that tries to detect tampering with the ETW channels (self-defense mechanism).
9.2.4. Command Line Mismatch Detector
Detects process ghosting and similar process creation anomalies.
9.2.5. Process Tampering Detector
Detects privilege escalation to LOCAL_SYSTEM within a process context and PPL protection changes (e.g. MimiDrv process manipulation).
9.2.6. Temporary Driver Load Detector
Detects driver loading events in which a driver is loaded and quickly unloaded afterwards, which could be a sign of malicious activity.