8. Modules

This chapter lists all modules included in the full version of Aurora.

8.1. Providers

Providers are modules that do not detect anything on their own. Instead, they provide events to consumers. Each consumer requests a list of log sources, which are passed to the providers. The providers then send the events from that log source to the consumers that requested it.

8.1.1. ETW Source

Starts an ETW session and registers for ETW providers to receive events from them.

8.1.2. ETW Kernel Source

Starts a SystemTraceProvider ETW session (see Microsoft's Documentation) and registers for System Providers to receive events from them.

8.1.3. Eventlog Source

Regularly polls event logs for new events.

8.1.4. Poll Handles

Regularly polls all handles on a system.

8.2. Consumers

Consumers contain detection and self-protection logic. They register for specific log sources that they require in order to work.

8.2.1. Cobalt Strike Beacon Hunter

Detects suspicious processes beaconing to remote systems based on certain communication patterns often found in C2 frameworks, especially Cobalt Strike.

8.2.2. LSASS Dump Detector

Generic detection of LSASS process dumping.

8.2.3. ETW Canary

A detector module that tries to detect tampering with the ETW channels. (self~defence mechanism)

8.2.4. Command Line Mismatch Detector

Detects process ghosting and similar process creation anomalies.

8.2.5. Process Tampering Detector

Detects privilege escalation to LOCAL_SYSTEM within a process context and PPL protection changes (e.g. MimiDrv process manipulation)

8.2.6. Temporary Driver Load Detector

Detects driver loading events in which a driver is loaded and quickly unloaded afterwards, which could be a sign of malicious activity.