3. Usage

This chapter explains some of the more frequently used Aurora command line options in more detail.

3.1. Run Aurora

If you simply run Aurora in your terminal, it'll use the default values for each flag and no dedicated config file:

aurora-agent-64.exe

You can select one of the default config presets with the respective flag:

aurora-agent-64.exe -c agent-config-reduced.yml

A typical command line that runs Aurora and prints messages and matches to the command line and the Windows Application eventlog looks like this:

aurora-agent-64.exe --minimum-level low

3.2. Run Aurora as Service

To install Aurora as a service, use the --install flag; see the Installation chapter for more details.

A typical installation on a system with limited hardware resources could look like this:

aurora-agent-64.exe --install -c agent-config-reduced.yml

We ship Aurora with 4 presets that we recommend using. See the Configuration chapter for more information.

3.3. Status Information

The --status flag can be used to query status information from the running service.

This flag can be combined with the --json and --trace flags for JSON formatted or more detailed output.

Note

If you've set a non-standard name when starting Aurora (using --agent-name), make sure to pass the same value here as well with --agent-name.

C:\aurora>aurora-agent-64.exe --status

Aurora Agent
Version: 0.9.1
Build Revision: 37fec81332531
Signature Revision: 2022/03/21-101412
Sigma Revision: 0.20-3331-gb4245c561
Status: running
Uptime (in hours): 0

Active Outputs:
Windows Application Eventlog: enabled
Stdout: enabled

Active Modules: LsassDumpDetector, BeaconHunter, EtwCanary, CommandLineMismatchDetector, ProcessTamperingDetector, TemporaryDriverLoadDetector, ApplyIOCs, Rescontrol, Sigma, ETWSource, ETWKernelSource, EventlogSource, PollHandles

Rule Statistics:
Rule paths: C:\aurora\signatures\sigma-rules, C:\aurora\custom-signatures
Loaded rules: 1285
Rule reloads: 0
Responses: 28
False positive filters: 4
Process excludes: 0
Events missed so far: 0
Sigma matches: 8
Suppressed Sigma matches of those: 0

Response Actions: disabled

This flag can be combined with the --json or --trace flags:

  • JSON output is significantly more comprehensive, but is also more prone to changes (especially additions).

  • Trace output contains more details, for example full event statistics.
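The status output above is what a monitoring job would poll to confirm the agent is actually detecting. The following script is an added example for this chapter, not part of the Aurora agent: it parses the plain-text --status output into a dictionary and runs a few health checks on it (agent running, no missed events, rules loaded, the Sigma module and the eventlog output active). The sample text is constructed from the output shown above, and the check thresholds are assumptions of this example.

```python
"""Parse `aurora-agent-64.exe --status` text output and run health checks.

Added example for this documentation chapter, not code from the Aurora
agent. SAMPLE_STATUS is constructed from the sample output in the chapter
so the script runs without the agent installed; the thresholds in
health_problems() are assumptions of this example.
"""
import re
import subprocess
from typing import List, Optional

# Constructed from the documentation sample (raw string keeps the backslashes).
SAMPLE_STATUS = r"""Aurora Agent
Version: 0.9.1
Build Revision: 37fec81332531
Signature Revision: 2022/03/21-101412
Sigma Revision: 0.20-3331-gb4245c561
Status: running
Uptime (in hours): 0

Active Outputs:
Windows Application Eventlog: enabled
Stdout: enabled

Active Modules: LsassDumpDetector, BeaconHunter, EtwCanary, CommandLineMismatchDetector, ProcessTamperingDetector, TemporaryDriverLoadDetector, ApplyIOCs, Rescontrol, Sigma, ETWSource, ETWKernelSource, EventlogSource, PollHandles

Rule Statistics:
Rule paths: C:\aurora\signatures\sigma-rules, C:\aurora\custom-signatures
Loaded rules: 1285
Rule reloads: 0
Responses: 28
False positive filters: 4
Process excludes: 0
Events missed so far: 0
Sigma matches: 8
Suppressed Sigma matches of those: 0

Response Actions: disabled
"""

# "Key: value" where the key is everything before the first colon, so a
# drive letter inside the value (C:\aurora\...) stays part of the value.
LINE_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_status(text: str) -> dict:
    """Turn the status text into a dict.

    Integers become int, comma-separated values become lists, and section
    headers without a value ("Active Outputs:") are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner line such as "Aurora Agent"
        key, value = m.group(1).strip(), m.group(2).strip()
        if not value:
            continue  # section header
        if value.isdigit():
            fields[key] = int(value)
        elif "," in value:
            fields[key] = [v.strip() for v in value.split(",")]
        else:
            fields[key] = value
    return fields


def health_problems(fields: dict, max_missed: int = 0, min_rules: int = 1000) -> List[str]:
    """Return a list of findings; an empty list means the agent looks healthy.

    max_missed and min_rules are assumed thresholds; tune them per deployment.
    """
    problems = []
    if fields.get("Status") != "running":
        problems.append(f"agent status is {fields.get('Status')!r}, expected 'running'")
    missed = fields.get("Events missed so far", 0)
    if missed > max_missed:
        problems.append(f"{missed} events missed so far (agent may be overloaded)")
    if fields.get("Loaded rules", 0) < min_rules:
        problems.append(f"only {fields.get('Loaded rules', 0)} rules loaded, expected >= {min_rules}")
    if "Sigma" not in fields.get("Active Modules", []):
        problems.append("Sigma module is not active, rule matching is off")
    if fields.get("Windows Application Eventlog") != "enabled":
        problems.append("eventlog output disabled, log forwarding would miss matches")
    return problems


def query_agent(agent_name: Optional[str] = None) -> dict:
    """Run the real agent's --status and parse it (Windows host with Aurora installed).

    Pass agent_name when the service was started with --agent-name, as the
    chapter's note requires.
    """
    cmd = ["aurora-agent-64.exe", "--status"]
    if agent_name:
        cmd += ["--agent-name", agent_name]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_status(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for finding in health_problems(parse_status(SAMPLE_STATUS)) or ["agent healthy"]:
        print(finding)
```

Swap `parse_status(SAMPLE_STATUS)` for `query_agent()` in a scheduled task on the host to turn this into a real check; because the text format is what the chapter documents, the parser is written against it rather than against the --json output, whose fields the chapter notes are more prone to change.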

3.4. Tracing Events

Using the --trace flag, you can view all the events Aurora observes in the different subscribed channels.

It's a good idea to write the output to a file in order to search in it later.

aurora-agent-64.exe --trace > d:\aurora-trace.log