4. Usage

This chapter explains some more frequently used command line options used by Aurora in more detail.

4.1. Run Aurora

If you simply run Aurora in your terminal, it'll use the default values for each flag and no dedicated config file:

C:\aurora>aurora-agent-64.exe

You can select one of the default config presets with the respective flag:

C:\aurora>aurora-agent-64.exe -c agent-config-reduced.yml

A typical command line that runs Aurora and writes messages and matches both to the console and to the Windows Application event log looks like this:

C:\aurora>aurora-agent-64.exe --minimum-level low

4.2. Run Aurora as Service

To install Aurora as a service, use the --install flag; see the chapter Installation for more details.

A typical installation on systems with limited hardware resources could look like this:

C:\aurora>aurora-agent-64.exe --install -c agent-config-reduced.yml

We ship Aurora with 4 presets that we recommend using. See the chapter Configuration for more information.

4.3. Status Information

The --status flag can be used to query status information from the running service.

This flag can be combined with the --json and --trace flags for JSON formatted or more detailed output.

Note

If you've set a non-standard name when starting Aurora (using --agent-name), make sure to pass the same value here as well with --agent-name.

C:\aurora>aurora-agent-64.exe --status
Aurora Agent
Version: 0.9.1
Build Revision: 37fec81332531
Signature Revision: 2022/03/21-101412
Sigma Revision: 0.20-3331-gb4245c561
Status: running
Uptime (in hours): 0

Active Outputs:
    Windows Application Eventlog: enabled
    Stdout: enabled

Active Modules: LsassDumpDetector, BeaconHunter, EtwCanary, CommandLineMismatchDetector, ProcessTamperingDetector, TemporaryDriverLoadDetector, ApplyIOCs, Rescontrol, Sigma, ETWSource, ETWKernelSource, EventlogSource, PollHandles

Rule Statistics:
    Rule paths: C:\aurora\signatures\sigma-rules, C:\aurora\custom-signatures
    Loaded rules: 1285
    Rule reloads: 0
    Responses: 28

False positive filters: 4
Process excludes: 0

Events missed so far: 0
Sigma matches: 8
Suppressed Sigma matches of those: 0

Response Actions: disabled

This flag can be combined with the --json or --trace flags:

  • JSON output is significantly more comprehensive, but is also more prone to changes (especially additions).

  • Trace output contains more details, for example full event statistics.
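The status output above is what a fleet health check would consume. The following is an added example, not part of the Aurora documentation or product: it parses the text form of the --status output (a constructed sample in the format shown above is embedded so it runs without an Aurora installation) and flags the conditions a defender cares about, such as a stopped agent, missed events, no loaded rules or a disabled output channel.

```python
# Constructed sample in the format of the --status output shown above.
SAMPLE_STATUS = """Aurora Agent
Status: running

Active Outputs:
    Windows Application Eventlog: enabled

Rule Statistics:
    Rule paths: C:\\aurora\\signatures\\sigma-rules, C:\\aurora\\custom-signatures
    Loaded rules: 1285

Events missed so far: 0
"""


def parse_status(text):
    """Top-level "Key: value" lines become entries, an indented block under a
    "Section:" header a nested dict, comma lists a list, integers an int."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends an indented block
            continue
        if ":" not in line:
            continue  # banner line such as "Aurora Agent"
        key, _, value = (s.strip() for s in line.partition(":"))
        if not value and not raw.startswith(" "):
            section = key  # header such as "Active Outputs:"
            result[section] = {}
            continue
        if "," in value:
            value = [v.strip() for v in value.split(",")]
        elif value.isdigit():
            value = int(value)
        target = result[section] if section and raw.startswith(" ") else result
        target[key] = value
    return result


def check_health(status, required_outputs=("Windows Application Eventlog",)):
    """Return findings that point to a telemetry or detection gap."""
    findings = []
    if status.get("Status") != "running":
        findings.append("agent status is %r, not running" % status.get("Status"))
    if status.get("Events missed so far", 0) > 0:
        findings.append("%d events missed" % status["Events missed so far"])
    if not status.get("Rule Statistics", {}).get("Loaded rules"):
        findings.append("no rules loaded")
    for name in required_outputs:
        if status.get("Active Outputs", {}).get(name) != "enabled":
            findings.append("output %r is not enabled" % name)
    return findings
```

On a real host, feed the captured output of aurora-agent-64.exe --status into parse_status and alert on a non-empty findings list.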

4.4. Tracing Events

Using the --trace flag you can view all the events Aurora observes in the different subscribed channels.

It's a good idea to redirect the output to a file so that you can search it later:

C:\aurora>aurora-agent-64.exe --trace > d:\aurora-trace.log