5. Usage
This chapter explains some more frequently used command line options used by Aurora in more detail.
5.1. Run Aurora
If you simply run Aurora in your terminal without any arguments, it uses the default value for every flag and no dedicated config file:
C:\aurora>aurora-agent-64.exe
You can select one of the default config presets with the respective flag:
C:\aurora>aurora-agent-64.exe -c agent-config-reduced.yml
A typical command line that runs Aurora and prints messages and matches to the command line and the Windows Application eventlog looks like this:
C:\aurora>aurora-agent-64.exe --minimum-level low
5.2. Run Aurora as Service
To install Aurora as a service, use the --install flag; see the chapter Installation for more details.
A typical installation on systems that have limited hardware resources could look like this:
C:\aurora>aurora-agent-64.exe --install -c agent-config-reduced.yml
We ship Aurora with 4 presets that we recommend using. See the chapter Configuration for more information.
5.3. Aurora Service Status Information
The --status flag can be used to query status information from the running service.
This flag can be combined with the --json and --trace flags for JSON formatted or more detailed output.
Note
If you've set a non-standard name when starting Aurora (using --agent-name), make sure to pass the same value here as well with --agent-name.
C:\aurora>aurora-agent-64.exe --status
Aurora Agent
Version: 0.9.1
Build Revision: 37fec81332531
Signature Revision: 2022/03/21-101412
Sigma Revision: 0.20-3331-gb4245c561
Status: running
Uptime (in hours): 0

Active Outputs:
 Windows Application Eventlog: enabled
 Stdout: enabled

Active Modules: LsassDumpDetector, BeaconHunter, EtwCanary, CommandLineMismatchDetector, ProcessTamperingDetector, TemporaryDriverLoadDetector, ApplyIOCs, Rescontrol, Sigma, ETWSource, ETWKernelSource, EventlogSource, PollHandles

Rule Statistics:
 Rule paths: C:\aurora\signatures\sigma-rules, C:\aurora\custom-signatures
 Loaded rules: 1285
 Rule reloads: 0
 Responses: 28

False positive filters: 4
Process excludes: 0

Events missed so far: 0
Sigma matches: 8
Suppressed Sigma matches of those: 0

Response Actions: disabled
This flag can be combined with the --json or --trace flags:
JSON output is significantly more comprehensive, but is also more prone to changes between versions (especially additions).
Trace output contains more details, for example full event statistics.
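The plain-text status output above is stable enough to be checked by a monitoring job. The following script is an added example, not part of the Aurora documentation or product: it parses the `--status` text into a dictionary and derives a health verdict from it (agent running, no missed events, rules loaded, expected modules active). The field names come from the output shown in this chapter; the sample text is constructed from it, and the thresholds and required-module list are assumptions chosen for the example.

```python
"""Parse `aurora-agent-64.exe --status` text and derive a health verdict.

Added example: written against the status output reproduced in section 5.3 of the
Aurora manual. Thresholds and required modules below are assumptions for illustration.
"""
from typing import Any, Dict, List

# Constructed sample: the `--status` output shown in section 5.3, as a raw string so
# the backslashes in the Windows rule paths survive literally.
SAMPLE_STATUS = r"""Aurora Agent
Version: 0.9.1
Build Revision: 37fec81332531
Signature Revision: 2022/03/21-101412
Sigma Revision: 0.20-3331-gb4245c561
Status: running
Uptime (in hours): 0

Active Outputs:
 Windows Application Eventlog: enabled
 Stdout: enabled

Active Modules: LsassDumpDetector, BeaconHunter, EtwCanary, CommandLineMismatchDetector, ProcessTamperingDetector, TemporaryDriverLoadDetector, ApplyIOCs, Rescontrol, Sigma, ETWSource, ETWKernelSource, EventlogSource, PollHandles

Rule Statistics:
 Rule paths: C:\aurora\signatures\sigma-rules, C:\aurora\custom-signatures
 Loaded rules: 1285
 Rule reloads: 0
 Responses: 28

False positive filters: 4
Process excludes: 0

Events missed so far: 0
Sigma matches: 8
Suppressed Sigma matches of those: 0

Response Actions: disabled
"""

# Fields whose value is a comma-separated list in the status output.
LIST_FIELDS = {"Active Modules", "Rule paths"}


def _coerce(key: str, value: str) -> Any:
    """Convert a raw value into a list or int where the field is known to be one."""
    if key in LIST_FIELDS:
        return [item.strip() for item in value.split(",") if item.strip()]
    return int(value) if value.isdigit() else value


def parse_status(text: str) -> Dict[str, Any]:
    """Parse status text into a nested dict.

    Top-level `Key: value` lines become entries. A line ending in ':' (e.g.
    "Active Outputs:") opens a section; the indented `Key: value` lines that
    follow are collected under it until the next non-indented line.
    """
    status: Dict[str, Any] = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        line = raw.strip()
        if line.endswith(":"):
            section = line[:-1]
            status[section] = {}
            continue
        key, sep, value = line.partition(":")  # first colon only: paths keep theirs
        if not sep:  # banner line "Aurora Agent"
            status["Banner"] = line
            section = None
            continue
        key = key.strip()
        value = _coerce(key, value.strip())
        if indented and section is not None:
            status[section][key] = value
        else:
            section = None
            status[key] = value
    return status


def health_findings(status: Dict[str, Any],
                    required_modules: tuple = ("Sigma", "EventlogSource"),
                    max_missed_events: int = 0) -> List[str]:
    """Return human-readable problems; an empty list means the agent looks healthy.

    The required modules and the missed-event threshold are assumed defaults.
    """
    findings: List[str] = []
    if status.get("Status") != "running":
        findings.append(f"agent status is {status.get('Status')!r}, expected 'running'")
    missed = status.get("Events missed so far", 0)
    if missed > max_missed_events:
        findings.append(f"{missed} events missed so far (threshold {max_missed_events})")
    if status.get("Rule Statistics", {}).get("Loaded rules", 0) == 0:
        findings.append("no rules loaded")
    active = set(status.get("Active Modules", []))
    for module in required_modules:
        if module not in active:
            findings.append(f"required module {module} is not active")
    return findings


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    print(f"Loaded rules: {parsed['Rule Statistics']['Loaded rules']}")
    print("Findings:", health_findings(parsed) or "none")
```

In production the text would come from running `aurora-agent-64.exe --status` (with the same `--agent-name` as the service, if one was set) rather than from the embedded sample; the `--json` output is richer, but as the chapter notes it is more likely to change between versions, so a parser for it needs to tolerate new fields.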
5.4. Tracing Events
Using the --trace flag you can view all the events Aurora observes in the different subscribed channels.
It's a good idea to write the output to a file in order to search in it later:
C:\aurora>aurora-agent-64.exe --trace > d:\aurora-trace.log