This artifact is a wrapper around the Windows.EventLogs.EvtxHunter artifact. It searches the Windows Application event log for logs being written by Nextron System’s Aurora/Aurora Lite (‘AuroraAgent’ provider).
name: Windows.EventLogs.Aurora
author: Wes Lambert - @therealwlambert
description: |
This artifact is a wrapper around the Windows.EventLogs.EvtxHunter artifact. It searches the Windows Application event log for logs being written by Nextron System's Aurora/Aurora Lite ('AuroraAgent' provider).
reference:
- https://www.nextron-systems.com/aurora/
parameters:
- name: MessageRegex
description: "Message regex to enable filtering on message"
default: .
- name: TargetGlob
default: '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
- name: VSSAnalysisAge
type: int
default: 0
description: |
If larger than zero we analyze VSS within this many days
ago. (e.g 7 will analyze all VSS within the last week). Note
that when using VSS analysis we have to use the ntfs accessor
for everything which will be much slower.
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT EventTime,
Computer,
Channel,
Provider,
EventID,
EventRecordID,
EventData,
Message,
FullPath
FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob=TargetGlob,
ProviderRegex="AuroraAgent",
VSSAnalysisAge=VSSAnalysisAge)
WHERE Message =~ MessageRegex