This artifact is a wrapper around the Windows.EventLogs.EvtxHunter artifact. It searches the Windows Application event log for logs being written by Nextron System’s Aurora/Aurora Lite (‘AuroraAgent’ provider).
name: Windows.EventLogs.Aurora
author: Wes Lambert - @therealwlambert
description: |
This artifact is a wrapper around the Windows.EventLogs.EvtxHunter artifact. It searches the Windows Application event log for logs being written by Nextron System's Aurora/Aurora Lite ('AuroraAgent' provider).
reference:
- https://www.nextron-systems.com/aurora/
parameters:
- name: MessageRegex
description: "Message regex to enable filtering on message"
default: .
- name: TargetGlob
default: '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
- name: TargetVSS
type: bool
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT EventTime,
Computer,
Channel,
Provider,
EventID,
EventRecordID,
EventData,
Message,
FullPath
FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob=TargetGlob,
ProviderRegex="AuroraAgent",
SearchVSS=TargetVSS)
WHERE Message =~ MessageRegex