search

NextronSystems / aurora-agent-lite

Repository to handle issues with our free EDR agent Aurora Lite
25 stars 0 forks source link

External IP address requests #8

Closed ll3N1GmAll closed 1 month ago

ll3N1GmAll commented 6 months ago

We are seeing external IP contact attempts from launcher.exe to, at least, the following IP addresses: 208.111.186.0 208.111.186.128 35.196.217.93 34.149.84.181 23.218.218.71 2600:1408:c400:24::17da:d81b 2600:1408:c400:24::17da:d832 23.218.218.70 23.47.204.45 23.204.152.18 23.204.152.20 23.204.152.38 23.204.152.43 23.204.152.45 23.204.152.5 23.215.0.12 23.215.0.13 23.215.0.15 23.215.0.4 23.215.0.5 23.215.0.9 23.218.218.17 23.218.218.24 23.218.218.71 23.218.218.76 23.221.227.25 23.221.227.32 23.221.227.33 23.221.227.38 23.221.227.52 23.221.227.9 23.223.17.164 23.223.17.168 23.47.204.45 23.47.204.46 23.47.204.50 23.47.204.53 23.47.204.54 23.47.204.65 23.47.204.72 23.47.204.74 23.47.204.79 23.47.204.81 23.49.5.196 23.49.5.214 23.53.122.134 23.53.122.137 2600:1404:ec00:45::1724:d9af 2600:1404:ec00:45::1724:d9b0 2600:1407:b800::6872:4f91 2600:1407:b800::6872:4fba 2600:1408:c400:2e::17de:410 2600:1408:c400:2e::17de:41b 2600:1408:ec00:17::17d7:86 2600:1408:ec00:17::17d7:8f 2600:1408:ec00:23::1735:2349 2600:1408:ec00:23::1735:2350 2600:141b:f000:14::172e:9c86 2600:141b:f000:14::172e:9c9e 2600:141b:f000:14::172e:9ca9 2600:141b:f000:14::172e:9cb0 34.149.84.181 35.196.217.93 88.221.134.16 88.221.134.9 88.221.135.208 88.221.135.210 88.221.135.219 88.221.135.89 92.123.140.122 92.123.142.232

What are these attempts for? Does the client update sigma rules via any of these resources? Is there any data from our network being sent anywhere? Thank you for your assistance.

redteampanda-ng commented 6 months ago

@ll3N1GmAll I transferred the issue to the correct repository.

You mentioned the launcher.exe, this is not part of the Aurora package. How did you download Aurora and which command do you use to launch it? There are only three FQDNs Aurora will contact, and this only happens if you are initiating either an upgrade or an update via aurora-agent-util.exe. Otherwise Aurora is running completely offline.

The following remote host are used: update-aurora.nextron-systems.com update-101.nextron-systems.com update-102.nextron-systems.com

Thanks

ll3N1GmAll commented 6 months ago

My apologies, the above info is related to our Security Onion deployment. I intended to reach out to both communities about the same issue and switched my info accidentally on this request. The Aurora-Agent-util.exe's external comms are to: 207.244.242.102 & 82.165.105.236. This occurs when we have not initiated any update/upgrade. Is there an update process that runs periodically automatically? Are these updates for sigma rules or for the agent itself?

redteampanda-ng commented 6 months ago

The aurora agent itself does not open any network connections. (Sigma) Updates are being downloaded from our update servers (the IPs you mentioned), and aurora itself does not do this. The util binary does this and only when invoked manually. We designed aurora in that way so it can be used offline (after you downloaded the newest signatures).

I am not able to reproduce this. I just had aurora run for one hour and checked the traffic, no outside connection was opened. The only time the one of the two IPs you mentioned were contacted is when I manually ran aurora-agent-util.exe upgrade and aurora-agent-util.exe update.

What version of aurora are you running and how do you run it? Please provide the output of the following command: aurora-agent-64.exe --version

redteampanda-ng commented 6 months ago

One more thing, if you installed aurora (--install flag), a scheduled task will be created which looks sporadically for updates. Perhaps this is what you are seeing, but I don't know how you are running aurora, so please let me know how you are using it.

ll3N1GmAll commented 6 months ago

Aurora Agent Lite Version 1.1.5 (2a65c69d13bed), Signature Revision 2023/11/08-190603 (Sigma r2023-11-06-3-g67c323c5f) (C) Nextron Systems GmbH, 2022

I did run it with the --install flag.

redteampanda-ng commented 6 months ago

Thanks for the info. Once you install aurora, the following scheduled tasks will be created:

Signature Update - Triggers daily at 12:30 and whenever a user logs into the host -> aurora-agent-signature-update Aurora Update - Triggers weekly on Mondays at 12:30 -> aurora-agent-program-update

You can disable those tasks, but you have to do updates manually to get the latest signatures and aurora updates.

https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html#automatic-updates-via-scheduled-tasks

Does this answer your question?

nasbench commented 1 month ago

Closing this issues for unresponsiveness. But overall the issue should be resolved as those IPs are the ones used by the Aurora agent. Check this for the full list of IPs https://www.nextron-systems.com/resources/hosts/