From 5b2c329d15c041079050e05148536cc4defe1ebc Mon Sep 17 00:00:00 2001 From: "cole@cybertek.systems" Date: Mon, 16 Mar 2026 09:21:13 -0500 Subject: [PATCH] Add per-folder READMEs and network traffic monitor project.md --- event_log_monitoring/README.md | 12 +++++ lolrmm/README.md | 12 +++++ network_traffic_monitor/README.md | 12 +++++ network_traffic_monitor/project.md | 77 ++++++++++++++++++++++++++++++ 4 files changed, 113 insertions(+) create mode 100644 event_log_monitoring/README.md create mode 100644 lolrmm/README.md create mode 100644 network_traffic_monitor/README.md create mode 100644 network_traffic_monitor/project.md diff --git a/event_log_monitoring/README.md b/event_log_monitoring/README.md new file mode 100644 index 0000000..930e927 --- /dev/null +++ b/event_log_monitoring/README.md @@ -0,0 +1,12 @@ +# Event Log Monitor + +Monitors the Windows Security Event Log for high-value security events including failed logon attempts, account lockouts, privilege escalation, and local group membership changes. Stateful — only alerts on newly observed events since the last run, preventing duplicate alerts across consecutive executions. Runs on a schedule via Syncro RMM. + +See [project.md](project.md) for full architecture, monitored event IDs, and deployment details. + +## Files + +| File | Description | +|---|---| +| `event_log_monitor.ps1` | Main Syncro script — deploy this | +| `project.md` | Architecture, monitored events, deployment guide | diff --git a/lolrmm/README.md b/lolrmm/README.md new file mode 100644 index 0000000..159c87f --- /dev/null +++ b/lolrmm/README.md 
@@ -0,0 +1,12 @@ +# LoLRMM Detector + +Detects unauthorized Remote Monitoring and Management (RMM) tools on Windows endpoints by comparing running processes, services, scheduled tasks, network connections, and registry artifacts against the live [lolrmm.io](https://lolrmm.io) catalog. Raises a Syncro alert when unapproved RMM tooling is found. + +See [project.md](project.md) for full architecture, detection layers, allowlist design, and deployment details. + +## Files + +| File | Description | +|---|---| +| `lolrmm_syncro_detector.ps1` | Main Syncro script — deploy this | +| `project.md` | Architecture, detection layers, allowlist design, deployment guide | diff --git a/network_traffic_monitor/README.md b/network_traffic_monitor/README.md new file mode 100644 index 0000000..1066897 --- /dev/null +++ b/network_traffic_monitor/README.md @@ -0,0 +1,12 @@ +# Network Traffic Monitor + +Monitors active TCP connections and DNS cache for malicious activity using live threat intelligence feeds, AbuseIPDB reputation scoring, and local behavioral heuristics. Runs hourly via Syncro RMM and raises alerts categorized as `network_traffic_critical` or `network_traffic_warning`. + +See [project.md](project.md) for full architecture, detection layers, and deployment details. + +## Files + +| File | Description | +|---|---| +| `network_traffic_monitor.ps1` | Main Syncro script — deploy this | +| `project.md` | Architecture, detection layers, deployment guide | diff --git a/network_traffic_monitor/project.md b/network_traffic_monitor/project.md new file mode 100644 index 0000000..dc5b96c --- /dev/null +++ b/network_traffic_monitor/project.md 
@@ -0,0 +1,77 @@ +# Project: Network Traffic Monitor + +## Summary + +A self-contained PowerShell script that runs hourly via **Syncro RMM** and monitors active network connections for malicious activity on Windows endpoints. + +The script performs multi-layer behavioral analysis using live threat intelligence feeds, reputation APIs, and local heuristics. Results accumulate between runs via a local state file to track recurring activity. + +--- + +## Business Problem + +Malware, data theft, and command-and-control activity all generate network traffic. Traditional antivirus misses many threats that communicate over encrypted channels or use legitimate infrastructure. This script gives Cybertek continuous, low-cost visibility into outbound connection behavior — surfacing suspicious IPs, domains, and processes before they become incidents. + +--- + +## Detection Layers + +| Layer | Description | +|---|---| +| **Threat intel blocklists** | IPs, CIDRs, and domains pulled from the Cybertek threat intel repo (Feodo Tracker, Emerging Threats, Spamhaus DROP/EDROP, URLhaus) | +| **AbuseIPDB enrichment** | Per-IP reputation scoring via AbuseIPDB v2 API (cached 24h) | +| **LOLBin correlation** | Living-off-the-land binaries and scripting engines making external connections flagged as Critical | +| **Port analysis** | Connections to known-bad ports flagged as Warning | +| **Exfil indicators** | High outbound connection volume from the same process to the same destination | +| **DNS cache monitoring** | High-entropy domains, suspicious TLDs, domains resolving to blocked IPs | + +--- + +## Architecture + +- **Language:** PowerShell 5.1+ +- **Runtime:** Syncro Windows script runner (SYSTEM context) +- **Schedule:** Hourly +- **Threat intel source:** `github.com/cybertek605/cybertek-threat-intel` (aggregated hourly) +- **Alert method:** `Rmm-Alert` with category `network_traffic_critical` or `network_traffic_warning` + +### Local Storage + +| Path | Purpose | +|---|---| +| 
`C:\ProgramData\Cybertek\NetworkMonitor\state.json` | Accumulated findings between runs | +| `C:\ProgramData\Cybertek\NetworkMonitor\abuseipdb_cache.json` | AbuseIPDB reputation cache (24h TTL) | +| `C:\ProgramData\Cybertek\NetworkMonitor\blocklists\` | Cached threat intel feed files | + +--- + +## Syncro Script Variables + +| Variable | Required | Description | +|---|---|---| +| `abuseipdb_api_key` | No | AbuseIPDB v2 API key. Without it, API enrichment is skipped and local heuristics + blocklists still run. | + +--- + +## Alert Categories + +| Category | Trigger | +|---|---| +| `network_traffic_critical` | Confirmed malicious IP/domain match, LOLBin with external connection, or exfil indicator | +| `network_traffic_warning` | Suspicious activity warranting review but below critical threshold | + +--- + +## Files + +### `network_traffic_monitor.ps1` +Production-ready Syncro script. Multi-layer network threat detection with threat intel blocklists, AbuseIPDB enrichment, LOLBin correlation, port analysis, exfil indicators, and DNS anomaly detection. + +--- + +## Deployment + +1. Import `network_traffic_monitor.ps1` into Syncro as a PowerShell script. +2. Optionally add `abuseipdb_api_key` as a Script Variable. +3. Schedule hourly via Syncro policy. +4. Monitor alerts under `network_traffic_critical` and `network_traffic_warning` categories.
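Review bot: in the `event_log_monitoring/README.md` hunk, "Stateful — only alerts on newly observed events since the last run" does not say where that state is kept, what the first run does on a host with a large backlog of failed logons and lockouts, or what happens when the state file is missing or unreadable. A first execution that alerts on every historical event floods Syncro, and a state file that can be edited by a local user lets an attacker advance the high-water mark and suppress alerts, so state the path, the first-run behaviour (seed the marker without alerting), and that the file is only writable by SYSTEM/Administrators.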
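Review bot: in the `lolrmm/README.md` hunk, "comparing ... against the live lolrmm.io catalog" makes every run depend on an external fetch from SYSTEM context, and the README does not say how the catalog is validated or what the script does when lolrmm.io is unreachable (detect against a cached copy and flag it as stale, or silently find nothing). Say which it is, and state whether the allowlist covers the Syncro agent and the approved RMM, since otherwise every managed endpoint raises an alert on first run.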
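Review bot: in the `network_traffic_monitor/project.md` hunk, the Detection Layers row "Living-off-the-land binaries and scripting engines making external connections flagged as Critical" will match the monitor itself: per Architecture it runs as PowerShell 5.1+ under the Syncro runner in SYSTEM context and makes outbound connections to `github.com` for the threat intel repo and to the AbuseIPDB v2 API, so unless the script excludes its own process (and the Syncro agent's) the LOLBin layer raises `network_traffic_critical` every hour. Document that exclusion. Related points in the same file: the Summary calls the script "self-contained" while Architecture lists two network dependencies, so say what happens when GitHub or AbuseIPDB is unreachable (run on the cached files under `C:\ProgramData\Cybertek\NetworkMonitor\blocklists\`, and whether a stale cache is itself alerted). "Per-IP reputation scoring via AbuseIPDB v2 API" sends every observed remote IP to a third party; state that private/loopback addresses are not submitted and that `abuseipdb_api_key` is never echoed into Syncro script output. "Monitors active network connections" hourly is point-in-time sampling, so a beacon that connects and disconnects between runs is invisible; say so under Summary so the coverage claim is not overstated. The thresholds behind "known-bad ports", "High outbound connection volume" and "High-entropy domains" are not given anywhere, so a reader cannot tune false positives from this document. Finally, `state.json` and the blocklist cache are inputs to detection; document the ACL on `C:\ProgramData\Cybertek\NetworkMonitor\` so a local user cannot edit them to suppress findings.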