Add per-folder READMEs and network traffic monitor project.md

master
cole@cybertek.systems 2026-03-16 09:21:13 -05:00
parent 10dd6ea127
commit 5b2c329d15
4 changed files with 113 additions and 0 deletions


@ -0,0 +1,12 @@
# Event Log Monitor
Monitors the Windows Security Event Log for high-value security events including failed logon attempts, account lockouts, privilege escalation, and local group membership changes. Stateful — only alerts on newly observed events since the last run, preventing duplicate alerts across consecutive executions. Runs on a schedule via Syncro RMM.
See [project.md](project.md) for full architecture, monitored event IDs, and deployment details.
## Files
| File | Description |
|---|---|
| `event_log_monitor.ps1` | Main Syncro script — deploy this |
| `project.md` | Architecture, monitored events, deployment guide |
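
Review bot: The "Stateful" sentence in the description paragraph says the monitor only alerts on events newly observed since the last run, but it does not say where that state is persisted or how the first run behaves (baseline silently, or alert on the whole backlog of failed logons and lockouts already in the log). Add the state file path and the first-run behaviour here, the way the network-monitor `project.md` in this same commit documents its `state.json`, so an operator knows what to expect on initial deployment and what to delete to reset the monitor.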

lolrmm/README.md Normal file

@ -0,0 +1,12 @@
# LoLRMM Detector
Detects unauthorized Remote Monitoring and Management (RMM) tools on Windows endpoints by comparing running processes, services, scheduled tasks, network connections, and registry artifacts against the live [lolrmm.io](https://lolrmm.io) catalog. Raises a Syncro alert when unapproved RMM tooling is found.
See [project.md](project.md) for full architecture, detection layers, allowlist design, and deployment details.
## Files
| File | Description |
|---|---|
| `lolrmm_syncro_detector.ps1` | Main Syncro script — deploy this |
| `project.md` | Architecture, detection layers, allowlist design, deployment guide |
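
Review bot: The description paragraph says detection compares endpoint artifacts against the "live" lolrmm.io catalog, but nothing states what happens when that fetch fails or returns an empty document (skip the run, fall back to a cached copy, or raise an alert). A detector that silently compares against an empty catalog reports nothing while appearing healthy, so state the fail-open/fail-closed behaviour here or in `project.md`, and note where the allowlist mentioned in the second sentence is configured, since this README is the "deploy this" entry point.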


@ -0,0 +1,12 @@
# Network Traffic Monitor
Monitors active TCP connections and DNS cache for malicious activity using live threat intelligence feeds, AbuseIPDB reputation scoring, and local behavioral heuristics. Runs hourly via Syncro RMM and raises alerts categorized as `network_traffic_critical` or `network_traffic_warning`.
See [project.md](project.md) for full architecture, detection layers, and deployment details.
## Files
| File | Description |
|---|---|
| `network_traffic_monitor.ps1` | Main Syncro script — deploy this |
| `project.md` | Architecture, detection layers, deployment guide |
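
Review bot: The description paragraph lists AbuseIPDB reputation scoring as a detection source without noting that it depends on the optional `abuseipdb_api_key` Script Variable documented in `project.md`; add a one-line note here, since this README is the "deploy this" entry point and a deployment without the key silently loses that enrichment layer while the other layers keep running.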


@ -0,0 +1,77 @@
# Project: Network Traffic Monitor
## Summary
A self-contained PowerShell script that runs hourly via **Syncro RMM** and monitors active network connections for malicious activity on Windows endpoints.
The script performs multi-layer behavioral analysis using live threat intelligence feeds, reputation APIs, and local heuristics. Results accumulate between runs via a local state file to track recurring activity.
---
## Business Problem
Malware, data theft, and command-and-control activity all generate network traffic. Traditional antivirus misses many threats that communicate over encrypted channels or use legitimate infrastructure. This script gives Cybertek continuous, low-cost visibility into outbound connection behavior — surfacing suspicious IPs, domains, and processes before they become incidents.
---
## Detection Layers
| Layer | Description |
|---|---|
| **Threat intel blocklists** | IPs, CIDRs, and domains pulled from the Cybertek threat intel repo (Feodo Tracker, Emerging Threats, Spamhaus DROP/EDROP, URLhaus) |
| **AbuseIPDB enrichment** | Per-IP reputation scoring via AbuseIPDB v2 API (cached 24h) |
| **LOLBin correlation** | Living-off-the-land binaries and scripting engines making external connections flagged as Critical |
| **Port analysis** | Connections to known-bad ports flagged as Warning |
| **Exfil indicators** | High outbound connection volume from the same process to the same destination |
| **DNS cache monitoring** | High-entropy domains, suspicious TLDs, domains resolving to blocked IPs |
---
## Architecture
- **Language:** PowerShell 5.1+
- **Runtime:** Syncro Windows script runner (SYSTEM context)
- **Schedule:** Hourly
- **Threat intel source:** `github.com/cybertek605/cybertek-threat-intel` (aggregated hourly)
- **Alert method:** `Rmm-Alert` with category `network_traffic_critical` or `network_traffic_warning`
### Local Storage
| Path | Purpose |
|---|---|
| `C:\ProgramData\Cybertek\NetworkMonitor\state.json` | Accumulated findings between runs |
| `C:\ProgramData\Cybertek\NetworkMonitor\abuseipdb_cache.json` | AbuseIPDB reputation cache (24h TTL) |
| `C:\ProgramData\Cybertek\NetworkMonitor\blocklists\` | Cached threat intel feed files |
---
## Syncro Script Variables
| Variable | Required | Description |
|---|---|---|
| `abuseipdb_api_key` | No | AbuseIPDB v2 API key. Without it, API enrichment is skipped and local heuristics + blocklists still run. |
---
## Alert Categories
| Category | Trigger |
|---|---|
| `network_traffic_critical` | Confirmed malicious IP/domain match, LOLBin with external connection, or exfil indicator |
| `network_traffic_warning` | Suspicious activity warranting review but below critical threshold |
---
## Files
### `network_traffic_monitor.ps1`
Production-ready Syncro script. Multi-layer network threat detection with threat intel blocklists, AbuseIPDB enrichment, LOLBin correlation, port analysis, exfil indicators, and DNS anomaly detection.
---
## Deployment
1. Import `network_traffic_monitor.ps1` into Syncro as a PowerShell script.
2. Optionally add `abuseipdb_api_key` as a Script Variable.
3. Schedule hourly via Syncro policy.
4. Monitor alerts under `network_traffic_critical` and `network_traffic_warning` categories.
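
Review bot: The LOLBin correlation row in Detection Layers flags scripting engines making external connections as Critical, yet the script is itself PowerShell running as SYSTEM and, per Architecture, reaches `github.com/cybertek605/cybertek-threat-intel` and the AbuseIPDB API on every hourly run; unless the script excludes its own process (or those destinations) from that layer, each run will raise a `network_traffic_critical` alert on itself. Document that exclusion under Detection Layers or Architecture. Two smaller gaps in the same hunk: "Results accumulate between runs" in the Summary and the `state.json` row give no retention or pruning rule, so the file grows without bound; and the Exfil indicators row says "High outbound connection volume" without the threshold that promotes a finding to Critical, which an operator tuning alert noise will need.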