# Cybertek Detection Scripts

> **Internal review only — shared with Cybertek colleagues for code review and further development.**

Syncro RMM scripts used by Cybertek Systems for endpoint security monitoring. Each script runs on a schedule via Syncro and raises alerts when suspicious activity is detected.

---

## Scripts

### Network Traffic Monitor
**`network_traffic_monitor/network_traffic_monitor.ps1`**

Monitors active network connections for malicious IPs using live threat intelligence feeds (aggregated hourly from abuse.ch, Emerging Threats, and others). Raises a Syncro alert categorized as `network_traffic_critical` or `network_traffic_warning` depending on threat severity.

---

### LoLRMM Detector
**`lolrmm/lolrmm_syncro_detector.ps1`**

Detects unauthorized Remote Monitoring and Management (RMM) tools running on endpoints. Checks running processes and installed software against the [lolrmm.io](https://lolrmm.io) database of known RMM tools. Raises a Syncro alert if any unapproved RMM tool is found.

---

### Event Log Monitor
**`event_log_monitoring/event_log_monitor.ps1`**

Monitors the Windows Security Event Log for high-value security events — including failed logon attempts, privilege escalation, account lockouts, and suspicious process activity. Raises Syncro alerts categorized by severity.

---

## Deployment

All scripts are deployed and scheduled via Syncro RMM. Each script is self-contained and requires only a Syncro API key configured as a Script Variable within the Syncro platform.