# Project: Network Traffic Monitor

## Summary

A self-contained PowerShell script that runs hourly via **Syncro RMM** and monitors active network connections for malicious activity on Windows endpoints. The script performs multi-layer behavioral analysis using live threat intelligence feeds, reputation APIs, and local heuristics. Results accumulate between runs via a local state file to track recurring activity.

---

## Business Problem

Malware, data theft, and command-and-control activity all generate network traffic. Traditional antivirus misses many threats that communicate over encrypted channels or use legitimate infrastructure. This script gives Cybertek continuous, low-cost visibility into outbound connection behavior — surfacing suspicious IPs, domains, and processes before they become incidents.

---

## Detection Layers

| Layer | Description |
|---|---|
| **Threat intel blocklists** | IPs, CIDRs, and domains pulled from the Cybertek threat intel repo (Feodo Tracker, Emerging Threats, Spamhaus DROP/EDROP, URLhaus) |
| **AbuseIPDB enrichment** | Per-IP reputation scoring via AbuseIPDB v2 API (cached 24h) |
| **LOLBin correlation** | Living-off-the-land binaries and scripting engines making external connections flagged as Critical |
| **Port analysis** | Connections to known-bad ports flagged as Warning |
| **Exfil indicators** | High outbound connection volume from the same process to the same destination |
| **DNS cache monitoring** | High-entropy domains, suspicious TLDs, domains resolving to blocked IPs |

---

## Architecture

- **Language:** PowerShell 5.1+
- **Runtime:** Syncro Windows script runner (SYSTEM context)
- **Schedule:** Hourly
- **Threat intel source:** `github.com/cybertek605/cybertek-threat-intel` (aggregated hourly)
- **Alert method:** `Rmm-Alert` with category `network_traffic_critical` or `network_traffic_warning`

### Local Storage

| Path | Purpose |
|---|---|
| `C:\ProgramData\Cybertek\NetworkMonitor\state.json` | Accumulated findings between runs |
| `C:\ProgramData\Cybertek\NetworkMonitor\abuseipdb_cache.json` | AbuseIPDB reputation cache (24h TTL) |
| `C:\ProgramData\Cybertek\NetworkMonitor\blocklists\` | Cached threat intel feed files |

---

## Syncro Script Variables

| Variable | Required | Description |
|---|---|---|
| `abuseipdb_api_key` | No | AbuseIPDB v2 API key. Without it, API enrichment is skipped; local heuristics and blocklists still run. |

---

## Alert Categories

| Category | Trigger |
|---|---|
| `network_traffic_critical` | Confirmed malicious IP/domain match, LOLBin with external connection, or exfil indicator |
| `network_traffic_warning` | Suspicious activity warranting review but below the critical threshold |

---

## Files

### `network_traffic_monitor.ps1`

Production-ready Syncro script. Multi-layer network threat detection with threat intel blocklists, AbuseIPDB enrichment, LOLBin correlation, port analysis, exfil indicators, and DNS anomaly detection.

---

## Deployment

1. Import `network_traffic_monitor.ps1` into Syncro as a PowerShell script.
2. Optionally add `abuseipdb_api_key` as a Script Variable.
3. Schedule hourly via Syncro policy.
4. Monitor alerts under the `network_traffic_critical` and `network_traffic_warning` categories.
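The DNS cache monitoring layer above lists three heuristics (high-entropy labels, suspicious TLDs, resolution to a blocklisted IP) without showing how they are scored. The following is an added example, not code from `network_traffic_monitor.ps1` or the Cybertek repo: it implements those three checks over constructed DNS cache entries. The entropy threshold, the minimum label length, the TLD list, the severity mapping, and the sample entries are all assumptions; on a live endpoint the entries would come from `Get-DnsClientCache`.

```powershell
# Added example (not the Cybertek script's own code): scores DNS cache entries with
# the README's three heuristics. Thresholds and lists below are assumptions.
$SuspiciousTlds   = @('.top', '.xyz', '.zip')   # assumed watch list
$EntropyThreshold = 3.5                          # assumed, bits per character
$MinLabelLength   = 12                           # assumed: short labels are never "high entropy"

function Get-ShannonEntropy {
    # Shannon entropy of a string in bits per character (0 for empty input).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    if ($Text.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $entropy = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

function Test-DnsCacheEntry {
    # Returns a finding object for one cached name and the IPs it resolved to.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$ResolvedIps = @(),
        [Parameter(Mandatory)][hashtable]$BlockedIps   # keys are blocklisted IPs
    )
    $reasons  = @()
    $severity = 'Info'
    $labels   = $Name.ToLower().TrimEnd('.').Split('.')

    # Measure entropy on the registrable label only, so long but ordinary
    # hostnames (cdn.assets.example.com) are not penalised for their length.
    $sld = if ($labels.Count -ge 2) { $labels[-2] } else { $labels[0] }
    $entropy = Get-ShannonEntropy $sld
    if ($sld.Length -ge $MinLabelLength -and $entropy -ge $EntropyThreshold) {
        $reasons += "high-entropy label '$sld' ($([Math]::Round($entropy, 2)) bits/char)"
        $severity = 'Warning'
    }

    $tld = '.' + $labels[-1]
    if ($SuspiciousTlds -contains $tld) {
        $reasons += "suspicious TLD $tld"
        $severity = 'Warning'
    }

    # A name resolving to a blocklisted IP is a confirmed match, so it outranks
    # the two heuristic signals and maps to the Critical alert category.
    foreach ($ip in $ResolvedIps) {
        if ($BlockedIps.ContainsKey($ip)) {
            $reasons += "resolves to blocklisted IP $ip"
            $severity = 'Critical'
        }
    }

    [pscustomobject]@{ Name = $Name; Severity = $severity; Reasons = $reasons }
}

# Constructed sample data. 203.0.113.0/24 is a documentation range, not a real indicator.
$blocked = @{ '203.0.113.7' = 'feodo-tracker' }
$samples = @(
    @{ Name = 'www.microsoft.com';               Ips = @('20.70.246.20') },
    @{ Name = 'x7k2p9q4m1zt8v.top';              Ips = @('198.51.100.9') },
    @{ Name = 'update-check.example.net';        Ips = @('203.0.113.7') }
)
# On a live endpoint: Get-DnsClientCache | Where-Object Data | group by Entry, pass Entry and Data.
$findings = foreach ($s in $samples) { Test-DnsCacheEntry -Name $s.Name -ResolvedIps $s.Ips -BlockedIps $blocked }
$findings | Where-Object { $_.Severity -ne 'Info' } | Format-Table -AutoSize
```

With the sample data, the first name produces no reasons, the second is flagged Warning on both entropy and TLD, and the third is Critical because it resolved to the blocklisted address. Keeping the three checks in one function that returns a structured object makes it straightforward to feed the result into the `Rmm-Alert` call and into the state file without reparsing text.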
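The Local Storage table describes a 24h-TTL reputation cache and a state file that accumulates findings between hourly runs, but not how either is maintained. This added example (not the project's own code) shows one way to implement both in PowerShell 5.1: a JSON-backed cache that only calls the lookup when the cached entry is older than the TTL, and a state file that counts how many runs have seen the same finding. The file paths default to the README's layout; the demo writes to `%TEMP%` instead and uses a stubbed lookup. The `Invoke-AbuseIpdbLookup` function targets the AbuseIPDB v2 `check` endpoint; the demo never calls it.

```powershell
# Added example (not the Cybertek script's own code): TTL cache + accumulating state.
$BaseDir   = Join-Path $env:ProgramData 'Cybertek\NetworkMonitor'
$CachePath = Join-Path $BaseDir 'abuseipdb_cache.json'
$StatePath = Join-Path $BaseDir 'state.json'
$CacheTtl  = [TimeSpan]::FromHours(24)

function Read-JsonFile {
    # PowerShell 5.1 ConvertFrom-Json has no -AsHashtable, so copy properties into one.
    param([string]$Path)
    $table = @{}
    if (-not (Test-Path $Path)) { return $table }
    $obj = Get-Content $Path -Raw | ConvertFrom-Json
    if ($null -eq $obj) { return $table }
    foreach ($p in $obj.PSObject.Properties) { $table[$p.Name] = $p.Value }
    return $table
}

function Write-JsonFile {
    param([string]$Path, [hashtable]$Data)
    $dir = Split-Path $Path -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    $Data | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
}

function Invoke-AbuseIpdbLookup {
    # Real lookup: AbuseIPDB v2 check endpoint, returns the 0-100 abuse confidence score.
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$ApiKey)
    $resp = Invoke-RestMethod -Uri 'https://api.abuseipdb.com/api/v2/check' `
        -Headers @{ Key = $ApiKey; Accept = 'application/json' } `
        -Body @{ ipAddress = $Ip; maxAgeInDays = 90 }
    return [int]$resp.data.abuseConfidenceScore
}

function Get-IpReputation {
    # Serve from cache when the entry is younger than $CacheTtl; otherwise call $Lookup.
    param(
        [Parameter(Mandatory)][string]$Ip,
        [Parameter(Mandatory)][scriptblock]$Lookup,   # takes an IP, returns a score
        [string]$Path = $CachePath
    )
    $cache = Read-JsonFile $Path
    $now   = [DateTime]::UtcNow
    $hit   = $cache[$Ip]
    if ($hit) {
        # ConvertFrom-Json may already have turned the ISO timestamp into a DateTime;
        # the cast handles both string and DateTime values.
        $age = $now - ([DateTime]$hit.CheckedUtc).ToUniversalTime()
        if ($age -lt $CacheTtl) {
            return [pscustomobject]@{ Ip = $Ip; Score = [int]$hit.Score; FromCache = $true }
        }
    }
    $score = [int](& $Lookup $Ip)
    $cache[$Ip] = @{ Score = $score; CheckedUtc = $now.ToString('o') }
    Write-JsonFile -Path $Path -Data $cache
    return [pscustomobject]@{ Ip = $Ip; Score = $score; FromCache = $false }
}

function Add-Finding {
    # Record a finding keyed by process + destination; returns how many runs have seen it.
    param([Parameter(Mandatory)][string]$Key, [string]$Detail, [string]$Path = $StatePath)
    $state = Read-JsonFile $Path
    $entry = $state[$Key]
    $nowIso = [DateTime]::UtcNow.ToString('o')
    $count  = if ($entry) { [int]$entry.Count + 1 } else { 1 }
    $first  = if ($entry) { ([DateTime]$entry.FirstSeenUtc).ToUniversalTime().ToString('o') } else { $nowIso }
    $state[$Key] = @{ Count = $count; FirstSeenUtc = $first; LastSeenUtc = $nowIso; Detail = $Detail }
    Write-JsonFile -Path $Path -Data $state
    return $count
}

# Demo with constructed data under %TEMP%; 203.0.113.0/24 is a documentation range.
$demoCache = Join-Path $env:TEMP 'nm_demo_cache.json'
$demoState = Join-Path $env:TEMP 'nm_demo_state.json'
Remove-Item $demoCache, $demoState -ErrorAction SilentlyContinue
$stubLookup = { param($ip) if ($ip -eq '203.0.113.7') { 100 } else { 0 } }   # stands in for the API

$r1 = Get-IpReputation -Ip '203.0.113.7' -Lookup $stubLookup -Path $demoCache   # FromCache = $false
$r2 = Get-IpReputation -Ip '203.0.113.7' -Lookup $stubLookup -Path $demoCache   # FromCache = $true
$n1 = Add-Finding -Key 'powershell.exe->203.0.113.7:443' -Detail 'LOLBin external connection' -Path $demoState
$n2 = Add-Finding -Key 'powershell.exe->203.0.113.7:443' -Detail 'LOLBin external connection' -Path $demoState
"$($r1.FromCache) $($r2.FromCache) $n1 $n2"   # False True 1 2
```

Two design points worth keeping when adapting this: the cache stores the check time in UTC round-trip format so a TTL comparison is unaffected by the endpoint's local time zone, and the state file keys findings by process plus destination, which is what lets the exfil-indicator layer notice the same pair recurring across several hourly runs rather than only within one.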