
Project: Network Traffic Monitor

Summary

A self-contained PowerShell script that runs hourly via Syncro RMM and monitors active network connections for malicious activity on Windows endpoints.

The script performs multi-layer behavioral analysis using live threat intelligence feeds, reputation APIs, and local heuristics. Results accumulate between runs via a local state file to track recurring activity.


Business Problem

Malware, data theft, and command-and-control activity all generate network traffic. Traditional antivirus misses many threats that communicate over encrypted channels or use legitimate infrastructure. This script gives Cybertek continuous, low-cost visibility into outbound connection behavior — surfacing suspicious IPs, domains, and processes before they become incidents.


Detection Layers

| Layer | Description |
| --- | --- |
| Threat intel blocklists | IPs, CIDRs, and domains pulled from the Cybertek threat intel repo (Feodo Tracker, Emerging Threats, Spamhaus DROP/EDROP, URLhaus) |
| AbuseIPDB enrichment | Per-IP reputation scoring via AbuseIPDB v2 API (cached 24h) |
| LOLBin correlation | Living-off-the-land binaries and scripting engines making external connections flagged as Critical |
| Port analysis | Connections to known-bad ports flagged as Warning |
| Exfil indicators | High outbound connection volume from the same process to the same destination |
| DNS cache monitoring | High-entropy domains, suspicious TLDs, domains resolving to blocked IPs |
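The LOLBin correlation layer, as an added example that is not the repository's network_traffic_monitor.ps1: it joins established TCP connections to their owning process and raises a Critical finding when a living-off-the-land binary has an external (non-private) peer. The LOLBin list, the private-range test and the alert callback are assumptions for illustration; the embedded connection records are constructed so the block runs offline.

```powershell
# Added example, not the project's script. Assumed LOLBin list; in Syncro the
# -OnAlert callback would wrap Rmm-Alert with category network_traffic_critical.
$LolBins = @('powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
             'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe',
             'bitsadmin.exe','msbuild.exe','installutil.exe')

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918, loopback, link-local, IPv6 loopback/link-local/ULA are not "external".
    return ($Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:|f[cd])')
}

function Get-LolBinFindings {
    param(
        # Objects with State, RemoteAddress, RemotePort, OwningProcess, ProcessName.
        [Parameter(Mandatory)] [object[]] $Connections,
        # Optional alert sink; receives one finding object per hit.
        [scriptblock] $OnAlert
    )
    $findings = foreach ($c in $Connections) {
        if ($c.State -ne 'Established') { continue }
        if (Test-PrivateAddress $c.RemoteAddress) { continue }
        if ($LolBins -notcontains $c.ProcessName.ToLower()) { continue }
        [pscustomobject]@{
            Severity  = 'Critical'
            Process   = $c.ProcessName
            ProcessId = $c.OwningProcess
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            Reason    = 'LOLBin with external connection'
        }
    }
    if ($OnAlert) { foreach ($f in $findings) { & $OnAlert $f } }
    return $findings
}

# Live use on an endpoint (PowerShell 5.1+, Windows 8 / Server 2012 or later):
#   $conns = Get-NetTCPConnection -State Established | ForEach-Object {
#       $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
#       $_ | Add-Member -NotePropertyName ProcessName -NotePropertyValue "$($p.Name).exe" -PassThru }
#   Get-LolBinFindings -Connections $conns

# Constructed sample: one benign browser, one LOLBin on a private peer, one hit.
$sample = @(
    [pscustomobject]@{ State='Established'; RemoteAddress='203.0.113.10'; RemotePort=443;  OwningProcess=1234; ProcessName='chrome.exe' },
    [pscustomobject]@{ State='Established'; RemoteAddress='192.168.1.5';  RemotePort=445;  OwningProcess=2345; ProcessName='rundll32.exe' },
    [pscustomobject]@{ State='Established'; RemoteAddress='198.51.100.7'; RemotePort=8080; OwningProcess=3456; ProcessName='mshta.exe' }
)
Get-LolBinFindings -Connections $sample | Format-Table -AutoSize
```

Only the mshta.exe record is reported; the rundll32.exe connection to 192.168.1.5 is suppressed by the private-range test, which is the check that keeps SMB and other LAN traffic from producing Critical alerts every hour.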

Architecture

  • Language: PowerShell 5.1+
  • Runtime: Syncro Windows script runner (SYSTEM context)
  • Schedule: Hourly
  • Threat intel source: github.com/cybertek605/cybertek-threat-intel (aggregated hourly)
  • Alert method: Rmm-Alert with category network_traffic_critical or network_traffic_warning

Local Storage

| Path | Purpose |
| --- | --- |
| C:\ProgramData\Cybertek\NetworkMonitor\state.json | Accumulated findings between runs |
| C:\ProgramData\Cybertek\NetworkMonitor\abuseipdb_cache.json | AbuseIPDB reputation cache (24h TTL) |
| C:\ProgramData\Cybertek\NetworkMonitor\blocklists\ | Cached threat intel feed files |

Syncro Script Variables

| Variable | Required | Description |
| --- | --- | --- |
| abuseipdb_api_key | No | AbuseIPDB v2 API key. Without it, API enrichment is skipped and local heuristics + blocklists still run. |

Alert Categories

| Category | Trigger |
| --- | --- |
| network_traffic_critical | Confirmed malicious IP/domain match, LOLBin with external connection, or exfil indicator |
| network_traffic_warning | Suspicious activity warranting review but below critical threshold |

Files

network_traffic_monitor.ps1

Production-ready Syncro script. Multi-layer network threat detection with threat intel blocklists, AbuseIPDB enrichment, LOLBin correlation, port analysis, exfil indicators, and DNS anomaly detection.


Deployment

  1. Import network_traffic_monitor.ps1 into Syncro as a PowerShell script.
  2. Optionally add abuseipdb_api_key as a Script Variable.
  3. Schedule hourly via Syncro policy.
  4. Monitor alerts under network_traffic_critical and network_traffic_warning categories.