# Cybertek Detection Scripts

> **Internal review only — shared with Cybertek colleagues for code review and further development.**

Syncro RMM scripts used by Cybertek Systems for endpoint security monitoring. Each script runs on a schedule via Syncro and raises alerts when suspicious activity is detected.

---
## Scripts

### Network Traffic Monitor

**`network_traffic_monitor/network_traffic_monitor.ps1`**

Monitors active network connections for malicious IPs using live threat intelligence feeds (aggregated hourly from abuse.ch, Emerging Threats, and others). Raises a Syncro alert categorized as `network_traffic_critical` or `network_traffic_warning` depending on threat severity.

---
### LoLRMM Detector

**`lolrmm/lolrmm_syncro_detector.ps1`**

Detects unauthorized Remote Monitoring and Management (RMM) tools running on endpoints. Checks running processes and installed software against the [lolrmm.io](https://lolrmm.io) database of known RMM tools. Raises a Syncro alert if any unapproved RMM tool is found.

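
The LoLRMM check in outline, as an added example that is not the repository's script: it compares running processes and installed software against a small constructed sample of RMM tool names (standing in for the lolrmm.io database the real detector uses) and reports any tool that is not on an assumed approved list.

```powershell
# Added example, not a script from this repository. The tool list below is a
# constructed sample standing in for the lolrmm.io database; the approved list
# is an assumption (Syncro is the RMM these scripts run under).
$KnownRmm = @(
    @{ Name = 'AnyDesk';    Processes = @('AnyDesk');                         Match = 'AnyDesk' }
    @{ Name = 'TeamViewer'; Processes = @('TeamViewer', 'TeamViewer_Service'); Match = 'TeamViewer' }
    @{ Name = 'Syncro';     Processes = @();                                   Match = 'Syncro' }
)
$ApprovedRmm = @('Syncro')

# Installed software from the 64-bit and 32-bit uninstall keys (HKLM only; HKCU
# per-user installs are not covered here).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object -ExpandProperty DisplayName

# Running process names without the .exe suffix, as Get-Process reports them.
$running = Get-Process | Select-Object -ExpandProperty ProcessName -Unique

$findings = foreach ($tool in $KnownRmm) {
    # -contains and -like are case-insensitive by default in PowerShell.
    $procHits = @($running   | Where-Object { $tool.Processes -contains $_ })
    $swHits   = @($installed | Where-Object { $_ -like "*$($tool.Match)*" })
    if ($procHits.Count -gt 0 -or $swHits.Count -gt 0) {
        [pscustomobject]@{
            Tool      = $tool.Name
            Approved  = ($ApprovedRmm -contains $tool.Name)
            Processes = ($procHits -join ', ')
            Software  = ($swHits -join ', ')
        }
    }
}

$unapproved = @($findings | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    # The repository's detector raises a Syncro alert at this point; this
    # example only prints the findings and signals them through the exit code.
    $unapproved | Format-Table -AutoSize
    exit 1
} else {
    Write-Output 'No unapproved RMM tools found.'
    exit 0
}
```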
---
### Event Log Monitor

**`event_log_monitoring/event_log_monitor.ps1`**

Monitors the Windows Security Event Log for high-value security events — including failed logon attempts, privilege escalation, account lockouts, and suspicious process activity. Raises Syncro alerts categorized by severity.

---
## Deployment

All scripts are deployed and scheduled via Syncro RMM. Each script is self-contained and requires only a Syncro API key configured as a Script Variable within the Syncro platform.