78 lines
3.2 KiB
Markdown
# Project: Network Traffic Monitor

## Summary

A self-contained PowerShell script that runs hourly via **Syncro RMM** and monitors active network connections for malicious activity on Windows endpoints.

The script performs multi-layer behavioral analysis using live threat intelligence feeds, reputation APIs, and local heuristics. Results accumulate between runs via a local state file to track recurring activity.

---

## Business Problem

Malware, data theft, and command-and-control activity all generate network traffic. Traditional antivirus misses many threats that communicate over encrypted channels or use legitimate infrastructure. This script gives Cybertek continuous, low-cost visibility into outbound connection behavior — surfacing suspicious IPs, domains, and processes before they become incidents.

---

## Detection Layers

| Layer | Description |
|---|---|
| **Threat intel blocklists** | IPs, CIDRs, and domains pulled from the Cybertek threat intel repo (Feodo Tracker, Emerging Threats, Spamhaus DROP/EDROP, URLhaus) |
| **AbuseIPDB enrichment** | Per-IP reputation scoring via the AbuseIPDB v2 API (cached 24h) |
| **LOLBin correlation** | Living-off-the-land binaries and scripting engines making external connections are flagged as Critical |
| **Port analysis** | Connections to known-bad ports are flagged as Warning |
| **Exfil indicators** | High outbound connection volume from the same process to the same destination |
| **DNS cache monitoring** | High-entropy domains, suspicious TLDs, domains resolving to blocked IPs |

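As an added illustration of the blocklist, LOLBin and port layers in the table above (example code written for this README, not the project's `network_traffic_monitor.ps1`), the snippet below scores a set of outbound connections the way those three layers would. The LOLBin list, the blocklist entries, the "known-bad" port list and the sample connections are constructed placeholders; the severity order follows the table (Critical for blocklist and LOLBin hits, Warning for port hits, and a Warning never downgrades a Critical).

```powershell
# Added example, not the repo's script. Lists and sample data below are constructed.
$LolBins = @('powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe',
             'rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe','msiexec.exe')
$BlockedIps   = @('203.0.113.7')        # constructed feed entry (TEST-NET-3 address)
$BlockedCidrs = @('198.51.100.0/24')    # constructed DROP-style range (TEST-NET-2)
$SuspectPorts = @(4444, 1337, 6667)     # assumed "known-bad" ports for the Warning layer

function ConvertTo-IpLong {
    # IPv4 dotted-quad to a 64-bit integer; IPv6 is not handled in this example.
    param([string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { return $null }
    $b = $addr.GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipL = ConvertTo-IpLong $Ip; $netL = ConvertTo-IpLong $net
    if ($null -eq $ipL -or $null -eq $netL) { return $false }
    $hostBits = 32 - [int]$bits
    $mask = [long]4294967295 - (([long]1 -shl $hostBits) - 1)   # e.g. /24 -> 0xFFFFFF00
    return (($ipL -band $mask) -eq ($netL -band $mask))
}

function Test-ExternalIp {
    # True only for IPv4 addresses outside private, loopback, link-local and multicast space.
    param([string]$Ip)
    if ($null -eq (ConvertTo-IpLong $Ip)) { return $false }
    foreach ($range in @('10.0.0.0/8','172.16.0.0/12','192.168.0.0/16','127.0.0.0/8','169.254.0.0/16','224.0.0.0/4')) {
        if (Test-IpInCidr -Ip $Ip -Cidr $range) { return $false }
    }
    return $true
}

function Get-ConnectionVerdict {
    # $Conn needs ProcessName, RemoteAddress and RemotePort (the shape Get-NetTCPConnection + Get-Process give).
    param([pscustomobject]$Conn)
    $reasons = @(); $severity = 'Info'
    # Layer: threat intel blocklist (exact IP or CIDR hit) -> Critical
    if (($BlockedIps -contains $Conn.RemoteAddress) -or
        ($BlockedCidrs | Where-Object { Test-IpInCidr -Ip $Conn.RemoteAddress -Cidr $_ })) {
        $severity = 'Critical'; $reasons += 'blocklist match'
    }
    # Layer: LOLBin correlation - script engine/LOLBin talking to a public address -> Critical
    if (($LolBins -contains $Conn.ProcessName.ToLower()) -and (Test-ExternalIp $Conn.RemoteAddress)) {
        $severity = 'Critical'; $reasons += "LOLBin $($Conn.ProcessName) with external connection"
    }
    # Layer: port analysis -> Warning, but never downgrade an existing Critical
    if (($SuspectPorts -contains [int]$Conn.RemotePort) -and ($severity -ne 'Critical')) {
        $severity = 'Warning'; $reasons += "suspicious port $($Conn.RemotePort)"
    }
    [pscustomobject]@{
        Process  = $Conn.ProcessName
        Remote   = "$($Conn.RemoteAddress):$($Conn.RemotePort)"
        Severity = $severity
        Reasons  = ($reasons -join '; ')
    }
}

function Get-LiveConnections {
    # Live collection for a real run (not called by default here): established TCP
    # connections joined to their owning process by PID.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ ProcessName = "$($p.Name).exe"; RemoteAddress = $_.RemoteAddress; RemotePort = $_.RemotePort }
    }
}

# Constructed sample connections covering each layer plus a benign and an internal case.
$Sample = @(
    [pscustomobject]@{ ProcessName = 'chrome.exe';      RemoteAddress = '192.0.2.10';     RemotePort = 443  },
    [pscustomobject]@{ ProcessName = 'powershell.exe';  RemoteAddress = '198.51.100.23';  RemotePort = 4444 },
    [pscustomobject]@{ ProcessName = 'svchost.exe';     RemoteAddress = '203.0.113.7';    RemotePort = 80   },
    [pscustomobject]@{ ProcessName = 'powershell.exe';  RemoteAddress = '10.0.0.5';       RemotePort = 5985 },
    [pscustomobject]@{ ProcessName = 'outlook.exe';     RemoteAddress = '192.0.2.44';     RemotePort = 6667 }
)
$Sample | ForEach-Object { Get-ConnectionVerdict $_ } | Format-Table -AutoSize
```
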
---

## Architecture

- **Language:** PowerShell 5.1+
- **Runtime:** Syncro Windows script runner (SYSTEM context)
- **Schedule:** Hourly
- **Threat intel source:** `github.com/cybertek605/cybertek-threat-intel` (aggregated hourly)
- **Alert method:** `Rmm-Alert` with category `network_traffic_critical` or `network_traffic_warning`

### Local Storage

| Path | Purpose |
|---|---|
| `C:\ProgramData\Cybertek\NetworkMonitor\state.json` | Accumulated findings between runs |
| `C:\ProgramData\Cybertek\NetworkMonitor\abuseipdb_cache.json` | AbuseIPDB reputation cache (24h TTL) |
| `C:\ProgramData\Cybertek\NetworkMonitor\blocklists\` | Cached threat intel feed files |

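The DNS cache heuristics from the detection layers table (high-entropy labels, suspicious TLDs, resolution to a blocked IP) and the cross-run accumulation that `state.json` provides, as an added example that is not the project's own code. The entropy threshold, minimum label length, TLD list, sample cache entries and blocklist are constructed, and the state file is written to a temp path here rather than the real `C:\ProgramData\Cybertek\NetworkMonitor\state.json`. Entropy on its own is a weak signal (short legitimate names score high too), which is why the example only applies it to longer labels and why the script combines it with the other layers.

```powershell
# Added example, not the repo's script. Thresholds, lists and sample data are constructed.
$SuspiciousTlds   = @('.xyz', '.top', '.tk', '.zip')      # assumed list
$EntropyThreshold = 3.4                                    # assumed; bits per character of the registrable label
$MinLabelLength   = 12                                     # assumed; entropy is only meaningful on longer labels
$StatePath = Join-Path $env:TEMP 'netmon_example_state.json'  # stand-in for the real state.json path

function Get-ShannonEntropy {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $n = $Text.Length; $entropy = 0.0
    foreach ($group in ($Text.ToCharArray() | Group-Object)) {
        $p = $group.Count / $n
        $entropy -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($entropy, 3)
}

function Test-DnsEntry {
    # Returns a finding object for a suspicious cache entry, or $null for a clean one.
    param([string]$Domain, [string[]]$ResolvedIps, [string[]]$BlockedIps)
    $labels = $Domain.TrimEnd('.').ToLower().Split('.')
    if ($labels.Count -lt 2) { return $null }
    $sld = $labels[-2]; $tld = '.' + $labels[-1]
    $reasons = @()
    $e = Get-ShannonEntropy $sld
    if (($sld.Length -ge $MinLabelLength) -and ($e -ge $EntropyThreshold)) { $reasons += "high entropy ($e)" }
    if ($SuspiciousTlds -contains $tld) { $reasons += "suspicious TLD $tld" }
    $hit = @($ResolvedIps | Where-Object { $BlockedIps -contains $_ })
    if ($hit.Count -gt 0) { $reasons += "resolves to blocked IP $($hit -join ',')" }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Domain   = $Domain
        Severity = $(if ($hit.Count -gt 0) { 'Critical' } else { 'Warning' })   # blocklist hit is the only Critical here
        Reasons  = ($reasons -join '; ')
    }
}

function Update-State {
    # Merge this run's findings into the persisted state so recurring domains gain a hit count.
    param([object[]]$Findings, [string]$Path)
    $state = @{}
    if (Test-Path $Path) {
        (Get-Content $Path -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $state[$_.Name] = $_.Value }
    }
    $now = (Get-Date).ToString('o')
    foreach ($f in $Findings) {
        $key = "dns:$($f.Domain)"
        if ($state.ContainsKey($key)) {
            $state[$key].Hits += 1
            $state[$key].LastSeen = $now
        } else {
            $state[$key] = @{ Hits = 1; FirstSeen = $now; LastSeen = $now; Severity = $f.Severity; Reasons = $f.Reasons }
        }
    }
    $state | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
    return $state
}

# Constructed sample cache entries in the Entry/Data shape of Get-DnsClientCache.
# On a live host: Get-DnsClientCache | Select-Object Entry, Data
$SampleCache = @(
    [pscustomobject]@{ Entry = 'www.cybertek.example';   Data = '192.0.2.10'    },
    [pscustomobject]@{ Entry = 'q7f2m9xk4b1p.top';       Data = '198.51.100.23' },
    [pscustomobject]@{ Entry = 'updates.vendor.example'; Data = '203.0.113.7'   }
)
$BlockedIps = @('203.0.113.7')   # constructed blocklist
$findings = @($SampleCache | ForEach-Object {
    Test-DnsEntry -Domain $_.Entry -ResolvedIps @($_.Data) -BlockedIps $BlockedIps
} | Where-Object { $_ })
$findings | Format-Table -AutoSize

# Running this twice against the same cache raises Hits to 2 for each recurring domain.
$state = Update-State -Findings $findings -Path $StatePath
$state.GetEnumerator() | ForEach-Object { '{0}: hits={1} severity={2}' -f $_.Key, $_.Value.Hits, $_.Value.Severity }
```
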
---

## Syncro Script Variables

| Variable | Required | Description |
|---|---|---|
| `abuseipdb_api_key` | No | AbuseIPDB v2 API key. Without it, API enrichment is skipped and local heuristics + blocklists still run. |

---

## Alert Categories

| Category | Trigger |
|---|---|
| `network_traffic_critical` | Confirmed malicious IP/domain match, LOLBin with external connection, or exfil indicator |
| `network_traffic_warning` | Suspicious activity warranting review but below the critical threshold |

---

## Files

### `network_traffic_monitor.ps1`

Production-ready Syncro script. Multi-layer network threat detection with threat intel blocklists, AbuseIPDB enrichment, LOLBin correlation, port analysis, exfil indicators, and DNS anomaly detection.

---

## Deployment

1. Import `network_traffic_monitor.ps1` into Syncro as a PowerShell script.
2. Optionally add `abuseipdb_api_key` as a Script Variable.
3. Schedule hourly via Syncro policy.
4. Monitor alerts under `network_traffic_critical` and `network_traffic_warning` categories.