Components
Web control panel
Package name: intrudect-web
It serves the following functions:
- Collect alerts from agents
- Make the information browseable and searchable for the user
- Integrate with different chat applications to send alerts
- Provide a control panel for agents and their configurations.
Honeypot
Package name: intrudect-honeypot
Listens on the TCP or UDP ports specified in the configuration and accepts incoming connections; when a connection is detected, an alert is sent to the central web.
Egress agent
Package name: intrudect-egressagent
During various pentests, the authors have seen clients whose "airgapped" network was actually not fully isolated. This inspired the egress agent module.
The egress agent is installed in the isolated network segment and periodically attempts to reach the Internet. If it successfully connects to the Intrudect servers, an alert is sent to the client.
Logagent / syslog agent
Package name: intrudect-logagent
Logagent monitors specified logfiles for user-defined regular expressions. If a line's content matches a regular expression, an alert is sent to the central web. Logfiles can be syslog files, but also application logfiles and other text logs.
Netagent / network agent
Package name: intrudect-netagent
This package listens on a network interface to which traffic is mirrored from switches and tries to identify anomalies or IOCs.
This agent has multiple submodules:
- Admin protocols monitoring module - if attackers try to map the network or move from one workstation to another, it only takes one wrong SYN packet to get caught.
- ARP scan detection
- DHCP module to detect anomalies in DHCP traffic or low-opsec operators - is "kali" a normal workstation hostname?
- DNS module to detect excessive DNS traffic, or not-so-common PTR and TXT queries. PTR queries are used to map the network, and TXT queries in high numbers could be an indication of data exfiltration or C2 traffic.
- HTTP traffic monitoring. Most of the Internet uses TLS and HTTPS, but there are still plenty of tools that use plaintext HTTP, and this module gives a good overview of which devices and which user agents reach out from your network. Also, if an attacker has their own device in your network (compromised WiFi or a malicious device), they too can make opsec mistakes (an APT user agent, for example).
- LDAP module - to detect an excessive number of LDAP queries sent to the DC, revealing tools like PingCastle and BloodHound
- Portscan detection
- SMB outbound traffic monitoring - capturing a NetNTLMv2 password hash from a domain user requires only one SMB connection to an attacker-controlled server.
- TOR module to detect TOR traffic
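One way the DNS module's PTR/TXT heuristic can be implemented, as an added example that is not the intrudect-netagent's own code. It assumes query records have already been parsed into (timestamp, source, qtype, qname) tuples, and the thresholds of 20 PTR and 10 TXT queries per source per 60 seconds are assumptions, not values from the project.

```python
"""Sliding-window PTR/TXT query counter illustrating the DNS module heuristics above.
Constructed example, not intrudect-netagent code; thresholds and window are assumptions."""
from collections import defaultdict, deque

# Assumed per-source thresholds within one window (not specified on the page).
THRESHOLDS = {"PTR": 20, "TXT": 10}
WINDOW_SECONDS = 60.0


class DnsQueryMonitor:
    """Consumes already-parsed DNS query records (ts, src, qtype, qname) and
    emits one alert per (source, qtype) when the window count reaches the threshold."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        self.thresholds = thresholds
        self.window = window
        self._seen = defaultdict(deque)  # (src, qtype) -> timestamps inside the window
        self._alerted = set()            # suppress repeat alerts for the same key

    def observe(self, ts, src, qtype, qname):
        """Record one query; return an alert dict when a threshold is reached, else None."""
        if qtype not in self.thresholds:
            return None                  # A/AAAA etc. are not scored by this heuristic
        key = (src, qtype)
        window = self._seen[key]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()             # drop queries older than the window
        if len(window) >= self.thresholds[qtype] and key not in self._alerted:
            self._alerted.add(key)
            reason = ("reverse lookups mapping the network" if qtype == "PTR"
                      else "possible exfiltration or C2 over TXT records")
            return {"module": "dns", "src": src, "qtype": qtype,
                    "count": len(window), "window_s": self.window,
                    "last_qname": qname, "reason": reason}
        return None


def run_example():
    """Replay constructed traffic: one host reverse-sweeping 10.0.0.0/24, one normal host."""
    mon = DnsQueryMonitor()
    alerts = []
    for i in range(1, 26):               # 25 PTR queries in 25 seconds from 10.0.0.5
        alert = mon.observe(float(i), "10.0.0.5", "PTR", f"{i}.0.0.10.in-addr.arpa")
        if alert:
            alerts.append(alert)
    for i in range(5):                   # ordinary A lookups never trigger an alert
        mon.observe(float(i), "10.0.0.9", "A", "example.com")
    return alerts
```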