patdown/README.md

# patdown

> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.


<p  align="center">
    <img  src="https://i.imgur.com/AlQ7N07.png"  width="500"  title="hover text">
</p>

## Abstract
Patdown probes a network's DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.

**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` in its cache, chances are the '*CrowdStrike Falcon*' EDR solution is present somewhere on the network.

These DNS servers can be specified as arguments (the preferred way), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-t` flag.

> ⚠️  Authoritative nameservers are rarely used as egress recursive resolvers for networks and are not as efficacious for fingerprinting EDR/XDR.

## Installation
Retrieve a binary corresponding to your architecture from **Releases** 

*or*

`git clone https://git.supernets.org/delorean/patdown.git && cd patdown/cmd/patdown && go build -o patdown main.go && ./patdown`

## Usage
**Help**

`patdown -h`


**Target specific resolvers**

`patdown -n ns1.target.resolver -n ns2.another.target.resolver`


**Automatically snoop authoritative nameservers**

`patdown -t supernets.org`


## Currently Identified Vendors/Solutions:
- **CrowdStrike** Falcon
- **Microsoft** Defender for Endpoint
- **VMWare** Carbon Black
- **CheckPoint** Harmony
- **Cybereason** EDR
- **Trellix** EDR
- **Palo Alto Networks** Cortex XDR
- **SentinelOne** Singularity
- **Symantec** EDR
- **Tanium** EDR
- **Nextron** Aurora
- **Trend Micro** Endpoint Sensor
- **Rapid7** InsightIDR


- - - -
this is for christian purposes
initial 2023-12-14 23:43:59 -05:00			`# patdown`
and you better read the README 2024-02-16 19:33:36 -05:00
initial 2023-12-14 23:43:59 -05:00			`> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.`

and you better read the README 2024-02-16 19:33:36 -05:00
			`<p align="center">`
			`<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">`
initial 2023-12-14 23:43:59 -05:00			`</p>`
and you better read the README 2024-02-16 19:33:36 -05:00
			`## Abstract`
and you better read the README 2024-02-16 19:41:43 -05:00			`Patdown probes a network's DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.`
and you better read the README 2024-02-16 19:33:36 -05:00
			Example: if a network's resolver has `assets-public.falcon.crowdstrike.com` in its cache, chances are the 'CrowdStrike Falcon' EDR solution is present somewhere on the network.

			These DNS servers can be specified as arguments (the preferred way), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-t` flag.

and you better read the README 2024-02-17 17:53:45 -05:00			`> ⚠️ Authoritative nameservers are rarely used as egress recursive resolvers for networks and are not as efficacious for fingerprinting EDR/XDR.`
and you better read the README 2024-02-16 19:33:36 -05:00
			`## Installation`
			`Retrieve a binary corresponding to your architecture from Releases`
and you better read the README 2024-02-16 19:41:43 -05:00
and you better read the README 2024-02-16 19:33:36 -05:00			`or`
and you better read the README 2024-02-16 19:41:43 -05:00
			`git clone https://git.supernets.org/delorean/patdown.git && cd patdown/cmd/patdown && go build -o patdown main.go && ./patdown`
and you better read the README 2024-02-16 19:33:36 -05:00
			`## Usage`
			`Help`
and you better read the README 2024-02-16 19:41:43 -05:00
and you better read the README 2024-02-16 19:33:36 -05:00			`patdown -h`

and you better read the README 2024-02-16 19:41:43 -05:00
			`Target specific resolvers`

and you better read the README 2024-02-16 19:33:36 -05:00			`patdown -n ns1.target.resolver -n ns2.another.target.resolver`

and you better read the README 2024-02-16 19:41:43 -05:00
and you better read the README 2024-02-16 19:33:36 -05:00			`Automatically snoop authoritative nameservers`
and you better read the README 2024-02-16 19:41:43 -05:00
and you better read the README 2024-02-16 19:33:36 -05:00			`patdown -t supernets.org`

listed currently supported vendors 2024-02-16 20:09:49 -05:00
			`## Currently Identified Vendors/Solutions:`
			`- CrowdStrike Falcon`
			`- Microsoft Defender for Endpoint`
			`- VMWare Carbon Black`
			`- CheckPoint Harmony`
			`- Cybereason EDR`
			`- Trellix EDR`
			`- Palo Alto Networks Cortex XDR`
			`- SentinelOne Singularity`
			`- Symantec EDR`
			`- Tanium EDR`
			`- Nextron Aurora`
			`- Trend Micro Endpoint Sensor`
			`- Rapid7 InsightIDR`


and you better read the README 2024-02-16 19:33:36 -05:00			`- - - -`
			`this is for christian purposes`