# patdown
> Remotely predicts and identifies the presence of EDR/XDR solutions on networks
<p align="center">
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
</p>
## Abstract
patdown is an EDR/XDR fingerprinting utility for remotely predicting the defensive tooling in use on a network.
This lets you forecast a network's security posture during the earliest stages of access, or before gaining any access at all.

Fingerprinting works by DNS cache snooping: patdown probes a network's DNS servers to determine whether they have recently resolved (and therefore cached) domains associated with various EDR/XDR solutions.

**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` cached, the *CrowdStrike Falcon* EDR solution is most likely present on that network.

These DNS servers can be specified as arguments (the most reliable option), or patdown can automatically retrieve and analyze a target's authoritative nameservers with the `-d` flag.

> ⚠️ Authoritative nameservers are rarely the recursive resolvers a network's hosts actually use, so results from them are a weaker signal for EDR/XDR fingerprinting and are prone to false positives.
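The probe described above, as an added example that is not patdown's own source: a minimal DNS cache-snooping client in Go (stdlib only). It sends an A query with the RD (recursion desired) bit cleared, so the resolver answers only if the name is already cached and never fetches it on our behalf, then reads the answer count and TTL out of the raw reply. The only probed name is the README's CrowdStrike example; the `Result` type, function names, 3-second timeout and the `go run snoop.go <resolver-ip>` invocation are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// Result of one non-recursive probe against a resolver (example type, not patdown's).
type Result struct {
	Cached bool   // answer returned without recursion: the record was in cache
	Rcode  uint8  // DNS RCODE (0 NOERROR, 3 NXDOMAIN, 5 REFUSED)
	TTL    uint32 // remaining TTL of the first answer; counts down while cached
}

// BuildQuery encodes an A/IN query with the RD (recursion desired) bit clear, so
// the resolver answers only from cache instead of fetching (and caching) it for us.
func BuildQuery(id uint16, name string) []byte {
	buf := make([]byte, 12) // header; bytes 2-3 stay 0x0000 => QR=0, RD=0
	binary.BigEndian.PutUint16(buf[0:], id)
	binary.BigEndian.PutUint16(buf[4:], 1) // QDCOUNT = 1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		buf = append(append(buf, byte(len(label))), label...)
	}
	return append(buf, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}

// skipName advances past a (possibly compressed) name; returns -1 if malformed.
func skipName(msg []byte, off int) int {
	for off < len(msg) {
		switch l := int(msg[off]); {
		case l == 0:
			return off + 1
		case l&0xC0 == 0xC0: // 2-byte compression pointer ends the name
			if off+2 > len(msg) {
				return -1
			}
			return off + 2
		default:
			off += 1 + l
		}
	}
	return -1
}

// ParseResponse validates the reply to query id and reports whether the answer
// section is non-empty (cache hit) together with the first answer's TTL.
func ParseResponse(id uint16, msg []byte) (Result, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[0:]) != id || msg[2]&0x80 == 0 {
		return Result{}, errors.New("not a response to our query")
	}
	res := Result{Rcode: msg[3] & 0x0F}
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	off := 12
	for i := 0; i < qd; i++ { // skip echoed question: NAME + QTYPE(2) + QCLASS(2)
		if off = skipName(msg, off); off < 0 || off+4 > len(msg) {
			return Result{}, errors.New("truncated question section")
		}
		off += 4
	}
	if an == 0 {
		return res, nil // empty answer with RD=0: not in cache
	}
	// first answer RR: NAME, TYPE(2), CLASS(2), TTL(4), RDLENGTH(2), RDATA
	if off = skipName(msg, off); off < 0 || off+10 > len(msg) {
		return Result{}, errors.New("truncated answer section")
	}
	res.Cached, res.TTL = true, binary.BigEndian.Uint32(msg[off+4:])
	return res, nil
}

// Snoop sends one non-recursive UDP query for name to the resolver at ip:53.
func Snoop(ip, name string) (Result, error) {
	conn, err := net.DialTimeout("udp", net.JoinHostPort(ip, "53"), 3*time.Second)
	if err != nil {
		return Result{}, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(3 * time.Second))
	id := uint16(time.Now().UnixNano()) // only used to match reply to query
	if _, err := conn.Write(BuildQuery(id, name)); err != nil {
		return Result{}, err
	}
	buf := make([]byte, 512)
	n, err := conn.Read(buf)
	if err != nil {
		return Result{}, err
	}
	return ParseResponse(id, buf[:n])
}

func main() { // usage: go run snoop.go <resolver-ip>; the probed name is the README's example
	r, err := Snoop(os.Args[1], "assets-public.falcon.crowdstrike.com")
	fmt.Printf("cached=%t rcode=%d ttl=%d err=%v\n", r.Cached, r.Rcode, r.TTL, err)
}
```

Two caveats when reading the output. `Cached` really means "answered without recursion": a server that is authoritative for the probed zone, or one that forwards regardless of the RD bit, will answer too, which is the same mechanism behind the false positives the warning above describes; a TTL noticeably below the record's published TTL is the stronger signal, since it only counts down while the record sits in a cache. An RCODE of 5 (REFUSED) with no answer means the server does not serve non-recursive queries at all, not that the name is absent.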
## Installation
Retrieve a binary corresponding to your architecture from **Releases**
*or*
`git clone https://github.com/speedboat/patdown.git ; cd patdown/cmd/patdown ; go build -o patdown main.go ; ./patdown -h`
## Usage
```
d | target fqdn (not as reliable, prone to false positives)
n | nameserver to query (can be specified multiple times)
v | enable verbosity [false]
t | threads [5]
s | delay between requests in milliseconds, per thread [250]
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
```
## Currently Identified Vendors/Solutions:
- [x] **CrowdStrike** Falcon
- [x] **Microsoft** Defender for Endpoint
- [x] **VMWare** Carbon Black
- [x] **Check Point** Harmony
- [x] **Cybereason** EDR
- [x] **Trellix** EDR
- [x] **Palo Alto Networks** Cortex XDR
- [x] **SentinelOne** Singularity
- [x] **Symantec** Endpoint Security
- [x] **Tanium** EDR
- [x] **Nextron** Aurora
- [x] **Trend Micro** Endpoint Sensor
- [x] **Rapid7** InsightIDR
- [ ] **ESET** Inspect
- [ ] **Harfanglab** EDR
- [ ] **Limacharlie** EDR
- [ ] **Elastic** Security
- [ ] **Qualys** EDR
- [ ] **Uptycs** XDR
- [ ] **WatchGuard** EDR