delorean/patdown
3
Fork 0
Code Issues Pull Requests Packages Projects Releases3 Wiki Activity

overhaul; performance and accuracy improvements

Browse Source
This commit is contained in:
delorean 2024-11-06 19:33:39 -06:00
parent 35a6bfe75d
commit 262f1fefac
11 changed files with 899 additions and 710 deletions

78
README.md
View File

@ -1,61 +1,63 @@
# patdown # patdown
> Predicts and identifies the presence of EDR/XDR solutions on remote networks > Remotely predicts and identifies the presence of EDR/XDR solutions on networks
<p align="center"> <p align="center">
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text"> <img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
</p> </p>
## Abstract ## Abstract
patdown is an EDR/XDR *(Endpoint Detection & Response)* fingerprinting utility useful for predicting defense mechanisms in use on a network. patdown is an EDR/XDR fingerprinting utility used for remotely predicting defense mechanisms in use on a network.
This is achieved via probing a network's DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions. This allows you to forecast the security posture of a network during the earliest stages of access, or even prior to any access at all.
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` in its cache, chances are the '*CrowdStrike Falcon*' EDR solution is present somewhere on the network. Fingerprinting is achieved via the probing of DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
These DNS servers can be specified as arguments (the preferred way), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-t` flag. **Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` cached, chances are the *CrowdStrike Falcon* EDR solution is present on the network.
> ⚠️ Authoritative nameservers are rarely used as egress recursive resolvers for networks and are not as efficacious for fingerprinting EDR/XDR. These DNS servers can be specified as arguments (most effective), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-d` flag.
> ⚠️ Authoritative nameservers are rarely used as egress resolvers for networks and are not as reliable for fingerprinting EDR/XDR, making them prone to false positives.
## Installation ## Installation
Retrieve a binary corresponding to your architecture from **Releases** Retrieve a binary corresponding to your architecture from **Releases**
*or* *or*
`git clone https://git.supernets.org/delorean/patdown.git && cd patdown/cmd/patdown && go build -o patdown main.go && ./patdown` `git clone https://github.com/speedboat/patdown.git ; cd patdown/cmd/patdown ; go build -o patdown main.go ; ./patdown -h`
## Usage ## Usage
**Help** ```
d | target fqdn (not as reliable, prone to false positives)
`patdown -h` n | nameserver to query (can be specified multiple times)
v | enable verbosity [false]
t | threads [5]
**Target specific resolvers** s | delay between requests in milliseconds, per thread [250]
`patdown -n ns1.target.resolver -n ns2.another.target.resolver`
**Automatically snoop authoritative nameservers**
`patdown -t supernets.org`
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
```
## Currently Identified Vendors/Solutions: ## Currently Identified Vendors/Solutions:
- **CrowdStrike** Falcon - [x] **CrowdStrike** Falcon
- **Microsoft** Defender for Endpoint - [x] **Microsoft** Defender for Endpoint
- **VMWare** Carbon Black - [x] **VMWare** Carbon Black
- **CheckPoint** Harmony - [x] **Check Point** Harmony
- **Cybereason** EDR - [x] **Cybereason** EDR
- **Trellix** EDR - [x] **Trellix** EDR
- **Palo Alto Networks** Cortex XDR - [x] **Palo Alto Networks** Cortex XDR
- **SentinelOne** Singularity - [x] **SentinelOne** Singularity
- **Symantec** EDR - [x] **Symantec** Endpoint Security
- **Tanium** EDR - [x] **Tanium** EDR
- **Nextron** Aurora - [x] **Nextron** Aurora
- **Trend Micro** Endpoint Sensor - [x] **Trend Micro** Endpoint Sensor
- **Rapid7** InsightIDR - [x] **Rapid7** InsightIDR
- [ ] **ESET** Inspect
- [ ] **Harfanglab** EDR
- - - - - [ ] **Limacharlie** EDR
this is for christian purposes - [ ] **Elastic** Security
- [ ] **Qualys** EDR
- [ ] **Uptycs** XDR
- [ ] **WatchGuard** EDR

60
cmd/patdown/main.go
View File

@ -1,60 +1,36 @@
package main package main
import ( import (
"flag" "fmt"
"patdown/common" "patdown/common"
) )
type multiflag []string
func (m *multiflag) String() string {
return "irc.supernets.org #superbowl"
}
func (m *multiflag) Set(value string) error {
*m = append(*m, value)
return nil
}
var (
domain = flag.String("t", "", "")
workers = flag.Int("c", 100, "")
delay = flag.Int("s", 50, "")
nsarg multiflag
)
func main() { func main() {
flag.Var(&nsarg, "n", "") common.LoadArgs()
flag.Usage = common.Usage var servers []string
flag.Parse()
common.Banner() common.Banner()
if *domain != "" { autodetect := common.Params.Domain != ""
common.Info("aggregating nameservers...") if autodetect {
common.PullNS(*domain) if servers = common.PullNS(common.Params.Domain); len(servers) == 0 {
} else if len(nsarg) > 0 { common.Fatal("no nameservers found for " + common.Params.Domain)
for _, ns := range nsarg {
common.Nameservers = append(common.Nameservers, ns)
} }
common.Info(fmt.Sprintf("retrieved %s%d%s nameservers for %s", common.ColorGreen, len(servers), common.ColorReset, common.Params.Domain))
} else if len(common.Params.Nservers) > 0 {
servers = common.Params.Nservers
} else { } else {
common.Usage() common.Fatal("provide a domain or nameservers to target")
return
} }
common.Verify() if !common.NeutralReq() {
common.Fatal("neutral dns check failed, are you on a dirty box or vpn?")
common.Run(false, *workers, *delay)
if !common.Found {
if len(common.Recursive) > 0 {
common.Warning("no associated domains found, attempting recursive snooping...")
common.Run(true, *workers, *delay)
}
} }
if !common.Found { valid := common.ParseNS(servers)
common.Error("no associated domains retrieved") if len(valid) == 0 {
common.Fatal("no servers responded to trial probes, they're either down or they don't like your IP")
} }
common.Takeoff(valid)
} }

39
common/args.go Normal file
View File

@ -0,0 +1,39 @@
package common
import "flag"
type multiflag []string
type Config struct {
Domain string
Threads int
Delay int
Nservers []string
Verbose bool
}
var (
domain = flag.String("d", "", "")
workers = flag.Int("t", 5, "")
delay = flag.Int("s", 250, "")
verbose = flag.Bool("v", false, "")
nsarg multiflag
Params Config
)
func (m *multiflag) String() string {
return "front page maximum wage"
}
func (m *multiflag) Set(value string) error {
*m = append(*m, value)
return nil
}
func LoadArgs() {
flag.Var(&nsarg, "n", "")
flag.Usage = Usage
flag.Parse()
Params = Config{Domain: *domain, Threads: *workers, Delay: *delay, Nservers: nsarg, Verbose: *verbose}
}

88
common/console.go
View File

@ -1,88 +0,0 @@
package common
import (
"fmt"
"os"
)
var (
ColorReset = "\033[0m"
ColorRed = "\033[31m"
ColorPurple = "\033[35m"
ColorLightBlue = "\033[34m"
ColorCyan = "\033[36m"
ColorGreen = "\033[32m"
ColorOrange = "\033[91m"
ColorGray = "\033[90m"
ColorYellow = "\033[93m"
)
func Banner() {
fmt.Printf(`%s
.------..------..------..------..------..------..------.
|%s%sP%s%s.--. ||%s%sA%s%s.--. ||%s%sT%s%s.--. ||%s%sD%s%s.--. ||%s%sO%s%s.--. ||%s%sW%s%s.--. ||%s%sN%s%s.--. |
| :/\: || (\/) || :/\: || :/\: || :/\: || :/\: || :(): |
| (__) || :\/: || (__) || (__) || :\/: || :\/: || ()() |
| '--'P|| '--'A|| '--'T|| '--'D|| '--'O|| '--'W|| '--'N|
'------''------''------''------''------''------''------'
%s%s sincerely,
~ delorean%s
`, ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset)
}
func Usage() {
fmt.Fprintf(os.Stderr, `patdown usage:
(%s-t%s) - target domain
(%s-n%s) - specific nameserver to snoop, can be multiple
(%s-c%s) - concurrent threads [%s100%s]
(%s-s%s) - delay between queries, per thread, in milliseconds [%s100%s]
%se.g.%s
patdown -t supernets.org
patdown -n ns1.supernets.org -n ns2.supernets.org
patdown -t supernets.org -c 50 -s 500
`, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset)
}
var Vendors = map[string]string{
"Microsoft Defender for Endpoint": "\033[34mMicrosoft Defender for Endpoint\033[0m",
"VMWare Carbon Black": "\033[36mVMware\033[0m \033[90mCarbon Black\033[0m",
"CrowdStrike Falcon": "\033[31mCrowdStrike\033[0m \033[1mFalcon\033[0m",
"CheckPoint Harmony": "\033[35mCheckPoint\033[0m \033[1mHarmony\033[0m",
"Cybereason": "\033[93mCybereason\033[0m",
"Trellix": "\033[32mTrellix\033[0m",
"Palo Alto Networks": "\033[91mPalo Alto Networks\033[0m",
"SentinelOne": "\033[35mSentinelOne\033[0m",
"Symantec": "\033[93mSymantec\033[0m",
"Tanium": "\033[31mTanium\033[0m",
"Nextron Aurora": "\033[36mNextron\033[0m \033[90mAurora\033[0m",
"Trend Micro": "\033[31mTrend\033[0m \033[1mMicro\033[0m",
"Rapid7 InsightIDR": "\033[97mRapid\033[0m\033[91m7\033[0m \033[97mInsightIDR\033[0m",
}
func Success(msg string) {
fmt.Printf(" %s~+~%s %s\n", ColorGreen, ColorReset, msg)
}
func Info(msg string) {
fmt.Printf(" %s~i~%s %s\n", ColorCyan, ColorReset, msg)
}
func Warning(msg string) {
fmt.Printf(" %s~!~%s %s\n", ColorYellow, ColorReset, msg)
}
func Error(msg string) {
fmt.Printf(" %s~x~%s %s\n", ColorRed, ColorReset, msg)
}
func Fatal(msg string) {
fmt.Printf(" %s~f~%s %s\n", ColorRed, ColorReset, msg)
os.Exit(-1)
}

174
common/dns.go
View File

@ -1,174 +0,0 @@
package common
import (
"fmt"
"time"
"github.com/miekg/dns"
)
type Pair struct {
Nameserver string
Domain string
}
var (
Nameservers, Valid, Recursive []string
Found bool
)
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
return msg
}
func ParseNS(nservers []string) ([]string, []string) {
var valid, recursive []string
msg := message("supernets.org", dns.TypeA, false)
for _, ns := range nservers {
in, err := dns.Exchange(msg, ns+":53")
if err != nil {
Error("nameserver " + ns + " is not responding")
continue
}
if in.Rcode == dns.RcodeRefused {
Warning("nameserver " + ns + " refused the test query, non-recursive snooping may not be viable")
}
if in.RecursionAvailable {
Success("nameserver " + ns + " is recursive")
recursive = append(recursive, ns)
}
valid = append(valid, ns)
}
return valid, recursive
}
func TestReq() bool {
msg := message("cloudflare.com", dns.TypeA, false)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func PullNS(d string) {
nsmsg := message(d, dns.TypeNS, true)
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
if err != nil {
Fatal("unable to retrieve nameservers for " + d)
}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
Nameservers = append(Nameservers, ns.Ns)
}
}
}
func Verify() {
if !TestReq() {
Error("neutral non-recursive query was refused, are you on a vpn or dirty box?")
}
Success("neutral non-recursive test query succeeded")
Valid, Recursive = ParseNS(Nameservers)
Info(fmt.Sprintf("%d/%d nameservers are recursive", len(Recursive), len(Valid)))
if len(Valid) == 0 {
Fatal("no valid nameservers available")
}
}
func Query(q <-chan Pair, tracker chan<- interface{}, delay int) {
for pair := range q {
msg := message(pair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, pair.Nameserver+":53")
if err != nil {
Error(err.Error())
continue
}
if len(in.Answer) > 0 {
Found = true
fmt.Printf("[%s] associated domain %s found on %s\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver)
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}
func QueryRA(q <-chan Pair, tracker chan<- interface{}, delay int) {
for pair := range q {
msg := message(pair.Domain, dns.TypeA, true)
for x := 0; x < 3; x++ {
in, err := dns.Exchange(msg, pair.Nameserver+":53")
if err != nil {
Error("hiccup on " + pair.Nameserver + " retrying...")
time.Sleep(1 * time.Second)
continue
}
if len(in.Answer) > 0 {
Found = true
if in.Answer[0].Header().Ttl != Domains[pair.Domain].TTL {
fmt.Printf("[%s] associated domain %s found on %s with mismatched TTL of %d\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver, in.Answer[0].Header().Ttl)
}
break
}
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}
func Run(ra bool, threads, delay int) {
pairs := make(chan Pair)
tracker := make(chan interface{})
if !ra {
// non-recursive snoop
Info(fmt.Sprintf("non-recursive snooping on %d resolvers...\n", len(Valid)))
go func() {
for i := 0; i < threads; i++ {
Query(pairs, tracker, delay)
}
}()
for _, ns := range Valid {
for k, _ := range Domains {
pairs <- Pair{Nameserver: ns, Domain: k}
}
}
close(pairs)
} else {
Info(fmt.Sprintf("recursively snooping on %d resolvers...\n", len(Recursive)))
go func() {
for i := 0; i < threads; i++ {
QueryRA(pairs, tracker, delay)
}
}()
for _, ns := range Recursive {
for k, _ := range Domains {
pairs <- Pair{Nameserver: ns, Domain: k}
}
}
close(pairs)
}
for x := 0; x < threads; x++ {
<-tracker
}
}

96
common/exec.go Normal file
View File

@ -0,0 +1,96 @@
package common
import (
"fmt"
"os"
)
func scan(nameservers []Nameserver, threads, delay int, recursive, single bool) {
queries := make(chan Query)
tab := make(chan interface{})
if !recursive {
Info(fmt.Sprintf("performing non-recursive lookups against %d resolvers...", len(nameservers)))
for i := 0; i < threads; i++ {
go RunQuery(queries, tab, delay)
}
for _, ns := range nameservers {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
} else {
Warn("recursive snooping can only be done once, as it populates the nameserver's cache")
Info(fmt.Sprintf("recursively snooping on %d resolvers...", len(nameservers)))
for i := 0; i < threads; i++ {
go RunQueryRA(queries, tab, delay)
}
if !single {
for _, ns := range nameservers {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
} else {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: nameservers[0].Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
}
close(queries)
}
func Takeoff(nameservers []Nameserver) {
var nonrns, rns []Nameserver
for _, ns := range nameservers {
if ns.Recursive {
rns = append(rns, ns)
}
if ns.NonRA {
nonrns = append(nonrns, ns)
}
}
if len(nonrns) == 0 && len(rns) == 0 {
Fatal("no valid nameservers available for probing, they may be down or they don't like your IP")
}
recursive := false
for {
if !recursive {
if len(nonrns) > 0 {
scan(nonrns, Params.Threads, Params.Delay, false, false)
} else {
for {
Info(fmt.Sprintf("non-recursive lookups not viable on these servers, perform recursive snooping? %s(less reliable, can only be done once per server)%s",
ColorRed, ColorReset))
fmt.Printf("%s `--(y/n):%s ", ColorCyan, ColorReset)
var input string
fmt.Scanln(&input)
if input == "y" {
recursive = true
break
}
if input == "n" {
os.Exit(0)
}
}
continue
}
} else {
autodetected := Params.Domain != "" && len(Params.Nservers) == 0
scan(rns, Params.Threads, Params.Delay, true, autodetected)
}
}
}

69
common/io.go Normal file
View File

@ -0,0 +1,69 @@
package common
import (
"fmt"
"os"
)
var (
ColorReset = "\033[0m"
ColorRed = "\033[31m"
ColorPurple = "\033[35m"
ColorLightBlue = "\033[34m"
ColorCyan = "\033[36m"
ColorGreen = "\033[32m"
ColorOrange = "\033[91m"
ColorGray = "\033[90m"
ColorYellow = "\033[93m"
ColorWhite = "\033[97m"
)
func Usage() {
Banner()
fmt.Printf(`
usage:
%s!%s d | target fqdn (not recommended)
%s!%s n | nameserver to query (can be specified multiple times)
v | enable verbosity %s[false]%s
t | threads %s[5]%s
s | delay between requests in milliseconds, per thread %s[250]%s
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
`, ColorRed, ColorReset, ColorRed, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset)
}
func Banner() {
fmt.Fprintf(os.Stderr, `
_______
_/_ / ---' ____)____
_ __. / __/ __ , , , ___ ______)
/_)_(_/|_<__(_/_(_)(_(_/_/ <_ _______)
/ _______)
' ---.__________)
`)
}
func Success(msg string) {
fmt.Printf("%s[+]%s %s\n", ColorGreen, ColorReset, msg)
}
func Info(msg string) {
fmt.Printf("%s[i]%s %s\n", ColorCyan, ColorReset, msg)
}
func Warn(msg string) {
fmt.Printf("%s[!]%s %s\n", ColorYellow, ColorReset, msg)
}
func Error(msg string) {
fmt.Printf("%s[x]%s %s\n", ColorRed, ColorReset, msg)
}
func Fatal(msg string) {
fmt.Printf("%s[f]%s %s\n", ColorRed, ColorReset, msg)
os.Exit(-1)
}

140
common/net.go Normal file
View File

@ -0,0 +1,140 @@
package common
import (
"fmt"
"time"
"github.com/miekg/dns"
)
type Query struct {
Nameserver string
Vendor string
DomainPair Pair
}
type Nameserver struct {
Nameserver string
NonRA bool
Recursive bool
}
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{
Name: dns.Fqdn(domain),
Qtype: reqtype,
Qclass: dns.ClassINET,
}
return msg
}
func ParseNS(nameservers []string) []Nameserver {
var valid []Nameserver
msg := message("cloudflare.com", dns.TypeA, false)
for _, ns := range nameservers {
nonra, ra := false, false
in, err := dns.Exchange(msg, ns+":53")
if err != nil {
Error(fmt.Sprintf("nameserver %s%s%s is not responding to the trial query", ColorGray, ns[0:len(ns)-1], ColorReset))
continue
}
if in.Rcode == dns.RcodeRefused {
Warn(fmt.Sprintf("nameserver %s%s%s refused the trial non-recursive query", ColorGray, ns[0:len(ns)-1], ColorReset))
} else {
Success(fmt.Sprintf("nameserver %s%s%s allows non-recursive queries", ColorGray, ns[0:len(ns)-1], ColorReset))
nonra = true
}
if in.RecursionAvailable {
Success(fmt.Sprintf("nameserver %s%s%s allows recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
ra = true
} else {
Warn(fmt.Sprintf("nameserver %s%s%s does not allow recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
}
valid = append(valid, Nameserver{Nameserver: ns, NonRA: nonra, Recursive: ra})
}
return valid
}
func NeutralReq() bool {
msg := message("supernets.org", dns.TypeA, true)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func PullNS(d string) []string {
nsmsg := message(d, dns.TypeNS, true)
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
if err != nil {
Fatal("unable to retrieve nameservers for " + d)
}
nameservers := []string{}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
nameservers = append(nameservers, ns.Ns)
}
}
return nameservers
}
func RunQuery(q <-chan Query, tracker chan<- interface{}, delay int) {
for qdata := range q {
if Params.Verbose {
Info(fmt.Sprintf("querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
}
msg := message(qdata.DomainPair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
if err != nil {
Error(err.Error())
continue
}
if len(in.Answer) > 0 {
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s",
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset))
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}
func RunQueryRA(q <-chan Query, tracker chan<- interface{}, delay int) {
for qdata := range q {
if Params.Verbose {
Info(fmt.Sprintf("recursively querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
}
for x := 0; x < 2; x++ {
msg := message(qdata.DomainPair.Domain, dns.TypeA, true)
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
if err != nil {
Error("hiccup on " + qdata.Nameserver[0:len(qdata.Nameserver)-1] + " while querying " + qdata.DomainPair.Domain)
time.Sleep(2 * time.Second)
continue
}
if len(in.Answer) > 0 {
if in.Answer[0].Header().Ttl <= qdata.DomainPair.TTL-4 {
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s with decremented TTL of %s%d%s",
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset, ColorGreen, in.Answer[0].Header().Ttl, ColorReset))
}
}
break
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}

829
common/ref.go
View File

@ -1,358 +1,483 @@
package common package common
type DomInfo struct { import "fmt"
Vendor string
type Pair struct {
Domain string
TTL uint32 TTL uint32
} }
var Domains = map[string]DomInfo{ var Vendors = map[string][]Pair{
// Microsoft Defender for Endpoint fmt.Sprintf("%sMicrosoft Defender for Endpoint%s", ColorCyan, ColorReset): domains_microsoft,
// https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls fmt.Sprintf("%sVMWare%s Carbon Black%s", ColorCyan, ColorGray, ColorReset): domains_carbonblack,
"download.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic fmt.Sprintf("%sCrowdStrike Falcon%s", ColorRed, ColorReset): domains_crowdstrike,
"go.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1600}, // dynamic fmt.Sprintf("%sCheck Point Harmony%s", ColorPurple, ColorReset): domains_checkpoint,
"security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, fmt.Sprintf("%sCybereason%s", ColorYellow, ColorReset): domains_cybereason,
"settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic fmt.Sprintf("%sTrellix%s", ColorCyan, ColorReset): domains_trellix,
"windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300}, fmt.Sprintf("%sCortex XDR%s", ColorOrange, ColorReset): domains_paloalto,
"ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1800}, fmt.Sprintf("%sSentinelOne Singularity%s", ColorPurple, ColorReset): domains_sentinelone,
"wdcp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, fmt.Sprintf("%sSymantec Endpoint Security%s", ColorYellow, ColorReset): domains_symantec,
"wd.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300}, fmt.Sprintf("%sTanium%s", ColorRed, ColorReset): domains_tanium,
"wdcpalt.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, fmt.Sprintf("%sNextron%s Aurora%s", ColorCyan, ColorGreen, ColorReset): domains_aurora,
"checkappexec.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, fmt.Sprintf("%sTrend Micro Endpoint Sensor%s", ColorRed, ColorReset): domains_trendmicro,
"smartscreen-prod.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, fmt.Sprintf("%sRapid7%s InsightIDR", ColorOrange, ColorReset): domains_rapid7,
"vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120}, }
"update.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"download.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300}, // Microsoft Defender for Endpoint
"definitionupdates.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300}, // https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
"delivery.mp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300}, var domains_microsoft = []Pair{
"fe3cr.delivery.mp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, {"download.microsoft.com", 3600}, // not certain
"ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"go.microsoft.com", 3600}, // not certain
"ussus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"security.microsoft.com", 3600},
"wsus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"settings-win.data.microsoft.com", 3600}, // not certain
"wseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"windowsupdate.com", 300},
"wsus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"ctldl.windowsupdate.com", 3600}, // not certain
"ussus3westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"wdcp.microsoft.com", 3600},
"wsus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"wd.microsoft.com", 300},
"wsuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"wdcpalt.microsoft.com", 3600},
"ussus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"checkappexec.microsoft.com", 3600}, // not certain
"usseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"smartscreen-prod.microsoft.com", 3600},
"wsus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"vortex-win.data.microsoft.com", 120},
"usseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"update.microsoft.com", 3600}, // not certain
"ussus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"download.windowsupdate.com", 3600}, // not certain
"ussuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"definitionupdates.microsoft.com", 3600},
"ussus4eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, // {"delivery.mp.microsoft.com", 0},
"wseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, // {"fe3cr.delivery.mp.microsoft.com", 0},
"ussuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"ussus2westprod.blob.core.windows.net", 60},
"ussus3eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"ussus1westprod.blob.core.windows.net", 60},
"ussus4westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"wsus2westprod.blob.core.windows.net", 60},
"wsuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, {"wseu1northprod.blob.core.windows.net", 60},
{"wsus2eastprod.blob.core.windows.net", 60},
// VMWare Carbon Black {"ussus3westprod.blob.core.windows.net", 60},
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls {"wsus1eastprod.blob.core.windows.net", 60},
"defense-prod05.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, {"wsuk1westprod.blob.core.windows.net", 60},
"console.cloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, {"ussus2eastprod.blob.core.windows.net", 60},
"updates2.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, {"usseu1northprod.blob.core.windows.net", 60},
"dashboard.confer.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300}, {"wsus1westprod.blob.core.windows.net", 60},
"console.cloud-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300}, {"usseu1westprod.blob.core.windows.net", 60},
"ew2.carbonblackcloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300}, {"ussus1eastprod.blob.core.windows.net", 60},
"defense.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, {"ussuk1westprod.blob.core.windows.net", 60},
"carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, {"ussus4eastprod.blob.core.windows.net", 60},
"carbonblack.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600}, {"wseu1westprod.blob.core.windows.net", 60},
"defense-prodnrt.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, {"ussuk1southprod.blob.core.windows.net", 60},
"updates.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, {"ussus3eastprod.blob.core.windows.net", 60},
"gprd1usgw1.carbonblack-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600}, {"ussus4westprod.blob.core.windows.net", 60},
"defense-prodsyd.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, {"wsuk1southprod.blob.core.windows.net", 60},
"carbonblack.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300}, }
"defense-eap01.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"defense-eu.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, // VMWare Carbon Black
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
// CrowdStrike Falcon // https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.8.0/cb-edr-scm-guide/GUID-3117FB54-5D0F-46C1-8372-BF3784D27CFF.html
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements // restricted: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-Ports-must-be-opened-on-the-Firewall-and-Proxy/ta-p/36295
"falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, var domains_carbonblack = []Pair{
"falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"defense-prod05.conferdeploy.net", 60},
"ts01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"console.cloud.vmware.com", 60},
"us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 900}, {"updates2.cdc.carbonblack.io", 300},
"api.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300}, {"dashboard.confer.net", 300},
"ts01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"console.cloud-us-gov.vmware.com", 300},
"firehose.us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"ew2.carbonblackcloud.vmware.com", 30},
"assets.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, {"defense.conferdeploy.net", 60},
"api.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, {"carbonblack.io", 60},
"lfodown01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"carbonblack.vmware.com", 86400},
"assets-public.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"defense-prodnrt.conferdeploy.net", 60},
"assets.falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, {"updates.cdc.carbonblack.io", 60},
"api.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, {"gprd1usgw1.carbonblack-us-gov.vmware.com", 3600},
"assets-public.us-2.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, {"defense-prodsyd.conferdeploy.net", 60},
"firehose.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"carbonblack.com", 300},
"ts01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"defense-eap01.conferdeploy.net", 60},
"lfoup01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"defense-eu.conferdeploy.net", 60},
"assets-public.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, {"api.alliance.carbonblack.com", 600},
"crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300}, {"api2.alliance.carbonblack.com", 600},
"lfoup01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"threatintel.bit9.com", 3600},
"lfoup01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"yum.distro.carbonblack.io", 300},
"ts01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, }
"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"ts01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, // CrowdStrike Falcon
"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, // https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
"assets.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, var domains_crowdstrike = []Pair{
"lfodown01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"falcon.us-2.crowdstrike.com", 120},
"falcon.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"falcon.crowdstrike.com", 60},
"firehose.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, {"ts01-gyr-maverick.cloudsink.net", 60},
"firehose.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, // {"us-gov-2.crowdstrike.com", 0},
"lfodown01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"api.crowdstrike.com", 300},
"api.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"ts01-b.cloudsink.net", 1800},
"lfodown01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, // {"firehose.us-gov-2.crowdstrike.com", 0},
"lfodown01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, {"assets.falcon.eu-1.crowdstrike.com", 120},
"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"api.eu-1.crowdstrike.com", 60},
"firehose.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300}, {"lfodown01-b.cloudsink.net", 1800},
"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, {"assets-public.falcon.crowdstrike.com", 60},
{"assets.falcon.us-2.crowdstrike.com", 120},
// Harmony / CheckPoint {"api.us-2.crowdstrike.com", 120},
// https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590 {"assets-public.us-2.falcon.crowdstrike.com", 120},
"rep.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"firehose.laggar.gcw.crowdstrike.com", 60},
"threat-emulation.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"ts01-lanner-lion.cloudsink.net", 60},
"epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900}, {"lfoup01-lanner-lion.cloudsink.net", 1800},
"sc1.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"assets-public.falcon.eu-1.crowdstrike.com", 120},
"gwevents.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"crowdstrike.com", 300},
"gwevents.us.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 180}, {"lfoup01-gyr-maverick.cloudsink.net", 1800},
"endpoint-cdn.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300}, {"lfoup01-b.cloudsink.net", 1800},
"checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 39}, {"ts01-laggar-gcw.cloudsink.net", 60},
"iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900}, {"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com", 60},
"kav8.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"ts01-us-gov-2.cloudsink.net", 1800},
"cloudinfra-gw.portal.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, {"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com", 60},
"datatube-prod.azurewebsites.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 30}, {"assets.falcon.crowdstrike.com", 60},
"updates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"lfodown01-lanner-lion.cloudsink.net", 60},
"ep-repo.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300}, {"falcon.laggar.gcw.crowdstrike.com", 60},
"file-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, {"firehose.us-2.crowdstrike.com", 120},
"threatcloud.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, {"firehose.eu-1.crowdstrike.com", 120},
"dl3.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"lfodown01-laggar-gcw.cloudsink.net", 60},
"secureupdates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"api.laggar.gcw.crowdstrike.com", 60},
"epm-gw-eu.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 86400}, {"lfodown01-gyr-maverick.cloudsink.net", 60},
"url-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, {"lfodown01-us-gov-2.cloudsink.net", 1800},
"te.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, {"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com", 60},
"services.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, {"firehose.crowdstrike.com", 300},
"europe-west1-datatube-240519.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300}, {"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com", 60},
"cws.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, }
"teadv.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300}, // Harmony / CheckPoint
"te.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, // https://support.checkpoint.com/results/sk/sk116590
var domains_checkpoint = []Pair{
// Cybereason {"rep.checkpoint.com", 1800},
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html {"threat-emulation.checkpoint.com", 1800},
"data-epgw-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, {"sc1.checkpoint.com", 1800},
"probe-dist-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 60}, {"gwevents.checkpoint.com", 300},
"data-epgw-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, {"gwevents.us.checkpoint.com", 180},
"probe-dist.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, {"endpoint-cdn.epmgmt.checkpoint.com", 300},
"probe-dist-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, // {"checkpoint.com", 25}, <- dynamic ttl
"probe-dist-dns.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 3600}, {"kav8.checkpoint.com", 1800},
"data-epgw.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, {"cloudinfra-gw.portal.checkpoint.com", 60},
"cybereason.com": DomInfo{Vendor: "Cybereason", TTL: 300}, {"datatube-prod.azurewebsites.net", 30},
{"updates.checkpoint.com", 1800},
// FireEye / Trellix {"ep-repo.epmgmt.checkpoint.com", 300},
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878 {"file-rep.iaas.checkpoint.com", 60},
"manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 900}, {"threatcloud.iaas.checkpoint.com", 60},
"cds-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"dl3.checkpoint.com", 1800},
"sw-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"secureupdates.checkpoint.com", 1800},
"cdn-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"epm-gw-eu.epmgmt.checkpoint.com", 86400},
"sw-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"url-rep.iaas.checkpoint.com", 60},
"cdn-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"te.iaas.checkpoint.com", 60},
"cdn-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"services.checkpoint.com", 1800},
"auth.ui.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"europe-west1-datatube-240519.cloudfunctions.net", 300},
"uam.api.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"cws.checkpoint.com", 1800},
"api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"teadv.checkpoint.com", 1800},
"cds-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net", 300},
"trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"te.checkpoint.com", 1800},
"sw-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap2.epmgmt.checkpoint.com", 300},
"sw-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 300}, {"hap21.epmgmt.checkpoint.com", 300},
"dxlweb-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap5.epmgmt.checkpoint.com", 300},
"cds-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap51.epmgmt.checkpoint.com", 300},
"cdn-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap1.epmgmt.checkpoint.com", 300},
"dxlweb-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap11.epmgmt.checkpoint.com", 300},
"cdn-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap3.epmgmt.checkpoint.com", 300},
"dxl-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap31.epmgmt.checkpoint.com", 300},
"sw-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap4.epmgmt.checkpoint.com", 300},
"dxl-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"hap41.epmgmt.checkpoint.com", 300},
"dxlweb-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"ftp-proxy.checkpoint.com", 1800},
"cds-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"web-rep.checkpoint.com", 1800},
"cdn-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, }
"sw-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, // Cybereason
"dxlweb-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, // https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
"cdn-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, var domains_cybereason = []Pair{
"sw-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"data-epgw-eu-west-1.cybereason.net", 300},
"dxl-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"probe-dist-asia-northeast-1.cybereason.net", 60},
"dxl-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"data-epgw-asia-northeast-1.cybereason.net", 300},
"cdn-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, {"probe-dist.cybereason.net", 300},
"iam.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10}, {"probe-dist-eu-west-1.cybereason.net", 300},
"iam-rs.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10}, {"probe-dist-dns.cybereason.net", 3600},
"gsd.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10}, {"data-epgw.cybereason.net", 300},
{"cybereason.com", 600},
// Cortex XDR / Palo Alto Networks }
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
"panw-xdr-evr-prod-au.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, // FireEye / Trellix
"lrc-eu.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, // https://kcm.trellix.com/corporate/index?page=content&id=KB90878
"global-content-profiles-policy.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, var domains_trellix = []Pair{
"panw-xdr-evr-prod-uk.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"epo.trellix.com", 300},
"lrc-ch.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"s-download.trellix.com", 300},
"lrc-jp.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"lc.trellix.com", 300},
"panw-xdr-evr-prod-qt.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"manage.trellix.com", 60},
"panw-xdr-evr-prod-pl.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"cds-usw001.manage.trellix.com", 60},
"pendo-static-5664029141630976.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"cdn-usw002.manage.trellix.com", 60},
"panw-xdr-evr-prod-sg.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"cdn-usw001.manage.trellix.com", 60},
"lrc-uk.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"cdn-usw003.manage.trellix.com", 60},
"lrc-us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"auth.ui.trellix.com", 60},
"lrc-tw.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 1800}, {"uam.api.trellix.com", 60},
"panw-xdr-evr-prod-eu.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"api.manage.trellix.com", 60},
"lrc-ca.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"cds-usw002.manage.trellix.com", 60},
"paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30}, {"trellix.com", 60},
"lrc-fa.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30}, {"dxlweb-usw001.manage.trellix.com", 60},
"panw-xdr-evr-prod-in.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"cds-usw003.manage.trellix.com", 60},
"panw-xdr-evr-prod-fa.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"cdn-sgp001.manage.trellix.com", 60},
"panw-xdr-evr-prod-ca.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxlweb-usw002.manage.trellix.com", 60},
"lrc-pl.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"cdn-ind001.manage.trellix.com", 60},
"lrc-qt.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxl-usw002.manage.trellix.com", 60},
"panw-xdr-evr-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxl-usw001.manage.trellix.com", 60},
"lrc-de.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxlweb-usw003.manage.trellix.com", 60},
"panw-xdr-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"cds-usw004.manage.trellix.com", 60},
"panw-xdr-evr-prod-ch.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"cdn-au001.manage.trellix.com", 60},
"lrc-in.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"dxlweb-usw004.manage.trellix.com", 60},
"panw-xdr-evr-prod-de.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"cdn-usw004.manage.trellix.com", 60},
"lrc-au.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"dxl-usw004.manage.trellix.com", 60},
"panw-xdr-evr-prod-tw.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxl-usw003.manage.trellix.com", 60},
"login.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"cdn-eu001.manage.trellix.com", 60},
"lrc-sg.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"iam.cloud.trellix.com", 10},
"panw-xdr-evr-prod-jp.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"iam-rs.cloud.trellix.com", 10},
"panw-xdr-payloads-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"gsd.cloud.trellix.com", 10},
"distributions.traps.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"d2c-us-west-2.manage.trellix.com", 60},
"distributions-prod-fed.traps.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"d2c-eu-central-1.manage.trellix.com", 60},
"cortex-gateway.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30}, {"dxlweb-sgp001.manage.trellix.com", 60},
"gw-app-proxy.us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxl-sgp001.manage.trellix.com", 60},
"xdr-ova-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxl-eu001.manage.trellix.com", 60},
"identity.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxlweb-eu001.manage.trellix.com", 60},
"identity.gslb.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 5}, {"dxl-au001.manage.trellix.com", 60},
"identity.gcp.gslb.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 5}, {"dxlweb-au001.manage.trellix.com", 60},
"lrc-fed.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400}, {"dxl-ind001.manage.trellix.com", 60},
"panw-xdr-installers-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"dxlweb-ind001.manage.trellix.com", 60},
"panw-xdr-payloads-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"ui-usw001.manage.trellix.com", 60},
"global-content-profiles-policy-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"ui-usw002.manage.trellix.com", 60},
"panw-xdr-evr-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"ui-usw003.manage.trellix.com", 60},
"app-proxy.federal.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300}, {"ui-usw004.manage.trellix.com", 60},
{"ui-sgp001.manage.trellix.com", 60},
// Singularity / SentinelOne {"ui-eu001.manage.trellix.com", 60},
"eu1-oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ui-au001.manage.trellix.com", 60},
"eu1-qi.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ui-ind001.manage.trellix.com", 60},
"console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ah-usw001.manage.trellix.com", 60},
"sentinelone.com": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ah-usw002.manage.trellix.com", 60},
"eu1-console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ah-usw003.manage.trellix.com", 60},
"eu1-content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ah-usw004.manage.trellix.com", 60},
"panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ah-sgp001.manage.trellix.com", 60},
"oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ah-eu001.manage.trellix.com", 60},
"xdr.intus1.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 60}, {"ah-au001.manage.trellix.com", 60},
"eu1-device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"ah-ind001.manage.trellix.com", 60},
"eu1-vpc.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, }
"eu1-acceptor.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"login.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, // Cortex XDR / Palo Alto Networks
"device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, // https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
"eu1-panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, var domains_paloalto = []Pair{
"eu1-token.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"panw-xdr-evr-prod-au.storage.googleapis.com", 300},
"content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"lrc-eu.paloaltonetworks.com", 14400},
"ut.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300}, {"global-content-profiles-policy.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-uk.storage.googleapis.com", 300},
// Symantec / Broadcom {"lrc-ch.paloaltonetworks.com", 14400},
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html {"lrc-jp.paloaltonetworks.com", 14400},
"remotetunnel5.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600}, {"panw-xdr-evr-prod-qt.storage.googleapis.com", 300},
"remotetunnel1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600}, {"panw-xdr-evr-prod-pl.storage.googleapis.com", 300},
"remotetunnel3.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600}, {"pendo-static-5664029141630976.storage.googleapis.com", 300},
"bash-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"panw-xdr-evr-prod-sg.storage.googleapis.com", 300},
"remotetunnel2.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600}, {"lrc-uk.paloaltonetworks.com", 14400},
"central.b6.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"lrc-us.paloaltonetworks.com", 14400},
"stnd-ipsg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"lrc-tw.paloaltonetworks.com", 1800},
"datafeedapi.symanteccloud.com": DomInfo{Vendor: "Symantec", TTL: 300}, {"panw-xdr-evr-prod-eu.storage.googleapis.com", 300},
"stnd-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"lrc-ca.paloaltonetworks.com", 14400},
"shasta-rrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"paloaltonetworks.com", 30},
"remotetunnel4.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600}, // {"lrc-fa.paloaltonetworks.com", 14400},
"liveupdate.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"panw-xdr-evr-prod-in.storage.googleapis.com", 300},
"sso1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600}, {"panw-xdr-evr-prod-fa.storage.googleapis.com", 300},
"shasta-mrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"panw-xdr-evr-prod-ca.storage.googleapis.com", 300},
"telemetry.broadcom.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"lrc-pl.paloaltonetworks.com", 14400},
"ratings-wrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"lrc-qt.paloaltonetworks.com", 300},
"api-gateway.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"panw-xdr-evr-prod-us.storage.googleapis.com", 300},
"swupdate.brightmail.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"lrc-de.paloaltonetworks.com", 300},
"symantec.com": DomInfo{Vendor: "Symantec", TTL: 600}, {"panw-xdr-installers-prod-us.storage.googleapis.com", 300},
"licensing.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600}, {"panw-xdr-evr-prod-ch.storage.googleapis.com", 300},
"api.us.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 1800}, // could be wrong {"lrc-in.paloaltonetworks.com", 14400},
"api.eu.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 1800}, {"panw-xdr-evr-prod-de.storage.googleapis.com", 300},
{"lrc-au.paloaltonetworks.com", 14400},
// Tanium {"panw-xdr-evr-prod-tw.storage.googleapis.com", 300},
"docs-es.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300}, {"login.paloaltonetworks.com", 14400},
"prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900}, {"lrc-sg.paloaltonetworks.com", 14400},
"docs-ko.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300}, {"panw-xdr-evr-prod-jp.storage.googleapis.com", 300},
"tanium.com": DomInfo{Vendor: "Tanium", TTL: 300}, {"panw-xdr-payloads-prod-us.storage.googleapis.com", 300},
"prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900}, {"distributions.traps.paloaltonetworks.com", 300},
"shared.prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900}, {"distributions-prod-fed.traps.paloaltonetworks.com", 300},
"prd.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900}, {"cortex-gateway.paloaltonetworks.com", 30},
"jp.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300}, {"gw-app-proxy.us.paloaltonetworks.com", 300},
"docs-fr.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300}, {"xdr-ova-installers-prod-us.storage.googleapis.com", 300},
"shared.prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900}, {"identity.paloaltonetworks.com", 300},
"shared.prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900}, {"identity.gslb.paloaltonetworks.com", 5},
"prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900}, {"identity.gcp.gslb.paloaltonetworks.com", 5},
"prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300}, {"lrc-fed.paloaltonetworks.com", 14400},
"shared.prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300}, {"panw-xdr-installers-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-payloads-prod-fr.storage.googleapis.com", 300},
// Aurora {"global-content-profiles-policy-prod-fr.storage.googleapis.com", 300},
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html {"panw-xdr-evr-prod-fr.storage.googleapis.com", 300},
"update-aurora.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60}, {"app-proxy.federal.paloaltonetworks.com", 300},
"update-102.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60}, }
"update-202.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-201.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60}, // Singularity / SentinelOne
"update-lite.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60}, var domains_sentinelone = []Pair{
{"eu1-oauth.mobile.sentinelone.net", 300},
// Trend Micro {"eu1-qi.mobile.sentinelone.net", 300},
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002 {"console.mobile.sentinelone.net", 300},
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/ {"sentinelone.com", 300},
"xdr.trendmicro.co.jp": DomInfo{Vendor: "Trend Micro", TTL: 60}, {"eu1-console.mobile.sentinelone.net", 300},
"files.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800}, {"eu1-content.mobile.sentinelone.net", 300},
"api.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60}, {"panel.mobile.sentinelone.net", 300},
"cloudone.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60}, {"oauth.mobile.sentinelone.net", 300},
"ddd53-p.activeupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800}, {"xdr.intus1.sentinelone.net", 60},
"trenddefense.com": DomInfo{Vendor: "Trend Micro", TTL: 300}, {"eu1-device-api.mobile.sentinelone.net", 300},
"threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800}, {"eu1-vpc.mobile.sentinelone.net", 300},
"api.sg.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60}, {"eu1-acceptor.mobile.sentinelone.net", 300},
"trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800}, {"login.sentinelone.net", 300},
"api.jp.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60}, {"device-api.mobile.sentinelone.net", 300},
"api.eu.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60}, {"eu1-panel.mobile.sentinelone.net", 300},
"docs.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800}, {"eu1-token.mobile.sentinelone.net", 300},
"api.us.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60}, {"content.mobile.sentinelone.net", 300},
"ddd53-threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800}, {"ut.sentinelone.net", 300},
"licenseupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800}, }
"xdr.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
// Symantec / Broadcom
// Rapid7 InsightIDR // https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Getting-Started/urls-to-whitelist-for-v129099891-d4155e9710.html
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr var domains_symantec = []Pair{
"data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 60}, {"liveupdate.symantec.com", 3600},
"us2.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30}, {"liveupdate.symantecliveupdate.com", 600},
"us3.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30}, {"shasta-rrs.symantec.com", 1800},
"eu.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30}, {"ent-shasta-rrs.symantec.com", 1800},
"ca.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30}, {"ent-shasta-mr-clean.symantec.com", 1800},
"au.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30}, {"symantec.com", 600},
"ap.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30}, {"sp.cwfservice.net", 600},
"endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300}, {"us.spoc.securitycloud.symantec.com", 600},
"us2.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300}, {"eu.spoc.securitycloud.symantec.com", 600},
"us3.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300}, {"in.spoc.securitycloud.symantec.com", 3600},
"eu.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300}, {"telemetry.broadcom.com", 3600},
"ca.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300}, {"tses.broadcom.com", 30},
"au.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300}, {"central.b6.crsi.symantec.com", 1800},
"ap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300}, {"central.ss.crsi.symantec.com", 1800},
"us.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"central.nrsi.symantec.com", 1800},
"us.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"central.avsi.symantec.com", 1800},
"us2.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"central.crsi.symantec.com", 1800},
"us2.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"shasta-mrs.symantec.com", 1800},
"us3.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"shasta-clt.symantec.com", 1800},
"us3.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"stnd-avpg.crsi.symantec.com", 1800},
"eu.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"avs-avpg.crsi.symantec.com", 1800},
"eu.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"stnd-ipsg.crsi.symantec.com ", 1800},
"ca.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"bash-avpg.crsi.symantec.com", 1800},
"ca.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"tus1gwynwapex01.symantec.com", 3600},
"au.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"pod.threatpulse.com", 120},
"au.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"faults.qalabs.symantec.com", 1800},
"ap.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"faults.symantec.com", 1800},
"ap.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400}, {"linux-repo-us.securityalliance.cloud", 86400},
{"usea1.r3.securitycloud.symantec.com", 3600},
{"euws1.r3.securitycloud.symantec.com", 3600},
{"inso1.r3.securitycloud.symantec.com", 3600},
{"datafeedapi.symanteccloud.com", 300},
{"us.spoc.securitycloud.symantec.com", 600},
{"eu.spoc.securitycloud.symantec.com ", 600},
{"in.spoc.securitycloud.symantec.com", 3600},
{"uploads.sep.securitycloud.symantec.com", 3600},
{"uploads.sep.eu.securitycloud.symantec.com ", 3600},
{"uploads.sep.in.securitycloud.symantec.com", 3600},
{"ws.securitycloud.symantec.com", 600},
{"bds.securitycloud.symantec.com", 600},
{"ws.eu.securitycloud.symantec.com", 3600},
{"bds.eu.securitycloud.symantec.com", 3600},
{"ws.in.securitycloud.symantec.com ", 3600},
{"bds.in.securitycloud.symantec.com", 3600},
{"cdn.sepmobile.securitycloud.symantec.com", 300},
{"mitm.sepmobile.securitycloud.symantec.com", 300},
{"services-prod.symantec.com", 600},
{"sep.securitycloud.symantec.com", 3600},
{"sep.eu.securitycloud.symantec.com", 3600},
{"sep.in.securitycloud.symantec.com", 3600},
{"avagoext.okta.com", 300},
{"accounts.saas.broadcomcloud.com", 3600},
{"api.sep.securitycloud.symantec.com", 86400},
{"api.sep.eu.securitycloud.symantec.com", 3600},
{"api.sep.in.securitycloud.symantec.com", 3600},
{"knowledge.broadcom.com", 3600},
{"support.broadcom.com", 300},
{"casupport.broadcom.com", 300},
{"login.broadcom.com", 3600},
{"ced.broadcom.com", 3600},
{"ratings-wrs.symantec.com", 3600},
{"api-gateway.symantec.com", 3600},
{"swupdate.brightmail.com", 3600},
{"licensing.dmas.symantec.com", 3600},
{"api.us.dmas.symantec.com", 300},
{"api.eu.dmas.symantec.com", 300},
}
// Tanium
var domains_tanium = []Pair{
{"content.tanium.com", 300},
{"docs-es.tanium.com", 300},
{"docs-fr.tanium.com", 300},
{"tanium.com", 300},
{"go2.tanium.com", 300},
{"learn.tanium.com", 300},
{"som.cloud.tanium.com", 60},
{"download.tanium.com", 300},
{"fnf-api.cloud.tanium.com", 60},
{"community.tanium.com", 300},
{"3.distribute.cloud.tanium.com", 300},
{"content.tanium.com", 300},
{"help.tanium.com", 300},
{"docs.tanium.com", 300},
{"moveit.tanium.com", 300},
{"kb.tanium.com", 300},
}
// Aurora
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
var domains_aurora = []Pair{
{"update-aurora.nextron-systems.com", 60},
{"update-102.nextron-systems.com", 60},
{"update-202.nextron-systems.com", 60},
{"update-201.nextron-systems.com", 60},
{"update-lite.nextron-systems.com", 60},
}
// Trend Micro
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
var domains_trendmicro = []Pair{
{"xdr.trendmicro.co.jp", 60},
{"files.trendmicro.com", 1800},
{"api.nacloud.trendmicro.com", 60},
{"cloudone.trendmicro.com", 60},
{"ddd53-p.activeupdate.trendmicro.com", 1800},
{"trenddefense.com", 300},
{"threatconnect.trendmicro.com", 1800},
{"api.sg.nacloud.trendmicro.com", 60},
{"trendmicro.com", 1800},
{"api.jp.nacloud.trendmicro.com", 60},
{"api.eu.nacloud.trendmicro.com", 60},
{"docs.trendmicro.com", 1800},
{"api.us.nacloud.trendmicro.com", 60},
{"ddd53-threatconnect.trendmicro.com", 1800},
{"licenseupdate.trendmicro.com", 1800},
{"xdr.trendmicro.com", 60},
}
// Rapid7 InsightIDR
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr
var domains_rapid7 = []Pair{
{"data.insight.rapid7.com", 60},
{"us2.data.insight.rapid7.com", 30},
{"us3.data.insight.rapid7.com", 30},
{"eu.data.insight.rapid7.com", 30},
{"ca.data.insight.rapid7.com", 30},
{"au.data.insight.rapid7.com", 30},
{"ap.data.insight.rapid7.com", 30},
{"endpoint.ingress.rapid7.com", 300},
{"us2.endpoint.ingress.rapid7.com", 300},
{"us3.endpoint.ingress.rapid7.com", 300},
{"eu.endpoint.ingress.rapid7.com", 300},
{"ca.endpoint.ingress.rapid7.com", 300},
{"au.endpoint.ingress.rapid7.com", 300},
{"ap.endpoint.ingress.rapid7.com", 300},
{"us.storage.endpoint.ingress.rapid7.com", 86400},
{"us.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us2.storage.endpoint.ingress.rapid7.com", 86400},
{"us2.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us3.storage.endpoint.ingress.rapid7.com", 86400},
{"us3.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"eu.storage.endpoint.ingress.rapid7.com", 86400}, // not certain
{"eu.bootstrap.endpoint.ingress.rapid7.com", 86400}, // not certain
{"ca.storage.endpoint.ingress.rapid7.com", 86400},
{"ca.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"au.storage.endpoint.ingress.rapid7.com", 86400},
{"au.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"ap.storage.endpoint.ingress.rapid7.com", 86400},
{"ap.bootstrap.endpoint.ingress.rapid7.com", 86400},
} }

14
go.mod
View File

@ -1,11 +1,13 @@
module patdown module patdown
go 1.21.0 go 1.22.6
require github.com/miekg/dns v1.1.62
require ( require (
github.com/miekg/dns v1.1.57 // indirect golang.org/x/mod v0.18.0 // indirect
golang.org/x/mod v0.12.0 // indirect golang.org/x/net v0.27.0 // indirect
golang.org/x/net v0.17.0 // indirect golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.13.0 // indirect golang.org/x/sys v0.22.0 // indirect
golang.org/x/tools v0.13.0 // indirect golang.org/x/tools v0.22.0 // indirect
) )

22
go.sum
View File

@ -1,10 +1,12 @@
github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=