Compare commits

..

No commits in common. "main" and "v1.0" have entirely different histories.
main ... v1.0

10 changed files with 510 additions and 909 deletions

View File

@ -1,63 +1,6 @@
# patdown # patdown
> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.
> Remotely predicts and identifies the presence of EDR/XDR solutions on networks
<p align="center"> <p align="center">
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text"> <img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
</p> </p>
## Abstract
patdown is an EDR/XDR fingerprinting utility used for remotely predicting defense mechanisms in use on a network.
This allows you to forecast the security posture of a network during the earliest stages of access, or even prior to any access at all.
Fingerprinting is achieved via the probing of DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` cached, chances are the *CrowdStrike Falcon* EDR solution is present on the network.
These DNS servers can be specified as arguments (most effective), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-d` flag.
> ⚠️ Authoritative nameservers are rarely used as egress resolvers for networks and are not as reliable for fingerprinting EDR/XDR, making them prone to false positives.
## Installation
Retrieve a binary corresponding to your architecture from **Releases**
*or*
`git clone https://github.com/speedboat/patdown.git ; cd patdown/cmd/patdown ; go build -o patdown main.go ; ./patdown -h`
## Usage
```
d | target fqdn (not as reliable, prone to false positives)
n | nameserver to query (can be specified multiple times)
v | enable verbosity [false]
t | threads [5]
s | delay between requests in milliseconds, per thread [250]
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
```
## Currently Identified Vendors/Solutions:
- [x] **CrowdStrike** Falcon
- [x] **Microsoft** Defender for Endpoint
- [x] **VMWare** Carbon Black
- [x] **Check Point** Harmony
- [x] **Cybereason** EDR
- [x] **Trellix** EDR
- [x] **Palo Alto Networks** Cortex XDR
- [x] **SentinelOne** Singularity
- [x] **Symantec** Endpoint Security
- [x] **Tanium** EDR
- [x] **Nextron** Aurora
- [x] **Trend Micro** Endpoint Sensor
- [x] **Rapid7** InsightIDR
- [ ] **ESET** Inspect
- [ ] **Harfanglab** EDR
- [ ] **Limacharlie** EDR
- [ ] **Elastic** Security
- [ ] **Qualys** EDR
- [ ] **Uptycs** XDR
- [ ] **WatchGuard** EDR

View File

@ -1,36 +1,151 @@
package main package main
import ( import (
"flag"
"fmt" "fmt"
"time"
"patdown/common" "patdown/common"
"github.com/miekg/dns"
) )
type multiflag []string
type Pair struct {
Nameserver string
Domain string
}
func (m *multiflag) String() string {
return "irc.supernets.org #superbowl"
}
func (m *multiflag) Set(value string) error {
*m = append(*m, value)
return nil
}
var (
domain = flag.String("t", "", "")
workers = flag.Int("c", 100, "")
delay = flag.Int("s", 100, "")
nameserver multiflag
)
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
return msg
}
func query(q <-chan Pair, tracker chan<- interface{}) {
for pair := range q {
msg := message(pair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, pair.Nameserver+":53")
if err != nil {
common.Error(err.Error())
continue
}
if len(in.Answer) > 0 {
fmt.Printf("[%s] associated domain %s found on %s\n", common.Vendors[common.Domains[pair.Domain]], pair.Domain, pair.Nameserver)
}
time.Sleep(time.Duration(*delay) * time.Millisecond)
}
tracker <- 1337
}
func testns(ns string) error {
msg := message("supernets.org", dns.TypeA, false)
_, err := dns.Exchange(msg, ns+":53")
if err != nil {
return err
}
return nil
}
func testreq() bool {
msg := message("cloudflare.com", dns.TypeA, false)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func main() { func main() {
common.LoadArgs() flag.Var(&nameserver, "n", "nameserver to query")
var servers []string flag.Usage = common.Usage
flag.Parse()
var nameservers []string
pairs := make(chan Pair)
tracker := make(chan interface{})
common.Banner() common.Banner()
autodetect := common.Params.Domain != "" if *domain != "" {
if autodetect { // query domain for nameservers
if servers = common.PullNS(common.Params.Domain); len(servers) == 0 { nsmsg := message(*domain, dns.TypeNS, true)
common.Fatal("no nameservers found for " + common.Params.Domain) in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
if err != nil {
panic(err)
}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
nameservers = append(nameservers, ns.Ns)
}
}
} else if len(nameserver) > 0 {
for _, ns := range nameserver {
nameservers = append(nameservers, ns)
} }
common.Info(fmt.Sprintf("retrieved %s%d%s nameservers for %s", common.ColorGreen, len(servers), common.ColorReset, common.Params.Domain))
} else if len(common.Params.Nservers) > 0 {
servers = common.Params.Nservers
} else { } else {
common.Fatal("provide a domain or nameservers to target") // print usage
common.Usage()
return
} }
if !common.NeutralReq() { if !testreq() {
common.Fatal("neutral dns check failed, are you on a dirty box or vpn?") common.Fatal("non-recursive queries are being refused, are you on a very dirty box or VPN?")
} }
valid := common.ParseNS(servers) common.Info("aggregating nameservers...")
if len(valid) == 0 {
common.Fatal("no servers responded to trial probes, they're either down or they don't like your IP") for i, ns := range nameservers {
if err := testns(ns); err != nil {
common.Error("nameserver " + ns + " is not responding")
nameservers = append(nameservers[:i], nameservers[i+1:]...)
}
} }
common.Takeoff(valid) common.Info(fmt.Sprintf("snooping caches on %d resolvers...", len(nameservers)))
go func() {
for i := 0; i < *workers; i++ {
query(pairs, tracker)
}
}()
for _, ns := range nameservers {
for k, _ := range common.Domains {
pairs <- Pair{Nameserver: ns, Domain: k}
}
}
close(pairs)
for x := 0; x < *workers; x++ {
<-tracker
}
} }

View File

@ -1,39 +0,0 @@
package common
import "flag"
type multiflag []string
type Config struct {
Domain string
Threads int
Delay int
Nservers []string
Verbose bool
}
var (
domain = flag.String("d", "", "")
workers = flag.Int("t", 5, "")
delay = flag.Int("s", 250, "")
verbose = flag.Bool("v", false, "")
nsarg multiflag
Params Config
)
func (m *multiflag) String() string {
return "front page maximum wage"
}
func (m *multiflag) Set(value string) error {
*m = append(*m, value)
return nil
}
func LoadArgs() {
flag.Var(&nsarg, "n", "")
flag.Usage = Usage
flag.Parse()
Params = Config{Domain: *domain, Threads: *workers, Delay: *delay, Nservers: nsarg, Verbose: *verbose}
}

87
common/console.go Normal file
View File

@ -0,0 +1,87 @@
package common
import (
"fmt"
"os"
)
var (
ColorReset = "\033[0m"
ColorRed = "\033[31m"
ColorPurple = "\033[35m"
ColorLightBlue = "\033[34m"
ColorCyan = "\033[36m"
ColorGreen = "\033[32m"
ColorOrange = "\033[91m"
ColorGray = "\033[90m"
ColorYellow = "\033[93m"
)
func Banner() {
fmt.Printf(`%s
.------..------..------..------..------..------..------.
|%s%sP%s%s.--. ||%s%sA%s%s.--. ||%s%sT%s%s.--. ||%s%sD%s%s.--. ||%s%sO%s%s.--. ||%s%sW%s%s.--. ||%s%sN%s%s.--. |
| :/\: || (\/) || :/\: || :/\: || :/\: || :/\: || :(): |
| (__) || :\/: || (__) || (__) || :\/: || :\/: || ()() |
| '--'P|| '--'A|| '--'T|| '--'D|| '--'O|| '--'W|| '--'N|
'------''------''------''------''------''------''------'
%s%s sincerely,
~ delorean%s
`, ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset)
}
func Usage() {
fmt.Fprintf(os.Stderr, `patdown usage:
(%s-t%s) - target domain
(%s-n%s) - specific nameserver to snoop, can be multiple
(%s-c%s) - concurrent threads [%s100%s]
(%s-s%s) - delay between queries, per thread, in milliseconds [%s100%s]
%se.g.%s
patdown -t supernets.org
patdown -n ns1.supernets.org -n ns2.supernets.org
patdown -t supernets.org -c 50 -s 500
`, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset)
}
var Vendors = map[string]string{
"Microsoft Defender for Endpoint": "\033[34mMicrosoft Defender for Endpoint\033[0m",
"VMWare Carbon Black": "\033[36mVMware\033[0m \033[90mCarbon Black\033[0m",
"CrowdStrike Falcon": "\033[31mCrowdStrike\033[0m \033[1mFalcon\033[0m",
"CheckPoint Harmony": "\033[35mCheckPoint\033[0m \033[1mHarmony\033[0m",
"Cybereason": "\033[93mCybereason\033[0m",
"Trellix": "\033[32mTrellix\033[0m",
"Palo Alto Networks": "\033[91mPalo Alto Networks\033[0m",
"SentinelOne": "\033[35mSentinelOne\033[0m",
"Symantec": "\033[93mSymantec\033[0m",
"Tanium": "\033[31mTanium\033[0m",
"Nextron Aurora": "\033[36mNextron\033[0m \033[90mAurora\033[0m",
"Trend Micro": "\033[31mTrend\033[0m \033[1mMicro\033[0m",
}
func Success(msg string) {
fmt.Printf(" %s~+~%s %s\n", ColorGreen, ColorReset, msg)
}
func Info(msg string) {
fmt.Printf(" %s~i~%s %s\n", ColorCyan, ColorReset, msg)
}
func Warning(msg string) {
fmt.Printf(" %s~!~%s %s\n", ColorYellow, ColorReset, msg)
}
func Error(msg string) {
fmt.Printf(" %s~x~%s %s\n", ColorRed, ColorReset, msg)
}
func Fatal(msg string) {
fmt.Printf(" %s~f~%s %s\n", ColorRed, ColorReset, msg)
os.Exit(-1)
}

View File

@ -1,96 +0,0 @@
package common
import (
"fmt"
"os"
)
func scan(nameservers []Nameserver, threads, delay int, recursive, single bool) {
queries := make(chan Query)
tab := make(chan interface{})
if !recursive {
Info(fmt.Sprintf("performing non-recursive lookups against %d resolvers...", len(nameservers)))
for i := 0; i < threads; i++ {
go RunQuery(queries, tab, delay)
}
for _, ns := range nameservers {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
} else {
Warn("recursive snooping can only be done once, as it populates the nameserver's cache")
Info(fmt.Sprintf("recursively snooping on %d resolvers...", len(nameservers)))
for i := 0; i < threads; i++ {
go RunQueryRA(queries, tab, delay)
}
if !single {
for _, ns := range nameservers {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
} else {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: nameservers[0].Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
}
close(queries)
}
func Takeoff(nameservers []Nameserver) {
var nonrns, rns []Nameserver
for _, ns := range nameservers {
if ns.Recursive {
rns = append(rns, ns)
}
if ns.NonRA {
nonrns = append(nonrns, ns)
}
}
if len(nonrns) == 0 && len(rns) == 0 {
Fatal("no valid nameservers available for probing, they may be down or they don't like your IP")
}
recursive := false
for {
if !recursive {
if len(nonrns) > 0 {
scan(nonrns, Params.Threads, Params.Delay, false, false)
} else {
for {
Info(fmt.Sprintf("non-recursive lookups not viable on these servers, perform recursive snooping? %s(less reliable, can only be done once per server)%s",
ColorRed, ColorReset))
fmt.Printf("%s `--(y/n):%s ", ColorCyan, ColorReset)
var input string
fmt.Scanln(&input)
if input == "y" {
recursive = true
break
}
if input == "n" {
os.Exit(0)
}
}
continue
}
} else {
autodetected := Params.Domain != "" && len(Params.Nservers) == 0
scan(rns, Params.Threads, Params.Delay, true, autodetected)
}
}
}

View File

@ -1,69 +0,0 @@
package common
import (
"fmt"
"os"
)
var (
ColorReset = "\033[0m"
ColorRed = "\033[31m"
ColorPurple = "\033[35m"
ColorLightBlue = "\033[34m"
ColorCyan = "\033[36m"
ColorGreen = "\033[32m"
ColorOrange = "\033[91m"
ColorGray = "\033[90m"
ColorYellow = "\033[93m"
ColorWhite = "\033[97m"
)
func Usage() {
Banner()
fmt.Printf(`
usage:
%s!%s d | target fqdn (not recommended)
%s!%s n | nameserver to query (can be specified multiple times)
v | enable verbosity %s[false]%s
t | threads %s[5]%s
s | delay between requests in milliseconds, per thread %s[250]%s
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
`, ColorRed, ColorReset, ColorRed, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset)
}
func Banner() {
fmt.Fprintf(os.Stderr, `
_______
_/_ / ---' ____)____
_ __. / __/ __ , , , ___ ______)
/_)_(_/|_<__(_/_(_)(_(_/_/ <_ _______)
/ _______)
' ---.__________)
`)
}
func Success(msg string) {
fmt.Printf("%s[+]%s %s\n", ColorGreen, ColorReset, msg)
}
func Info(msg string) {
fmt.Printf("%s[i]%s %s\n", ColorCyan, ColorReset, msg)
}
func Warn(msg string) {
fmt.Printf("%s[!]%s %s\n", ColorYellow, ColorReset, msg)
}
func Error(msg string) {
fmt.Printf("%s[x]%s %s\n", ColorRed, ColorReset, msg)
}
func Fatal(msg string) {
fmt.Printf("%s[f]%s %s\n", ColorRed, ColorReset, msg)
os.Exit(-1)
}

View File

@ -1,140 +0,0 @@
package common
import (
"fmt"
"time"
"github.com/miekg/dns"
)
type Query struct {
Nameserver string
Vendor string
DomainPair Pair
}
type Nameserver struct {
Nameserver string
NonRA bool
Recursive bool
}
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{
Name: dns.Fqdn(domain),
Qtype: reqtype,
Qclass: dns.ClassINET,
}
return msg
}
func ParseNS(nameservers []string) []Nameserver {
var valid []Nameserver
msg := message("cloudflare.com", dns.TypeA, false)
for _, ns := range nameservers {
nonra, ra := false, false
in, err := dns.Exchange(msg, ns+":53")
if err != nil {
Error(fmt.Sprintf("nameserver %s%s%s is not responding to the trial query", ColorGray, ns[0:len(ns)-1], ColorReset))
continue
}
if in.Rcode == dns.RcodeRefused {
Warn(fmt.Sprintf("nameserver %s%s%s refused the trial non-recursive query", ColorGray, ns[0:len(ns)-1], ColorReset))
} else {
Success(fmt.Sprintf("nameserver %s%s%s allows non-recursive queries", ColorGray, ns[0:len(ns)-1], ColorReset))
nonra = true
}
if in.RecursionAvailable {
Success(fmt.Sprintf("nameserver %s%s%s allows recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
ra = true
} else {
Warn(fmt.Sprintf("nameserver %s%s%s does not allow recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
}
valid = append(valid, Nameserver{Nameserver: ns, NonRA: nonra, Recursive: ra})
}
return valid
}
func NeutralReq() bool {
msg := message("supernets.org", dns.TypeA, true)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func PullNS(d string) []string {
nsmsg := message(d, dns.TypeNS, true)
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
if err != nil {
Fatal("unable to retrieve nameservers for " + d)
}
nameservers := []string{}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
nameservers = append(nameservers, ns.Ns)
}
}
return nameservers
}
func RunQuery(q <-chan Query, tracker chan<- interface{}, delay int) {
for qdata := range q {
if Params.Verbose {
Info(fmt.Sprintf("querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
}
msg := message(qdata.DomainPair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
if err != nil {
Error(err.Error())
continue
}
if len(in.Answer) > 0 {
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s",
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset))
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}
func RunQueryRA(q <-chan Query, tracker chan<- interface{}, delay int) {
for qdata := range q {
if Params.Verbose {
Info(fmt.Sprintf("recursively querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
}
for x := 0; x < 2; x++ {
msg := message(qdata.DomainPair.Domain, dns.TypeA, true)
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
if err != nil {
Error("hiccup on " + qdata.Nameserver[0:len(qdata.Nameserver)-1] + " while querying " + qdata.DomainPair.Domain)
time.Sleep(2 * time.Second)
continue
}
if len(in.Answer) > 0 {
if in.Answer[0].Header().Ttl <= qdata.DomainPair.TTL-4 {
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s with decremented TTL of %s%d%s",
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset, ColorGreen, in.Answer[0].Header().Ttl, ColorReset))
}
}
break
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}

View File

@ -1,483 +1,287 @@
package common package common
import "fmt" var Domains = map[string]string{
type Pair struct {
Domain string
TTL uint32
}
var Vendors = map[string][]Pair{
fmt.Sprintf("%sMicrosoft Defender for Endpoint%s", ColorCyan, ColorReset): domains_microsoft,
fmt.Sprintf("%sVMWare%s Carbon Black%s", ColorCyan, ColorGray, ColorReset): domains_carbonblack,
fmt.Sprintf("%sCrowdStrike Falcon%s", ColorRed, ColorReset): domains_crowdstrike,
fmt.Sprintf("%sCheck Point Harmony%s", ColorPurple, ColorReset): domains_checkpoint,
fmt.Sprintf("%sCybereason%s", ColorYellow, ColorReset): domains_cybereason,
fmt.Sprintf("%sTrellix%s", ColorCyan, ColorReset): domains_trellix,
fmt.Sprintf("%sCortex XDR%s", ColorOrange, ColorReset): domains_paloalto,
fmt.Sprintf("%sSentinelOne Singularity%s", ColorPurple, ColorReset): domains_sentinelone,
fmt.Sprintf("%sSymantec Endpoint Security%s", ColorYellow, ColorReset): domains_symantec,
fmt.Sprintf("%sTanium%s", ColorRed, ColorReset): domains_tanium,
fmt.Sprintf("%sNextron%s Aurora%s", ColorCyan, ColorGreen, ColorReset): domains_aurora,
fmt.Sprintf("%sTrend Micro Endpoint Sensor%s", ColorRed, ColorReset): domains_trendmicro,
fmt.Sprintf("%sRapid7%s InsightIDR", ColorOrange, ColorReset): domains_rapid7,
}
// Microsoft Defender for Endpoint // Microsoft Defender for Endpoint
//https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls //https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
var domains_microsoft = []Pair{ "security.microsoft.com": "Microsoft Defender for Endpoint",
{"download.microsoft.com", 3600}, // not certain "download.microsoft.com": "Microsoft Defender for Endpoint",
{"go.microsoft.com", 3600}, // not certain "ussus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"security.microsoft.com", 3600}, "ussus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"settings-win.data.microsoft.com", 3600}, // not certain "ussus3eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"windowsupdate.com", 300}, "ussus4eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"ctldl.windowsupdate.com", 3600}, // not certain "wsus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"wdcp.microsoft.com", 3600}, "wsus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"wd.microsoft.com", 300}, "ussus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"wdcpalt.microsoft.com", 3600}, "ussus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"checkappexec.microsoft.com", 3600}, // not certain "ussus3westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"smartscreen-prod.microsoft.com", 3600}, "ussus4westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"vortex-win.data.microsoft.com", 120}, "wsus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"update.microsoft.com", 3600}, // not certain "wsus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"download.windowsupdate.com", 3600}, // not certain "usseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"definitionupdates.microsoft.com", 3600}, "wseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
// {"delivery.mp.microsoft.com", 0}, "usseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
// {"fe3cr.delivery.mp.microsoft.com", 0}, "wseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"ussus2westprod.blob.core.windows.net", 60}, "ussuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"ussus1westprod.blob.core.windows.net", 60}, "wsuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"wsus2westprod.blob.core.windows.net", 60}, "ussuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"wseu1northprod.blob.core.windows.net", 60}, "wsuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
{"wsus2eastprod.blob.core.windows.net", 60}, "settings-win.data.microsoft.com": "Microsoft Defender for Endpoint",
{"ussus3westprod.blob.core.windows.net", 60}, "vortex-win.data.microsoft.com": "Microsoft Defender for Endpoint",
{"wsus1eastprod.blob.core.windows.net", 60}, "go.microsoft.com": "Microsoft Defender for Endpoint",
{"wsuk1westprod.blob.core.windows.net", 60}, "ctldl.windowsupdate.com": "Microsoft Defender for Endpoint",
{"ussus2eastprod.blob.core.windows.net", 60}, "windowsupdate.com": "Microsoft Defender for Endpoint",
{"usseu1northprod.blob.core.windows.net", 60},
{"wsus1westprod.blob.core.windows.net", 60},
{"usseu1westprod.blob.core.windows.net", 60},
{"ussus1eastprod.blob.core.windows.net", 60},
{"ussuk1westprod.blob.core.windows.net", 60},
{"ussus4eastprod.blob.core.windows.net", 60},
{"wseu1westprod.blob.core.windows.net", 60},
{"ussuk1southprod.blob.core.windows.net", 60},
{"ussus3eastprod.blob.core.windows.net", 60},
{"ussus4westprod.blob.core.windows.net", 60},
{"wsuk1southprod.blob.core.windows.net", 60},
}
// VMWare Carbon Black // VMWare Carbon Black
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls // https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
// https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.8.0/cb-edr-scm-guide/GUID-3117FB54-5D0F-46C1-8372-BF3784D27CFF.html "carbonblack.com": "VMWare Carbon Black",
// restricted: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-Ports-must-be-opened-on-the-Firewall-and-Proxy/ta-p/36295 "carbonblack.io": "VMWare Carbon Black",
var domains_carbonblack = []Pair{ "defense-eap01.conferdeploy.net": "VMWare Carbon Black",
{"defense-prod05.conferdeploy.net", 60}, "dashboard.confer.net": "VMWare Carbon Black",
{"console.cloud.vmware.com", 60}, "defense.conferdeploy.net": "VMWare Carbon Black",
{"updates2.cdc.carbonblack.io", 300}, "defense-prod05.conferdeploy.net": "VMWare Carbon Black",
{"dashboard.confer.net", 300}, "defense-eu.conferdeploy.net": "VMWare Carbon Black",
{"console.cloud-us-gov.vmware.com", 300}, "defense-prodnrt.conferdeploy.net": "VMWare Carbon Black",
{"ew2.carbonblackcloud.vmware.com", 30}, "defense-prodsyd.conferdeploy.net": "VMWare Carbon Black",
{"defense.conferdeploy.net", 60}, "ew2.carbonblackcloud.vmware.com": "VMWare Carbon Black",
{"carbonblack.io", 60}, "gprd1usgw1.carbonblack-us-gov.vmware.com": "VMWare Carbon Black",
{"carbonblack.vmware.com", 86400}, "updates.cdc.carbonblack.io": "VMWare Carbon Black",
{"defense-prodnrt.conferdeploy.net", 60}, "updates2.cdc.carbonblack.io": "VMWare Carbon Black",
{"updates.cdc.carbonblack.io", 60}, "carbonblack.vmware.com": "VMWare Carbon Black",
{"gprd1usgw1.carbonblack-us-gov.vmware.com", 3600}, "console.cloud-us-gov.vmware.com": "VMWare Carbon Black",
{"defense-prodsyd.conferdeploy.net", 60}, "console.cloud.vmware.com": "VMWare Carbon Black",
{"carbonblack.com", 300},
{"defense-eap01.conferdeploy.net", 60},
{"defense-eu.conferdeploy.net", 60},
{"api.alliance.carbonblack.com", 600},
{"api2.alliance.carbonblack.com", 600},
{"threatintel.bit9.com", 3600},
{"yum.distro.carbonblack.io", 300},
}
// CrowdStrike Falcon // CrowdStrike Falcon
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements // https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
var domains_crowdstrike = []Pair{ "crowdstrike.com": "CrowdStrike Falcon",
{"falcon.us-2.crowdstrike.com", 120}, "ts01-b.cloudsink.net": "CrowdStrike Falcon",
{"falcon.crowdstrike.com", 60}, "lfodown01-b.cloudsink.net": "CrowdStrike Falcon",
{"ts01-gyr-maverick.cloudsink.net", 60}, "lfoup01-b.cloudsink.net": "CrowdStrike Falcon",
// {"us-gov-2.crowdstrike.com", 0}, "falcon.crowdstrike.com": "CrowdStrike Falcon",
{"api.crowdstrike.com", 300}, "assets.falcon.crowdstrike.com": "CrowdStrike Falcon",
{"ts01-b.cloudsink.net", 1800}, "assets-public.falcon.crowdstrike.com": "CrowdStrike Falcon",
// {"firehose.us-gov-2.crowdstrike.com", 0}, "api.crowdstrike.com": "CrowdStrike Falcon",
{"assets.falcon.eu-1.crowdstrike.com", 120}, "firehose.crowdstrike.com": "CrowdStrike Falcon",
{"api.eu-1.crowdstrike.com", 60}, "ts01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
{"lfodown01-b.cloudsink.net", 1800}, "lfodown01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
{"assets-public.falcon.crowdstrike.com", 60}, "lfoup01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
{"assets.falcon.us-2.crowdstrike.com", 120}, "falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
{"api.us-2.crowdstrike.com", 120}, "assets.falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
{"assets-public.us-2.falcon.crowdstrike.com", 120}, "assets-public.us-2.falcon.crowdstrike.com": "CrowdStrike Falcon",
{"firehose.laggar.gcw.crowdstrike.com", 60}, "api.us-2.crowdstrike.com": "CrowdStrike Falcon",
{"ts01-lanner-lion.cloudsink.net", 60}, "firehose.us-2.crowdstrike.com": "CrowdStrike Falcon",
{"lfoup01-lanner-lion.cloudsink.net", 1800}, "ts01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
{"assets-public.falcon.eu-1.crowdstrike.com", 120}, "sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
{"crowdstrike.com", 300}, "lfodown01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
{"lfoup01-gyr-maverick.cloudsink.net", 1800}, "ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
{"lfoup01-b.cloudsink.net", 1800}, "falcon.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
{"ts01-laggar-gcw.cloudsink.net", 60}, "laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
{"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com", 60}, "api.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
{"ts01-us-gov-2.cloudsink.net", 1800}, "firehose.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
{"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com", 60}, "falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
{"assets.falcon.crowdstrike.com", 60}, "ts01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
{"lfodown01-lanner-lion.cloudsink.net", 60}, "lfodown01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
{"falcon.laggar.gcw.crowdstrike.com", 60}, "api.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
{"firehose.us-2.crowdstrike.com", 120}, "firehose.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
{"firehose.eu-1.crowdstrike.com", 120}, "ts01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
{"lfodown01-laggar-gcw.cloudsink.net", 60}, "lfodown01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
{"api.laggar.gcw.crowdstrike.com", 60}, "lfoup01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
{"lfodown01-gyr-maverick.cloudsink.net", 60}, "assets.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
{"lfodown01-us-gov-2.cloudsink.net", 1800}, "assets-public.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
{"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com", 60}, "api.eu-1.crowdstrike.com": "CrowdStrike Falcon",
{"firehose.crowdstrike.com", 300}, "firehose.eu-1.crowdstrike.com": "CrowdStrike Falcon",
{"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com", 60},
}
// Harmony / CheckPoint // Harmony / CheckPoint
// https://support.checkpoint.com/results/sk/sk116590 // https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590
var domains_checkpoint = []Pair{ "checkpoint.com": "CheckPoint Harmony",
{"rep.checkpoint.com", 1800}, "us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": "CheckPoint Harmony",
{"threat-emulation.checkpoint.com", 1800}, "europe-west1-datatube-240519.cloudfunctions.net": "CheckPoint Harmony",
{"sc1.checkpoint.com", 1800}, "datatube-prod.azurewebsites.net": "CheckPoint Harmony",
{"gwevents.checkpoint.com", 300}, "epmgmt.checkpoint.com": "CheckPoint Harmony",
{"gwevents.us.checkpoint.com", 180}, "endpoint-cdn.epmgmt.checkpoint.com": "CheckPoint Harmony",
{"endpoint-cdn.epmgmt.checkpoint.com", 300}, "ep-repo.epmgmt.checkpoint.com": "CheckPoint Harmony",
// {"checkpoint.com", 25}, <- dynamic ttl "epm-gw-eu.epmgmt.checkpoint.com": "CheckPoint Harmony",
{"kav8.checkpoint.com", 1800}, "file-rep.iaas.checkpoint.com": "CheckPoint Harmony",
{"cloudinfra-gw.portal.checkpoint.com", 60}, "url-rep.iaas.checkpoint.com": "CheckPoint Harmony",
{"datatube-prod.azurewebsites.net", 30}, "threatcloud.iaas.checkpoint.com": "CheckPoint Harmony",
{"updates.checkpoint.com", 1800}, "te.iaas.checkpoint.com": "CheckPoint Harmony",
{"ep-repo.epmgmt.checkpoint.com", 300}, "sba-data-collection.iaas.checkpoint.com": "CheckPoint Harmony",
{"file-rep.iaas.checkpoint.com", 60}, "iaas.checkpoint.com": "CheckPoint Harmony",
{"threatcloud.iaas.checkpoint.com", 60}, "cws.checkpoint.com": "CheckPoint Harmony",
{"dl3.checkpoint.com", 1800}, "rep.checkpoint.com": "CheckPoint Harmony",
{"secureupdates.checkpoint.com", 1800}, "te.checkpoint.com": "CheckPoint Harmony",
{"epm-gw-eu.epmgmt.checkpoint.com", 86400}, "threat-emulation.checkpoint.com": "CheckPoint Harmony",
{"url-rep.iaas.checkpoint.com", 60}, "kav8.checkpoint.com": "CheckPoint Harmony",
{"te.iaas.checkpoint.com", 60}, "secureupdates.checkpoint.com": "CheckPoint Harmony",
{"services.checkpoint.com", 1800}, "sc1.checkpoint.com": "CheckPoint Harmony",
{"europe-west1-datatube-240519.cloudfunctions.net", 300}, "updates.checkpoint.com": "CheckPoint Harmony",
{"cws.checkpoint.com", 1800}, "dl3.checkpoint.com": "CheckPoint Harmony",
{"teadv.checkpoint.com", 1800}, "cloudinfra-gw.portal.checkpoint.com": "CheckPoint Harmony",
{"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net", 300}, "gwevents.checkpoint.com": "CheckPoint Harmony",
{"te.checkpoint.com", 1800}, "teadv.checkpoint.com": "CheckPoint Harmony",
{"hap2.epmgmt.checkpoint.com", 300}, "services.checkpoint.com": "CheckPoint Harmony",
{"hap21.epmgmt.checkpoint.com", 300},
{"hap5.epmgmt.checkpoint.com", 300},
{"hap51.epmgmt.checkpoint.com", 300},
{"hap1.epmgmt.checkpoint.com", 300},
{"hap11.epmgmt.checkpoint.com", 300},
{"hap3.epmgmt.checkpoint.com", 300},
{"hap31.epmgmt.checkpoint.com", 300},
{"hap4.epmgmt.checkpoint.com", 300},
{"hap41.epmgmt.checkpoint.com", 300},
{"ftp-proxy.checkpoint.com", 1800},
{"web-rep.checkpoint.com", 1800},
}
// Cybereason // Cybereason
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html // https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
var domains_cybereason = []Pair{ "cybereason.com": "Cybereason",
{"data-epgw-eu-west-1.cybereason.net", 300}, "probe-dist.cybereason.net": "Cybereason",
{"probe-dist-asia-northeast-1.cybereason.net", 60}, "data-epgw.cybereason.net": "Cybereason",
{"data-epgw-asia-northeast-1.cybereason.net", 300}, "probe-dist-eu-west-1.cybereason.net": "Cybereason",
{"probe-dist.cybereason.net", 300}, "data-epgw-eu-west-1.cybereason.net": "Cybereason",
{"probe-dist-eu-west-1.cybereason.net", 300}, "probe-dist-asia-northeast-1.cybereason.net": "Cybereason",
{"probe-dist-dns.cybereason.net", 3600}, "data-epgw-asia-northeast-1.cybereason.net": "Cybereason",
{"data-epgw.cybereason.net", 300},
{"cybereason.com", 600},
}
// FireEye / Trellix // FireEye / Trellix
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878 // https://kcm.trellix.com/corporate/index?page=content&id=KB90878
var domains_trellix = []Pair{ "api.manage.trellix.com": "Trellix",
{"epo.trellix.com", 300}, "uam.api.trellix.com": "Trellix",
{"s-download.trellix.com", 300}, "cdn-usw001.manage.trellix.com": "Trellix",
{"lc.trellix.com", 300}, "sw-usw001.manage.trellix.com": "Trellix",
{"manage.trellix.com", 60}, "cdn-usw002.manage.trellix.com": "Trellix",
{"cds-usw001.manage.trellix.com", 60}, "sw-usw002.manage.trellix.com": "Trellix",
{"cdn-usw002.manage.trellix.com", 60}, "cdn-usw003.manage.trellix.com": "Trellix",
{"cdn-usw001.manage.trellix.com", 60}, "sw-usw003.manage.trellix.com": "Trellix",
{"cdn-usw003.manage.trellix.com", 60}, "cdn-usw004.manage.trellix.com": "Trellix",
{"auth.ui.trellix.com", 60}, "sw-usw004.manage.trellix.com": "Trellix",
{"uam.api.trellix.com", 60}, "cdn-sgp001.manage.trellix.com": "Trellix",
{"api.manage.trellix.com", 60}, "sw-sgp001.manage.trellix.com": "Trellix",
{"cds-usw002.manage.trellix.com", 60}, "cdn-eu001.manage.trellix.com": "Trellix",
{"trellix.com", 60}, "sw-eu001.manage.trellix.com": "Trellix",
{"dxlweb-usw001.manage.trellix.com", 60}, "cdn-au001.manage.trellix.com": "Trellix",
{"cds-usw003.manage.trellix.com", 60}, "sw-au001.manage.trellix.com": "Trellix",
{"cdn-sgp001.manage.trellix.com", 60}, "cdn-ind001.manage.trellix.com": "Trellix",
{"dxlweb-usw002.manage.trellix.com", 60}, "sw-ind001.manage.trellix.com": "Trellix",
{"cdn-ind001.manage.trellix.com", 60}, "cds-usw001.manage.trellix.com": "Trellix",
{"dxl-usw002.manage.trellix.com", 60}, "cds-usw002.manage.trellix.com": "Trellix",
{"dxl-usw001.manage.trellix.com", 60}, "cds-usw003.manage.trellix.com": "Trellix",
{"dxlweb-usw003.manage.trellix.com", 60}, "cds-usw004.manage.trellix.com": "Trellix",
{"cds-usw004.manage.trellix.com", 60}, "dxl-usw001.manage.trellix.com": "Trellix",
{"cdn-au001.manage.trellix.com", 60}, "dxl-usw002.manage.trellix.com": "Trellix",
{"dxlweb-usw004.manage.trellix.com", 60}, "dxl-usw003.manage.trellix.com": "Trellix",
{"cdn-usw004.manage.trellix.com", 60}, "dxl-usw004.manage.trellix.com": "Trellix",
{"dxl-usw004.manage.trellix.com", 60}, "dxlweb-usw001.manage.trellix.com": "Trellix",
{"dxl-usw003.manage.trellix.com", 60}, "dxlweb-usw002.manage.trellix.com": "Trellix",
{"cdn-eu001.manage.trellix.com", 60}, "dxlweb-usw003.manage.trellix.com": "Trellix",
{"iam.cloud.trellix.com", 10}, "dxlweb-usw004.manage.trellix.com": "Trellix",
{"iam-rs.cloud.trellix.com", 10},
{"gsd.cloud.trellix.com", 10},
{"d2c-us-west-2.manage.trellix.com", 60},
{"d2c-eu-central-1.manage.trellix.com", 60},
{"dxlweb-sgp001.manage.trellix.com", 60},
{"dxl-sgp001.manage.trellix.com", 60},
{"dxl-eu001.manage.trellix.com", 60},
{"dxlweb-eu001.manage.trellix.com", 60},
{"dxl-au001.manage.trellix.com", 60},
{"dxlweb-au001.manage.trellix.com", 60},
{"dxl-ind001.manage.trellix.com", 60},
{"dxlweb-ind001.manage.trellix.com", 60},
{"ui-usw001.manage.trellix.com", 60},
{"ui-usw002.manage.trellix.com", 60},
{"ui-usw003.manage.trellix.com", 60},
{"ui-usw004.manage.trellix.com", 60},
{"ui-sgp001.manage.trellix.com", 60},
{"ui-eu001.manage.trellix.com", 60},
{"ui-au001.manage.trellix.com", 60},
{"ui-ind001.manage.trellix.com", 60},
{"ah-usw001.manage.trellix.com", 60},
{"ah-usw002.manage.trellix.com", 60},
{"ah-usw003.manage.trellix.com", 60},
{"ah-usw004.manage.trellix.com", 60},
{"ah-sgp001.manage.trellix.com", 60},
{"ah-eu001.manage.trellix.com", 60},
{"ah-au001.manage.trellix.com", 60},
{"ah-ind001.manage.trellix.com", 60},
}
// Cortex XDR / Palo Alto Networks // Cortex XDR / Palo Alto Networks
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access // https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
var domains_paloalto = []Pair{ "paloaltonetworks.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-au.storage.googleapis.com", 300}, "lrc-us.paloaltonetworks.com": "Palo Alto Networks",
{"lrc-eu.paloaltonetworks.com", 14400}, "lrc-eu.paloaltonetworks.com": "Palo Alto Networks",
{"global-content-profiles-policy.storage.googleapis.com", 300}, "lrc-ca.paloaltonetworks.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-uk.storage.googleapis.com", 300}, "lrc-uk.paloaltonetworks.com": "Palo Alto Networks",
{"lrc-ch.paloaltonetworks.com", 14400}, "lrc-jp.paloaltonetworks.com": "Palo Alto Networks",
{"lrc-jp.paloaltonetworks.com", 14400}, "lrc-sg.paloaltonetworks.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-qt.storage.googleapis.com", 300}, "lrc-au.paloaltonetworks.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-pl.storage.googleapis.com", 300}, "lrc-de.paloaltonetworks.com": "Palo Alto Networks",
{"pendo-static-5664029141630976.storage.googleapis.com", 300}, "lrc-in.paloaltonetworks.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-sg.storage.googleapis.com", 300}, "lrc-ch.paloaltonetworks.com": "Palo Alto Networks",
{"lrc-uk.paloaltonetworks.com", 14400}, "lrc-pl.paloaltonetworks.com": "Palo Alto Networks",
{"lrc-us.paloaltonetworks.com", 14400}, "lrc-tw.paloaltonetworks.com": "Palo Alto Networks",
{"lrc-tw.paloaltonetworks.com", 1800}, "lrc-qt.paloaltonetworks.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-eu.storage.googleapis.com", 300}, "lrc-fa.paloaltonetworks.com": "Palo Alto Networks",
{"lrc-ca.paloaltonetworks.com", 14400}, "panw-xdr-evr-prod-us.storage.googleapis.com": "Palo Alto Networks",
{"paloaltonetworks.com", 30}, "panw-xdr-evr-prod-eu.storage.googleapis.com": "Palo Alto Networks",
// {"lrc-fa.paloaltonetworks.com", 14400}, "panw-xdr-evr-prod-ca.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-in.storage.googleapis.com", 300}, "panw-xdr-evr-prod-uk.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-fa.storage.googleapis.com", 300}, "panw-xdr-evr-prod-jp.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-ca.storage.googleapis.com", 300}, "panw-xdr-evr-prod-sg.storage.googleapis.com": "Palo Alto Networks",
{"lrc-pl.paloaltonetworks.com", 14400}, "panw-xdr-evr-prod-au.storage.googleapis.com": "Palo Alto Networks",
{"lrc-qt.paloaltonetworks.com", 300}, "panw-xdr-evr-prod-de.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-us.storage.googleapis.com", 300}, "panw-xdr-evr-prod-in.storage.googleapis.com": "Palo Alto Networks",
{"lrc-de.paloaltonetworks.com", 300}, "panw-xdr-evr-prod-ch.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-installers-prod-us.storage.googleapis.com", 300}, "panw-xdr-evr-prod-pl.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-ch.storage.googleapis.com", 300}, "panw-xdr-evr-prod-tw.storage.googleapis.com": "Palo Alto Networks",
{"lrc-in.paloaltonetworks.com", 14400}, "panw-xdr-evr-prod-qt.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-de.storage.googleapis.com", 300}, "panw-xdr-evr-prod-fa.storage.googleapis.com": "Palo Alto Networks",
{"lrc-au.paloaltonetworks.com", 14400}, "panw-xdr-installers-prod-us.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-tw.storage.googleapis.com", 300}, "panw-xdr-payloads-prod-us.storage.googleapis.com": "Palo Alto Networks",
{"login.paloaltonetworks.com", 14400}, "global-content-profiles-policy.storage.googleapis.com": "Palo Alto Networks",
{"lrc-sg.paloaltonetworks.com", 14400}, "login.paloaltonetworks.com": "Palo Alto Networks",
{"panw-xdr-evr-prod-jp.storage.googleapis.com", 300}, "pendo-static-5664029141630976.storage.googleapis.com": "Palo Alto Networks",
{"panw-xdr-payloads-prod-us.storage.googleapis.com", 300},
{"distributions.traps.paloaltonetworks.com", 300},
{"distributions-prod-fed.traps.paloaltonetworks.com", 300},
{"cortex-gateway.paloaltonetworks.com", 30},
{"gw-app-proxy.us.paloaltonetworks.com", 300},
{"xdr-ova-installers-prod-us.storage.googleapis.com", 300},
{"identity.paloaltonetworks.com", 300},
{"identity.gslb.paloaltonetworks.com", 5},
{"identity.gcp.gslb.paloaltonetworks.com", 5},
{"lrc-fed.paloaltonetworks.com", 14400},
{"panw-xdr-installers-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-payloads-prod-fr.storage.googleapis.com", 300},
{"global-content-profiles-policy-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-fr.storage.googleapis.com", 300},
{"app-proxy.federal.paloaltonetworks.com", 300},
}
// Singularity / SentinelOne // Singularity / SentinelOne
var domains_sentinelone = []Pair{ "sentinelone.com": "SentinelOne",
{"eu1-oauth.mobile.sentinelone.net", 300}, "xdr.intus1.sentinelone.net": "SentinelOne",
{"eu1-qi.mobile.sentinelone.net", 300}, "console.mobile.sentinelone.net": "SentinelOne",
{"console.mobile.sentinelone.net", 300}, "content.mobile.sentinelone.net": "SentinelOne",
{"sentinelone.com", 300}, "device-api.mobile.sentinelone.net": "SentinelOne",
{"eu1-console.mobile.sentinelone.net", 300}, "eu1-acceptor.mobile.sentinelone.net": "SentinelOne",
{"eu1-content.mobile.sentinelone.net", 300}, "eu1-console.mobile.sentinelone.net": "SentinelOne",
{"panel.mobile.sentinelone.net", 300}, "eu1-content.mobile.sentinelone.net": "SentinelOne",
{"oauth.mobile.sentinelone.net", 300}, "eu1-device-api.mobile.sentinelone.net": "SentinelOne",
{"xdr.intus1.sentinelone.net", 60}, "eu1-oauth.mobile.sentinelone.net": "SentinelOne",
{"eu1-device-api.mobile.sentinelone.net", 300}, "eu1-panel.mobile.sentinelone.net": "SentinelOne",
{"eu1-vpc.mobile.sentinelone.net", 300}, "eu1-qi.mobile.sentinelone.net": "SentinelOne",
{"eu1-acceptor.mobile.sentinelone.net", 300}, "eu1-token.mobile.sentinelone.net": "SentinelOne",
{"login.sentinelone.net", 300}, "eu1-vpc.mobile.sentinelone.net": "SentinelOne",
{"device-api.mobile.sentinelone.net", 300}, "ut.sentinelone.net": "SentinelOne",
{"eu1-panel.mobile.sentinelone.net", 300}, "oauth.mobile.sentinelone.net": "SentinelOne",
{"eu1-token.mobile.sentinelone.net", 300}, "panel.mobile.sentinelone.net": "SentinelOne",
{"content.mobile.sentinelone.net", 300},
{"ut.sentinelone.net", 300},
}
// Symantec / Broadcom // Symantec / Broadcom
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Getting-Started/urls-to-whitelist-for-v129099891-d4155e9710.html // https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
var domains_symantec = []Pair{ "symantec.com": "Symantec",
{"liveupdate.symantec.com", 3600}, "remotetunnel1.edrc.symantec.com": "Symantec",
{"liveupdate.symantecliveupdate.com", 600}, "remotetunnel2.edrc.symantec.com": "Symantec",
{"shasta-rrs.symantec.com", 1800}, "remotetunnel3.edrc.symantec.com": "Symantec",
{"ent-shasta-rrs.symantec.com", 1800}, "remotetunnel4.edrc.symantec.com": "Symantec",
{"ent-shasta-mr-clean.symantec.com", 1800}, "remotetunnel5.edrc.symantec.com": "Symantec",
{"symantec.com", 600}, "api-gateway.symantec.com": "Symantec",
{"sp.cwfservice.net", 600}, "liveupdate.symantec.com": "Symantec",
{"us.spoc.securitycloud.symantec.com", 600}, "ratings-wrs.symantec.com": "Symantec",
{"eu.spoc.securitycloud.symantec.com", 600}, "stnd-avpg.crsi.symantec.com": "Symantec",
{"in.spoc.securitycloud.symantec.com", 3600}, "stnd-ipsg.crsi.symantec.com": "Symantec",
{"telemetry.broadcom.com", 3600}, "central.b6.crsi.symantec.com": "Symantec",
{"tses.broadcom.com", 30}, "bash-avpg.crsi.symantec.com": "Symantec",
{"central.b6.crsi.symantec.com", 1800}, "swupdate.brightmail.com": "Symantec",
{"central.ss.crsi.symantec.com", 1800}, "shasta-rrs.symantec.com": "Symantec",
{"central.nrsi.symantec.com", 1800}, "shasta-mrs.symantec.com": "Symantec",
{"central.avsi.symantec.com", 1800}, "datafeedapi.symanteccloud.com": "Symantec",
{"central.crsi.symantec.com", 1800}, "telemetry.broadcom.com": "Symantec",
{"shasta-mrs.symantec.com", 1800}, "sso1.edrc.symantec.com": "Symantec",
{"shasta-clt.symantec.com", 1800},
{"stnd-avpg.crsi.symantec.com", 1800},
{"avs-avpg.crsi.symantec.com", 1800},
{"stnd-ipsg.crsi.symantec.com ", 1800},
{"bash-avpg.crsi.symantec.com", 1800},
{"tus1gwynwapex01.symantec.com", 3600},
{"pod.threatpulse.com", 120},
{"faults.qalabs.symantec.com", 1800},
{"faults.symantec.com", 1800},
{"linux-repo-us.securityalliance.cloud", 86400},
{"usea1.r3.securitycloud.symantec.com", 3600},
{"euws1.r3.securitycloud.symantec.com", 3600},
{"inso1.r3.securitycloud.symantec.com", 3600},
{"datafeedapi.symanteccloud.com", 300},
{"us.spoc.securitycloud.symantec.com", 600},
{"eu.spoc.securitycloud.symantec.com ", 600},
{"in.spoc.securitycloud.symantec.com", 3600},
{"uploads.sep.securitycloud.symantec.com", 3600},
{"uploads.sep.eu.securitycloud.symantec.com ", 3600},
{"uploads.sep.in.securitycloud.symantec.com", 3600},
{"ws.securitycloud.symantec.com", 600},
{"bds.securitycloud.symantec.com", 600},
{"ws.eu.securitycloud.symantec.com", 3600},
{"bds.eu.securitycloud.symantec.com", 3600},
{"ws.in.securitycloud.symantec.com ", 3600},
{"bds.in.securitycloud.symantec.com", 3600},
{"cdn.sepmobile.securitycloud.symantec.com", 300},
{"mitm.sepmobile.securitycloud.symantec.com", 300},
{"services-prod.symantec.com", 600},
{"sep.securitycloud.symantec.com", 3600},
{"sep.eu.securitycloud.symantec.com", 3600},
{"sep.in.securitycloud.symantec.com", 3600},
{"avagoext.okta.com", 300},
{"accounts.saas.broadcomcloud.com", 3600},
{"api.sep.securitycloud.symantec.com", 86400},
{"api.sep.eu.securitycloud.symantec.com", 3600},
{"api.sep.in.securitycloud.symantec.com", 3600},
{"knowledge.broadcom.com", 3600},
{"support.broadcom.com", 300},
{"casupport.broadcom.com", 300},
{"login.broadcom.com", 3600},
{"ced.broadcom.com", 3600},
{"ratings-wrs.symantec.com", 3600},
{"api-gateway.symantec.com", 3600},
{"swupdate.brightmail.com", 3600},
{"licensing.dmas.symantec.com", 3600},
{"api.us.dmas.symantec.com", 300},
{"api.eu.dmas.symantec.com", 300},
}
// Tanium // Tanium
var domains_tanium = []Pair{ "tanium.com": "Tanium",
{"content.tanium.com", 300}, "shared.prd-int-manage.mdm.cloud.tanium.com": "Tanium",
{"docs-es.tanium.com", 300}, "shared.prd-int.mdm.cloud.tanium.com": "Tanium",
{"docs-fr.tanium.com", 300}, "shared.prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
{"tanium.com", 300}, "shared.prd-us-1.mdm.cloud.tanium.com": "Tanium",
{"go2.tanium.com", 300}, "prd-int-manage.mdm.cloud.tanium.com": "Tanium",
{"learn.tanium.com", 300}, "prd-int.mdm.cloud.tanium.com": "Tanium",
{"som.cloud.tanium.com", 60}, "prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
{"download.tanium.com", 300}, "prd-us-1.mdm.cloud.tanium.com": "Tanium",
{"fnf-api.cloud.tanium.com", 60}, "prd.mdm.cloud.tanium.com": "Tanium",
{"community.tanium.com", 300}, "jp.tanium.com": "Tanium",
{"3.distribute.cloud.tanium.com", 300}, "docs-es.tanium.com": "Tanium",
{"content.tanium.com", 300}, "docs-fr.tanium.com": "Tanium",
{"help.tanium.com", 300}, "docs-ko.tanium.com": "Tanium",
{"docs.tanium.com", 300},
{"moveit.tanium.com", 300},
{"kb.tanium.com", 300},
}
// Aurora // Aurora
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html // https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
var domains_aurora = []Pair{ "update-102.nextron-systems.com": "Nextron Aurora",
{"update-aurora.nextron-systems.com", 60}, "update-201.nextron-systems.com": "Nextron Aurora",
{"update-102.nextron-systems.com", 60}, "update-202.nextron-systems.com": "Nextron Aurora",
{"update-202.nextron-systems.com", 60}, "update-aurora.nextron-systems.com": "Nextron Aurora",
{"update-201.nextron-systems.com", 60}, "update-lite.nextron-systems.com": "Nextron Aurora",
{"update-lite.nextron-systems.com", 60},
}
// Trend Micro // Trend Micro
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002 // https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/ // https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
var domains_trendmicro = []Pair{ "api.eu.nacloud.trendmicro.com": "Trend Micro",
{"xdr.trendmicro.co.jp", 60}, "api.jp.nacloud.trendmicro.com": "Trend Micro",
{"files.trendmicro.com", 1800}, "api.sg.nacloud.trendmicro.com": "Trend Micro",
{"api.nacloud.trendmicro.com", 60}, "api.us.nacloud.trendmicro.com": "Trend Micro",
{"cloudone.trendmicro.com", 60}, "docs.trendmicro.com": "Trend Micro",
{"ddd53-p.activeupdate.trendmicro.com", 1800}, "licenseupdate.trendmicro.com": "Trend Micro",
{"trenddefense.com", 300}, "api.nacloud.trendmicro.com": "Trend Micro",
{"threatconnect.trendmicro.com", 1800}, "trendmicro.com": "Trend Micro",
{"api.sg.nacloud.trendmicro.com", 60}, "files.trendmicro.com": "Trend Micro",
{"trendmicro.com", 1800}, "xdr.trendmicro.com": "Trend Micro",
{"api.jp.nacloud.trendmicro.com", 60}, "xdr.trendmicro.co.jp": "Trend Micro",
{"api.eu.nacloud.trendmicro.com", 60}, "trenddefense.com": "Trend Micro",
{"docs.trendmicro.com", 1800}, "ddd53-p.activeupdate.trendmicro.com": "Trend Micro",
{"api.us.nacloud.trendmicro.com", 60}, "ddd53-threatconnect.trendmicro.com": "Trend Micro",
{"ddd53-threatconnect.trendmicro.com", 1800}, "threatconnect.trendmicro.com": "Trend Micro",
{"licenseupdate.trendmicro.com", 1800}, "cloudone.trendmicro.com": "Trend Micro",
{"xdr.trendmicro.com", 60},
}
// Rapid7 InsightIDR
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr
var domains_rapid7 = []Pair{
{"data.insight.rapid7.com", 60},
{"us2.data.insight.rapid7.com", 30},
{"us3.data.insight.rapid7.com", 30},
{"eu.data.insight.rapid7.com", 30},
{"ca.data.insight.rapid7.com", 30},
{"au.data.insight.rapid7.com", 30},
{"ap.data.insight.rapid7.com", 30},
{"endpoint.ingress.rapid7.com", 300},
{"us2.endpoint.ingress.rapid7.com", 300},
{"us3.endpoint.ingress.rapid7.com", 300},
{"eu.endpoint.ingress.rapid7.com", 300},
{"ca.endpoint.ingress.rapid7.com", 300},
{"au.endpoint.ingress.rapid7.com", 300},
{"ap.endpoint.ingress.rapid7.com", 300},
{"us.storage.endpoint.ingress.rapid7.com", 86400},
{"us.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us2.storage.endpoint.ingress.rapid7.com", 86400},
{"us2.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us3.storage.endpoint.ingress.rapid7.com", 86400},
{"us3.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"eu.storage.endpoint.ingress.rapid7.com", 86400}, // not certain
{"eu.bootstrap.endpoint.ingress.rapid7.com", 86400}, // not certain
{"ca.storage.endpoint.ingress.rapid7.com", 86400},
{"ca.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"au.storage.endpoint.ingress.rapid7.com", 86400},
{"au.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"ap.storage.endpoint.ingress.rapid7.com", 86400},
{"ap.bootstrap.endpoint.ingress.rapid7.com", 86400},
} }

14
go.mod
View File

@ -1,13 +1,11 @@
module patdown module patdown
go 1.22.6 go 1.21.0
require github.com/miekg/dns v1.1.62
require ( require (
golang.org/x/mod v0.18.0 // indirect github.com/miekg/dns v1.1.57 // indirect
golang.org/x/net v0.27.0 // indirect golang.org/x/mod v0.12.0 // indirect
golang.org/x/sync v0.7.0 // indirect golang.org/x/net v0.17.0 // indirect
golang.org/x/sys v0.22.0 // indirect golang.org/x/sys v0.13.0 // indirect
golang.org/x/tools v0.22.0 // indirect golang.org/x/tools v0.13.0 // indirect
) )

22
go.sum
View File

@ -1,12 +1,10 @@
github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=