

No commits in common. "main" and "v1.0" have entirely different histories.
main ... v1.0

10 changed files with 510 additions and 909 deletions


@ -1,63 +1,6 @@
# patdown # patdown
> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.
> Remotely predicts and identifies the presence of EDR/XDR solutions on networks
<p align="center"> <p align="center">
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text"> <img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
</p> </p>
## Abstract
patdown is an EDR/XDR fingerprinting utility used for remotely predicting defense mechanisms in use on a network.
This allows you to forecast the security posture of a network during the earliest stages of access, or even prior to any access at all.
Fingerprinting is achieved via the probing of DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` cached, chances are the *CrowdStrike Falcon* EDR solution is present on the network.
These DNS servers can be specified as arguments (most effective), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-d` flag.
> ⚠️ Authoritative nameservers are rarely used as egress resolvers for networks and are not as reliable for fingerprinting EDR/XDR, making them prone to false positives.
## Installation
Retrieve a binary corresponding to your architecture from **Releases**
*or*
`git clone https://github.com/speedboat/patdown.git ; cd patdown/cmd/patdown ; go build -o patdown main.go ; ./patdown -h`
## Usage
```
d | target fqdn (not as reliable, prone to false positives)
n | nameserver to query (can be specified multiple times)
v | enable verbosity [false]
t | threads [5]
s | delay between requests in milliseconds, per thread [250]
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
```
## Currently Identified Vendors/Solutions:
- [x] **CrowdStrike** Falcon
- [x] **Microsoft** Defender for Endpoint
- [x] **VMWare** Carbon Black
- [x] **Check Point** Harmony
- [x] **Cybereason** EDR
- [x] **Trellix** EDR
- [x] **Palo Alto Networks** Cortex XDR
- [x] **SentinelOne** Singularity
- [x] **Symantec** Endpoint Security
- [x] **Tanium** EDR
- [x] **Nextron** Aurora
- [x] **Trend Micro** Endpoint Sensor
- [x] **Rapid7** InsightIDR
- [ ] **ESET** Inspect
- [ ] **Harfanglab** EDR
- [ ] **Limacharlie** EDR
- [ ] **Elastic** Security
- [ ] **Qualys** EDR
- [ ] **Uptycs** XDR
- [ ] **WatchGuard** EDR


@ -1,36 +1,151 @@
package main package main
import ( import (
"flag"
"fmt" "fmt"
"time"
"patdown/common" "patdown/common"
"github.com/miekg/dns"
) )
type multiflag []string
type Pair struct {
Nameserver string
Domain string
}
func (m *multiflag) String() string {
return "irc.supernets.org #superbowl"
}
func (m *multiflag) Set(value string) error {
*m = append(*m, value)
return nil
}
var (
domain = flag.String("t", "", "")
workers = flag.Int("c", 100, "")
delay = flag.Int("s", 100, "")
nameserver multiflag
)
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
return msg
}
func query(q <-chan Pair, tracker chan<- interface{}) {
for pair := range q {
msg := message(pair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, pair.Nameserver+":53")
if err != nil {
common.Error(err.Error())
continue
}
if len(in.Answer) > 0 {
fmt.Printf("[%s] associated domain %s found on %s\n", common.Vendors[common.Domains[pair.Domain]], pair.Domain, pair.Nameserver)
}
time.Sleep(time.Duration(*delay) * time.Millisecond)
}
tracker <- 1337
}
func testns(ns string) error {
msg := message("supernets.org", dns.TypeA, false)
_, err := dns.Exchange(msg, ns+":53")
if err != nil {
return err
}
return nil
}
func testreq() bool {
msg := message("cloudflare.com", dns.TypeA, false)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func main() { func main() {
common.LoadArgs() flag.Var(&nameserver, "n", "nameserver to query")
var servers []string flag.Usage = common.Usage
flag.Parse()
var nameservers []string
pairs := make(chan Pair)
tracker := make(chan interface{})
common.Banner() common.Banner()
autodetect := common.Params.Domain != "" if *domain != "" {
if autodetect { // query domain for nameservers
if servers = common.PullNS(common.Params.Domain); len(servers) == 0 { nsmsg := message(*domain, dns.TypeNS, true)
common.Fatal("no nameservers found for " + common.Params.Domain) in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
if err != nil {
panic(err)
}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
nameservers = append(nameservers, ns.Ns)
}
}
} else if len(nameserver) > 0 {
for _, ns := range nameserver {
nameservers = append(nameservers, ns)
} }
common.Info(fmt.Sprintf("retrieved %s%d%s nameservers for %s", common.ColorGreen, len(servers), common.ColorReset, common.Params.Domain))
} else if len(common.Params.Nservers) > 0 {
servers = common.Params.Nservers
} else { } else {
common.Fatal("provide a domain or nameservers to target") // print usage
common.Usage()
return
} }
if !common.NeutralReq() { if !testreq() {
common.Fatal("neutral dns check failed, are you on a dirty box or vpn?") common.Fatal("non-recursive queries are being refused, are you on a very dirty box or VPN?")
} }
valid := common.ParseNS(servers) common.Info("aggregating nameservers...")
if len(valid) == 0 {
common.Fatal("no servers responded to trial probes, they're either down or they don't like your IP") for i, ns := range nameservers {
if err := testns(ns); err != nil {
common.Error("nameserver " + ns + " is not responding")
nameservers = append(nameservers[:i], nameservers[i+1:]...)
}
} }
common.Takeoff(valid) common.Info(fmt.Sprintf("snooping caches on %d resolvers...", len(nameservers)))
go func() {
for i := 0; i < *workers; i++ {
query(pairs, tracker)
}
}()
for _, ns := range nameservers {
for k, _ := range common.Domains {
pairs <- Pair{Nameserver: ns, Domain: k}
}
}
close(pairs)
for x := 0; x < *workers; x++ {
<-tracker
}
} }
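Review bot: The worker pool `go func() { for i := 0; i < *workers; i++ { query(pairs, tracker) } }()` runs the `query` calls one after another inside a single goroutine, so `-c` never produces any concurrency and every resolver is probed one lookup at a time with the full `-s` delay between each; each call should be launched in its own goroutine, `for i := 0; i < *workers; i++ { go query(pairs, tracker) }`. The liveness filter just above it removes entries with `append(nameservers[:i], nameservers[i+1:]...)` while still ranging over `nameservers`, which skips the nameserver that follows each removed one and re-tests a stale duplicate at the tail; collecting the responsive entries into a separate slice avoids both problems. The NS-lookup failure path uses `panic(err)` where the rest of `main` reports through `common.Fatal`, so a transient resolver error prints a stack trace instead of the usual message. Separately, `pair.Nameserver+":53"` in `query` and `ns+":53"` in `testns` cannot address an IPv6 literal passed via `-n`; `net.JoinHostPort(pair.Nameserver, "53")` (adding `"net"` to the imports) handles both forms.
```go
	common.Info("aggregating nameservers...")
	alive := nameservers[:0]
	for _, ns := range nameservers {
		if err := testns(ns); err != nil {
			common.Error("nameserver " + ns + " is not responding")
			continue
		}
		alive = append(alive, ns)
	}
	nameservers = alive
	common.Info(fmt.Sprintf("snooping caches on %d resolvers...", len(nameservers)))
	for i := 0; i < *workers; i++ {
		go query(pairs, tracker)
	}
	// … unchanged: pair fan-out, close(pairs), tracker drain …
```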


@ -1,39 +0,0 @@
package common
import "flag"
type multiflag []string
type Config struct {
Domain string
Threads int
Delay int
Nservers []string
Verbose bool
}
var (
domain = flag.String("d", "", "")
workers = flag.Int("t", 5, "")
delay = flag.Int("s", 250, "")
verbose = flag.Bool("v", false, "")
nsarg multiflag
Params Config
)
func (m *multiflag) String() string {
return "front page maximum wage"
}
func (m *multiflag) Set(value string) error {
*m = append(*m, value)
return nil
}
func LoadArgs() {
flag.Var(&nsarg, "n", "")
flag.Usage = Usage
flag.Parse()
Params = Config{Domain: *domain, Threads: *workers, Delay: *delay, Nservers: nsarg, Verbose: *verbose}
}

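--- /dev/null
+++ b/common/console.go
@@ -0,0 +1,87 @@
+package common
+import (
+"fmt"
+"os"
+)
+var (
+ColorReset = "\033[0m"
+ColorRed = "\033[31m"
+ColorPurple = "\033[35m"
+ColorLightBlue = "\033[34m"
+ColorCyan = "\033[36m"
+ColorGreen = "\033[32m"
+ColorOrange = "\033[91m"
+ColorGray = "\033[90m"
+ColorYellow = "\033[93m"
+)
+func Banner() {
+fmt.Printf(`%s
+.------..------..------..------..------..------..------.
+|%s%sP%s%s.--. ||%s%sA%s%s.--. ||%s%sT%s%s.--. ||%s%sD%s%s.--. ||%s%sO%s%s.--. ||%s%sW%s%s.--. ||%s%sN%s%s.--. |
+| :/\: || (\/) || :/\: || :/\: || :/\: || :/\: || :(): |
+| (__) || :\/: || (__) || (__) || :\/: || :\/: || ()() |
+| '--'P|| '--'A|| '--'T|| '--'D|| '--'O|| '--'W|| '--'N|
+'------''------''------''------''------''------''------'
+%s%s sincerely,
+~ delorean%s
+`, ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
+ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
+ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
+ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset)
+}
+func Usage() {
+fmt.Fprintf(os.Stderr, `patdown usage:
+(%s-t%s) - target domain
+(%s-n%s) - specific nameserver to snoop, can be multiple
+(%s-c%s) - concurrent threads [%s100%s]
+(%s-s%s) - delay between queries, per thread, in milliseconds [%s100%s]
+%se.g.%s
+patdown -t supernets.org
+patdown -n ns1.supernets.org -n ns2.supernets.org
+patdown -t supernets.org -c 50 -s 500
+`, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset)
+}
+var Vendors = map[string]string{
+"Microsoft Defender for Endpoint": "\033[34mMicrosoft Defender for Endpoint\033[0m",
+"VMWare Carbon Black": "\033[36mVMware\033[0m \033[90mCarbon Black\033[0m",
+"CrowdStrike Falcon": "\033[31mCrowdStrike\033[0m \033[1mFalcon\033[0m",
+"CheckPoint Harmony": "\033[35mCheckPoint\033[0m \033[1mHarmony\033[0m",
+"Cybereason": "\033[93mCybereason\033[0m",
+"Trellix": "\033[32mTrellix\033[0m",
+"Palo Alto Networks": "\033[91mPalo Alto Networks\033[0m",
+"SentinelOne": "\033[35mSentinelOne\033[0m",
+"Symantec": "\033[93mSymantec\033[0m",
+"Tanium": "\033[31mTanium\033[0m",
+"Nextron Aurora": "\033[36mNextron\033[0m \033[90mAurora\033[0m",
+"Trend Micro": "\033[31mTrend\033[0m \033[1mMicro\033[0m",
+}
+func Success(msg string) {
+fmt.Printf(" %s~+~%s %s\n", ColorGreen, ColorReset, msg)
+}
+func Info(msg string) {
+fmt.Printf(" %s~i~%s %s\n", ColorCyan, ColorReset, msg)
+}
+func Warning(msg string) {
+fmt.Printf(" %s~!~%s %s\n", ColorYellow, ColorReset, msg)
+}
+func Error(msg string) {
+fmt.Printf(" %s~x~%s %s\n", ColorRed, ColorReset, msg)
+}
+func Fatal(msg string) {
+fmt.Printf(" %s~f~%s %s\n", ColorRed, ColorReset, msg)
+os.Exit(-1)
+}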
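Review bot: `Fatal` terminates with `os.Exit(-1)`, which the shell reports as status 255 and which reads as a crash rather than a deliberate failure; `os.Exit(1)` is the conventional code. `Error` and `Fatal` print through `fmt.Printf` to stdout while `Usage` already writes to `os.Stderr`, so diagnostics get interleaved with the vendor findings whenever the output is piped or saved; `fmt.Fprintf(os.Stderr, " %s~x~%s %s\n", ColorRed, ColorReset, msg)` in those two helpers keeps stdout to results only. The defaults hard-coded in the `Usage` text (`100` for both `-c` and `-s`) duplicate the `flag.Int` defaults declared in main.go and will drift silently when either side changes. The keys of `Vendors` must cover every value used in `Domains`, since `query` in main.go indexes one with the other and a missing key prints an empty vendor label; the visible part of domains.go matches, but the rest of that file is cut off here. None of the exported names in this file carry doc comments; a one-liner such as `// Vendors maps a vendor key used in Domains to its colourised display name.` on each would satisfy golint and explain the key contract.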


@ -1,96 +0,0 @@
package common
import (
"fmt"
"os"
)
func scan(nameservers []Nameserver, threads, delay int, recursive, single bool) {
queries := make(chan Query)
tab := make(chan interface{})
if !recursive {
Info(fmt.Sprintf("performing non-recursive lookups against %d resolvers...", len(nameservers)))
for i := 0; i < threads; i++ {
go RunQuery(queries, tab, delay)
}
for _, ns := range nameservers {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
} else {
Warn("recursive snooping can only be done once, as it populates the nameserver's cache")
Info(fmt.Sprintf("recursively snooping on %d resolvers...", len(nameservers)))
for i := 0; i < threads; i++ {
go RunQueryRA(queries, tab, delay)
}
if !single {
for _, ns := range nameservers {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
} else {
for vendor, domains := range Vendors {
for _, domainpair := range domains {
queries <- Query{Nameserver: nameservers[0].Nameserver, Vendor: vendor, DomainPair: domainpair}
}
}
}
}
close(queries)
}
func Takeoff(nameservers []Nameserver) {
var nonrns, rns []Nameserver
for _, ns := range nameservers {
if ns.Recursive {
rns = append(rns, ns)
}
if ns.NonRA {
nonrns = append(nonrns, ns)
}
}
if len(nonrns) == 0 && len(rns) == 0 {
Fatal("no valid nameservers available for probing, they may be down or they don't like your IP")
}
recursive := false
for {
if !recursive {
if len(nonrns) > 0 {
scan(nonrns, Params.Threads, Params.Delay, false, false)
} else {
for {
Info(fmt.Sprintf("non-recursive lookups not viable on these servers, perform recursive snooping? %s(less reliable, can only be done once per server)%s",
ColorRed, ColorReset))
fmt.Printf("%s `--(y/n):%s ", ColorCyan, ColorReset)
var input string
fmt.Scanln(&input)
if input == "y" {
recursive = true
break
}
if input == "n" {
os.Exit(0)
}
}
continue
}
} else {
autodetected := Params.Domain != "" && len(Params.Nservers) == 0
scan(rns, Params.Threads, Params.Delay, true, autodetected)
}
}
}


@ -1,69 +0,0 @@
package common
import (
"fmt"
"os"
)
var (
ColorReset = "\033[0m"
ColorRed = "\033[31m"
ColorPurple = "\033[35m"
ColorLightBlue = "\033[34m"
ColorCyan = "\033[36m"
ColorGreen = "\033[32m"
ColorOrange = "\033[91m"
ColorGray = "\033[90m"
ColorYellow = "\033[93m"
ColorWhite = "\033[97m"
)
func Usage() {
Banner()
fmt.Printf(`
usage:
%s!%s d | target fqdn (not recommended)
%s!%s n | nameserver to query (can be specified multiple times)
v | enable verbosity %s[false]%s
t | threads %s[5]%s
s | delay between requests in milliseconds, per thread %s[250]%s
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
`, ColorRed, ColorReset, ColorRed, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset)
}
func Banner() {
fmt.Fprintf(os.Stderr, `
_______
_/_ / ---' ____)____
_ __. / __/ __ , , , ___ ______)
/_)_(_/|_<__(_/_(_)(_(_/_/ <_ _______)
/ _______)
' ---.__________)
`)
}
func Success(msg string) {
fmt.Printf("%s[+]%s %s\n", ColorGreen, ColorReset, msg)
}
func Info(msg string) {
fmt.Printf("%s[i]%s %s\n", ColorCyan, ColorReset, msg)
}
func Warn(msg string) {
fmt.Printf("%s[!]%s %s\n", ColorYellow, ColorReset, msg)
}
func Error(msg string) {
fmt.Printf("%s[x]%s %s\n", ColorRed, ColorReset, msg)
}
func Fatal(msg string) {
fmt.Printf("%s[f]%s %s\n", ColorRed, ColorReset, msg)
os.Exit(-1)
}


@ -1,140 +0,0 @@
package common
import (
"fmt"
"time"
"github.com/miekg/dns"
)
type Query struct {
Nameserver string
Vendor string
DomainPair Pair
}
type Nameserver struct {
Nameserver string
NonRA bool
Recursive bool
}
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{
Name: dns.Fqdn(domain),
Qtype: reqtype,
Qclass: dns.ClassINET,
}
return msg
}
func ParseNS(nameservers []string) []Nameserver {
var valid []Nameserver
msg := message("cloudflare.com", dns.TypeA, false)
for _, ns := range nameservers {
nonra, ra := false, false
in, err := dns.Exchange(msg, ns+":53")
if err != nil {
Error(fmt.Sprintf("nameserver %s%s%s is not responding to the trial query", ColorGray, ns[0:len(ns)-1], ColorReset))
continue
}
if in.Rcode == dns.RcodeRefused {
Warn(fmt.Sprintf("nameserver %s%s%s refused the trial non-recursive query", ColorGray, ns[0:len(ns)-1], ColorReset))
} else {
Success(fmt.Sprintf("nameserver %s%s%s allows non-recursive queries", ColorGray, ns[0:len(ns)-1], ColorReset))
nonra = true
}
if in.RecursionAvailable {
Success(fmt.Sprintf("nameserver %s%s%s allows recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
ra = true
} else {
Warn(fmt.Sprintf("nameserver %s%s%s does not allow recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
}
valid = append(valid, Nameserver{Nameserver: ns, NonRA: nonra, Recursive: ra})
}
return valid
}
func NeutralReq() bool {
msg := message("supernets.org", dns.TypeA, true)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func PullNS(d string) []string {
nsmsg := message(d, dns.TypeNS, true)
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
if err != nil {
Fatal("unable to retrieve nameservers for " + d)
}
nameservers := []string{}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
nameservers = append(nameservers, ns.Ns)
}
}
return nameservers
}
func RunQuery(q <-chan Query, tracker chan<- interface{}, delay int) {
for qdata := range q {
if Params.Verbose {
Info(fmt.Sprintf("querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
}
msg := message(qdata.DomainPair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
if err != nil {
Error(err.Error())
continue
}
if len(in.Answer) > 0 {
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s",
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset))
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}
func RunQueryRA(q <-chan Query, tracker chan<- interface{}, delay int) {
for qdata := range q {
if Params.Verbose {
Info(fmt.Sprintf("recursively querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
}
for x := 0; x < 2; x++ {
msg := message(qdata.DomainPair.Domain, dns.TypeA, true)
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
if err != nil {
Error("hiccup on " + qdata.Nameserver[0:len(qdata.Nameserver)-1] + " while querying " + qdata.DomainPair.Domain)
time.Sleep(2 * time.Second)
continue
}
if len(in.Answer) > 0 {
if in.Answer[0].Header().Ttl <= qdata.DomainPair.TTL-4 {
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s with decremented TTL of %s%d%s",
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset, ColorGreen, in.Answer[0].Header().Ttl, ColorReset))
}
}
break
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}


@ -1,483 +1,287 @@
package common package common
import "fmt" var Domains = map[string]string{
// Microsoft Defender for Endpoint
//https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
"security.microsoft.com": "Microsoft Defender for Endpoint",
"download.microsoft.com": "Microsoft Defender for Endpoint",
"ussus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus3eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus4eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus3westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus4westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"usseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"usseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"settings-win.data.microsoft.com": "Microsoft Defender for Endpoint",
"vortex-win.data.microsoft.com": "Microsoft Defender for Endpoint",
"go.microsoft.com": "Microsoft Defender for Endpoint",
"ctldl.windowsupdate.com": "Microsoft Defender for Endpoint",
"windowsupdate.com": "Microsoft Defender for Endpoint",
type Pair struct { // VMWare Carbon Black
Domain string // https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
TTL uint32 "carbonblack.com": "VMWare Carbon Black",
} "carbonblack.io": "VMWare Carbon Black",
"defense-eap01.conferdeploy.net": "VMWare Carbon Black",
"dashboard.confer.net": "VMWare Carbon Black",
"defense.conferdeploy.net": "VMWare Carbon Black",
"defense-prod05.conferdeploy.net": "VMWare Carbon Black",
"defense-eu.conferdeploy.net": "VMWare Carbon Black",
"defense-prodnrt.conferdeploy.net": "VMWare Carbon Black",
"defense-prodsyd.conferdeploy.net": "VMWare Carbon Black",
"ew2.carbonblackcloud.vmware.com": "VMWare Carbon Black",
"gprd1usgw1.carbonblack-us-gov.vmware.com": "VMWare Carbon Black",
"updates.cdc.carbonblack.io": "VMWare Carbon Black",
"updates2.cdc.carbonblack.io": "VMWare Carbon Black",
"carbonblack.vmware.com": "VMWare Carbon Black",
"console.cloud-us-gov.vmware.com": "VMWare Carbon Black",
"console.cloud.vmware.com": "VMWare Carbon Black",
var Vendors = map[string][]Pair{ // CrowdStrike Falcon
fmt.Sprintf("%sMicrosoft Defender for Endpoint%s", ColorCyan, ColorReset): domains_microsoft, // https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
fmt.Sprintf("%sVMWare%s Carbon Black%s", ColorCyan, ColorGray, ColorReset): domains_carbonblack, "crowdstrike.com": "CrowdStrike Falcon",
fmt.Sprintf("%sCrowdStrike Falcon%s", ColorRed, ColorReset): domains_crowdstrike, "ts01-b.cloudsink.net": "CrowdStrike Falcon",
fmt.Sprintf("%sCheck Point Harmony%s", ColorPurple, ColorReset): domains_checkpoint, "lfodown01-b.cloudsink.net": "CrowdStrike Falcon",
fmt.Sprintf("%sCybereason%s", ColorYellow, ColorReset): domains_cybereason, "lfoup01-b.cloudsink.net": "CrowdStrike Falcon",
fmt.Sprintf("%sTrellix%s", ColorCyan, ColorReset): domains_trellix, "falcon.crowdstrike.com": "CrowdStrike Falcon",
fmt.Sprintf("%sCortex XDR%s", ColorOrange, ColorReset): domains_paloalto, "assets.falcon.crowdstrike.com": "CrowdStrike Falcon",
fmt.Sprintf("%sSentinelOne Singularity%s", ColorPurple, ColorReset): domains_sentinelone, "assets-public.falcon.crowdstrike.com": "CrowdStrike Falcon",
fmt.Sprintf("%sSymantec Endpoint Security%s", ColorYellow, ColorReset): domains_symantec, "api.crowdstrike.com": "CrowdStrike Falcon",
fmt.Sprintf("%sTanium%s", ColorRed, ColorReset): domains_tanium, "firehose.crowdstrike.com": "CrowdStrike Falcon",
fmt.Sprintf("%sNextron%s Aurora%s", ColorCyan, ColorGreen, ColorReset): domains_aurora, "ts01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
fmt.Sprintf("%sTrend Micro Endpoint Sensor%s", ColorRed, ColorReset): domains_trendmicro, "lfodown01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
fmt.Sprintf("%sRapid7%s InsightIDR", ColorOrange, ColorReset): domains_rapid7, "lfoup01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
} "falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
"assets.falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
"assets-public.us-2.falcon.crowdstrike.com": "CrowdStrike Falcon",
"api.us-2.crowdstrike.com": "CrowdStrike Falcon",
"firehose.us-2.crowdstrike.com": "CrowdStrike Falcon",
"ts01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
"lfodown01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
"falcon.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
"api.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
"firehose.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
"ts01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
"lfodown01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
"api.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
"firehose.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
"ts01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
"lfodown01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
"lfoup01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
"assets.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
"assets-public.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
"api.eu-1.crowdstrike.com": "CrowdStrike Falcon",
"firehose.eu-1.crowdstrike.com": "CrowdStrike Falcon",
// Microsoft Defender for Endpoint // Harmony / CheckPoint
// https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls // https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590
var domains_microsoft = []Pair{ "checkpoint.com": "CheckPoint Harmony",
{"download.microsoft.com", 3600}, // not certain "us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": "CheckPoint Harmony",
{"go.microsoft.com", 3600}, // not certain "europe-west1-datatube-240519.cloudfunctions.net": "CheckPoint Harmony",
{"security.microsoft.com", 3600}, "datatube-prod.azurewebsites.net": "CheckPoint Harmony",
{"settings-win.data.microsoft.com", 3600}, // not certain "epmgmt.checkpoint.com": "CheckPoint Harmony",
{"windowsupdate.com", 300}, "endpoint-cdn.epmgmt.checkpoint.com": "CheckPoint Harmony",
{"ctldl.windowsupdate.com", 3600}, // not certain "ep-repo.epmgmt.checkpoint.com": "CheckPoint Harmony",
{"wdcp.microsoft.com", 3600}, "epm-gw-eu.epmgmt.checkpoint.com": "CheckPoint Harmony",
{"wd.microsoft.com", 300}, "file-rep.iaas.checkpoint.com": "CheckPoint Harmony",
{"wdcpalt.microsoft.com", 3600}, "url-rep.iaas.checkpoint.com": "CheckPoint Harmony",
{"checkappexec.microsoft.com", 3600}, // not certain "threatcloud.iaas.checkpoint.com": "CheckPoint Harmony",
{"smartscreen-prod.microsoft.com", 3600}, "te.iaas.checkpoint.com": "CheckPoint Harmony",
{"vortex-win.data.microsoft.com", 120}, "sba-data-collection.iaas.checkpoint.com": "CheckPoint Harmony",
{"update.microsoft.com", 3600}, // not certain "iaas.checkpoint.com": "CheckPoint Harmony",
{"download.windowsupdate.com", 3600}, // not certain "cws.checkpoint.com": "CheckPoint Harmony",
{"definitionupdates.microsoft.com", 3600}, "rep.checkpoint.com": "CheckPoint Harmony",
// {"delivery.mp.microsoft.com", 0}, "te.checkpoint.com": "CheckPoint Harmony",
// {"fe3cr.delivery.mp.microsoft.com", 0}, "threat-emulation.checkpoint.com": "CheckPoint Harmony",
{"ussus2westprod.blob.core.windows.net", 60}, "kav8.checkpoint.com": "CheckPoint Harmony",
{"ussus1westprod.blob.core.windows.net", 60}, "secureupdates.checkpoint.com": "CheckPoint Harmony",
{"wsus2westprod.blob.core.windows.net", 60}, "sc1.checkpoint.com": "CheckPoint Harmony",
{"wseu1northprod.blob.core.windows.net", 60}, "updates.checkpoint.com": "CheckPoint Harmony",
{"wsus2eastprod.blob.core.windows.net", 60}, "dl3.checkpoint.com": "CheckPoint Harmony",
{"ussus3westprod.blob.core.windows.net", 60}, "cloudinfra-gw.portal.checkpoint.com": "CheckPoint Harmony",
{"wsus1eastprod.blob.core.windows.net", 60}, "gwevents.checkpoint.com": "CheckPoint Harmony",
{"wsuk1westprod.blob.core.windows.net", 60}, "teadv.checkpoint.com": "CheckPoint Harmony",
{"ussus2eastprod.blob.core.windows.net", 60}, "services.checkpoint.com": "CheckPoint Harmony",
{"usseu1northprod.blob.core.windows.net", 60},
{"wsus1westprod.blob.core.windows.net", 60},
{"usseu1westprod.blob.core.windows.net", 60},
{"ussus1eastprod.blob.core.windows.net", 60},
{"ussuk1westprod.blob.core.windows.net", 60},
{"ussus4eastprod.blob.core.windows.net", 60},
{"wseu1westprod.blob.core.windows.net", 60},
{"ussuk1southprod.blob.core.windows.net", 60},
{"ussus3eastprod.blob.core.windows.net", 60},
{"ussus4westprod.blob.core.windows.net", 60},
{"wsuk1southprod.blob.core.windows.net", 60},
}
// VMWare Carbon Black // Cybereason
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls // https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
// https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.8.0/cb-edr-scm-guide/GUID-3117FB54-5D0F-46C1-8372-BF3784D27CFF.html "cybereason.com": "Cybereason",
// restricted: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-Ports-must-be-opened-on-the-Firewall-and-Proxy/ta-p/36295 "probe-dist.cybereason.net": "Cybereason",
var domains_carbonblack = []Pair{ "data-epgw.cybereason.net": "Cybereason",
{"defense-prod05.conferdeploy.net", 60}, "probe-dist-eu-west-1.cybereason.net": "Cybereason",
{"console.cloud.vmware.com", 60}, "data-epgw-eu-west-1.cybereason.net": "Cybereason",
{"updates2.cdc.carbonblack.io", 300}, "probe-dist-asia-northeast-1.cybereason.net": "Cybereason",
{"dashboard.confer.net", 300}, "data-epgw-asia-northeast-1.cybereason.net": "Cybereason",
{"console.cloud-us-gov.vmware.com", 300},
{"ew2.carbonblackcloud.vmware.com", 30},
{"defense.conferdeploy.net", 60},
{"carbonblack.io", 60},
{"carbonblack.vmware.com", 86400},
{"defense-prodnrt.conferdeploy.net", 60},
{"updates.cdc.carbonblack.io", 60},
{"gprd1usgw1.carbonblack-us-gov.vmware.com", 3600},
{"defense-prodsyd.conferdeploy.net", 60},
{"carbonblack.com", 300},
{"defense-eap01.conferdeploy.net", 60},
{"defense-eu.conferdeploy.net", 60},
{"api.alliance.carbonblack.com", 600},
{"api2.alliance.carbonblack.com", 600},
{"threatintel.bit9.com", 3600},
{"yum.distro.carbonblack.io", 300},
}
// CrowdStrike Falcon // FireEye / Trellix
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements // https://kcm.trellix.com/corporate/index?page=content&id=KB90878
var domains_crowdstrike = []Pair{ "api.manage.trellix.com": "Trellix",
{"falcon.us-2.crowdstrike.com", 120}, "uam.api.trellix.com": "Trellix",
{"falcon.crowdstrike.com", 60}, "cdn-usw001.manage.trellix.com": "Trellix",
{"ts01-gyr-maverick.cloudsink.net", 60}, "sw-usw001.manage.trellix.com": "Trellix",
// {"us-gov-2.crowdstrike.com", 0}, "cdn-usw002.manage.trellix.com": "Trellix",
{"api.crowdstrike.com", 300}, "sw-usw002.manage.trellix.com": "Trellix",
{"ts01-b.cloudsink.net", 1800}, "cdn-usw003.manage.trellix.com": "Trellix",
// {"firehose.us-gov-2.crowdstrike.com", 0}, "sw-usw003.manage.trellix.com": "Trellix",
{"assets.falcon.eu-1.crowdstrike.com", 120}, "cdn-usw004.manage.trellix.com": "Trellix",
{"api.eu-1.crowdstrike.com", 60}, "sw-usw004.manage.trellix.com": "Trellix",
{"lfodown01-b.cloudsink.net", 1800}, "cdn-sgp001.manage.trellix.com": "Trellix",
{"assets-public.falcon.crowdstrike.com", 60}, "sw-sgp001.manage.trellix.com": "Trellix",
{"assets.falcon.us-2.crowdstrike.com", 120}, "cdn-eu001.manage.trellix.com": "Trellix",
{"api.us-2.crowdstrike.com", 120}, "sw-eu001.manage.trellix.com": "Trellix",
{"assets-public.us-2.falcon.crowdstrike.com", 120}, "cdn-au001.manage.trellix.com": "Trellix",
{"firehose.laggar.gcw.crowdstrike.com", 60}, "sw-au001.manage.trellix.com": "Trellix",
{"ts01-lanner-lion.cloudsink.net", 60}, "cdn-ind001.manage.trellix.com": "Trellix",
{"lfoup01-lanner-lion.cloudsink.net", 1800}, "sw-ind001.manage.trellix.com": "Trellix",
{"assets-public.falcon.eu-1.crowdstrike.com", 120}, "cds-usw001.manage.trellix.com": "Trellix",
{"crowdstrike.com", 300}, "cds-usw002.manage.trellix.com": "Trellix",
{"lfoup01-gyr-maverick.cloudsink.net", 1800}, "cds-usw003.manage.trellix.com": "Trellix",
{"lfoup01-b.cloudsink.net", 1800}, "cds-usw004.manage.trellix.com": "Trellix",
{"ts01-laggar-gcw.cloudsink.net", 60}, "dxl-usw001.manage.trellix.com": "Trellix",
{"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com", 60}, "dxl-usw002.manage.trellix.com": "Trellix",
{"ts01-us-gov-2.cloudsink.net", 1800}, "dxl-usw003.manage.trellix.com": "Trellix",
{"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com", 60}, "dxl-usw004.manage.trellix.com": "Trellix",
{"assets.falcon.crowdstrike.com", 60}, "dxlweb-usw001.manage.trellix.com": "Trellix",
{"lfodown01-lanner-lion.cloudsink.net", 60}, "dxlweb-usw002.manage.trellix.com": "Trellix",
{"falcon.laggar.gcw.crowdstrike.com", 60}, "dxlweb-usw003.manage.trellix.com": "Trellix",
{"firehose.us-2.crowdstrike.com", 120}, "dxlweb-usw004.manage.trellix.com": "Trellix",
{"firehose.eu-1.crowdstrike.com", 120},
{"lfodown01-laggar-gcw.cloudsink.net", 60},
{"api.laggar.gcw.crowdstrike.com", 60},
{"lfodown01-gyr-maverick.cloudsink.net", 60},
{"lfodown01-us-gov-2.cloudsink.net", 1800},
{"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com", 60},
{"firehose.crowdstrike.com", 300},
{"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com", 60},
}
// Harmony / CheckPoint // Cortex XDR / Palo Alto Networks
// https://support.checkpoint.com/results/sk/sk116590 // https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
var domains_checkpoint = []Pair{ "paloaltonetworks.com": "Palo Alto Networks",
{"rep.checkpoint.com", 1800}, "lrc-us.paloaltonetworks.com": "Palo Alto Networks",
{"threat-emulation.checkpoint.com", 1800}, "lrc-eu.paloaltonetworks.com": "Palo Alto Networks",
{"sc1.checkpoint.com", 1800}, "lrc-ca.paloaltonetworks.com": "Palo Alto Networks",
{"gwevents.checkpoint.com", 300}, "lrc-uk.paloaltonetworks.com": "Palo Alto Networks",
{"gwevents.us.checkpoint.com", 180}, "lrc-jp.paloaltonetworks.com": "Palo Alto Networks",
{"endpoint-cdn.epmgmt.checkpoint.com", 300}, "lrc-sg.paloaltonetworks.com": "Palo Alto Networks",
// {"checkpoint.com", 25}, <- dynamic ttl "lrc-au.paloaltonetworks.com": "Palo Alto Networks",
{"kav8.checkpoint.com", 1800}, "lrc-de.paloaltonetworks.com": "Palo Alto Networks",
{"cloudinfra-gw.portal.checkpoint.com", 60}, "lrc-in.paloaltonetworks.com": "Palo Alto Networks",
{"datatube-prod.azurewebsites.net", 30}, "lrc-ch.paloaltonetworks.com": "Palo Alto Networks",
{"updates.checkpoint.com", 1800}, "lrc-pl.paloaltonetworks.com": "Palo Alto Networks",
{"ep-repo.epmgmt.checkpoint.com", 300}, "lrc-tw.paloaltonetworks.com": "Palo Alto Networks",
{"file-rep.iaas.checkpoint.com", 60}, "lrc-qt.paloaltonetworks.com": "Palo Alto Networks",
{"threatcloud.iaas.checkpoint.com", 60}, "lrc-fa.paloaltonetworks.com": "Palo Alto Networks",
{"dl3.checkpoint.com", 1800}, "panw-xdr-evr-prod-us.storage.googleapis.com": "Palo Alto Networks",
{"secureupdates.checkpoint.com", 1800}, "panw-xdr-evr-prod-eu.storage.googleapis.com": "Palo Alto Networks",
{"epm-gw-eu.epmgmt.checkpoint.com", 86400}, "panw-xdr-evr-prod-ca.storage.googleapis.com": "Palo Alto Networks",
{"url-rep.iaas.checkpoint.com", 60}, "panw-xdr-evr-prod-uk.storage.googleapis.com": "Palo Alto Networks",
{"te.iaas.checkpoint.com", 60}, "panw-xdr-evr-prod-jp.storage.googleapis.com": "Palo Alto Networks",
{"services.checkpoint.com", 1800}, "panw-xdr-evr-prod-sg.storage.googleapis.com": "Palo Alto Networks",
{"europe-west1-datatube-240519.cloudfunctions.net", 300}, "panw-xdr-evr-prod-au.storage.googleapis.com": "Palo Alto Networks",
{"cws.checkpoint.com", 1800}, "panw-xdr-evr-prod-de.storage.googleapis.com": "Palo Alto Networks",
{"teadv.checkpoint.com", 1800}, "panw-xdr-evr-prod-in.storage.googleapis.com": "Palo Alto Networks",
{"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net", 300}, "panw-xdr-evr-prod-ch.storage.googleapis.com": "Palo Alto Networks",
{"te.checkpoint.com", 1800}, "panw-xdr-evr-prod-pl.storage.googleapis.com": "Palo Alto Networks",
{"hap2.epmgmt.checkpoint.com", 300}, "panw-xdr-evr-prod-tw.storage.googleapis.com": "Palo Alto Networks",
{"hap21.epmgmt.checkpoint.com", 300}, "panw-xdr-evr-prod-qt.storage.googleapis.com": "Palo Alto Networks",
{"hap5.epmgmt.checkpoint.com", 300}, "panw-xdr-evr-prod-fa.storage.googleapis.com": "Palo Alto Networks",
{"hap51.epmgmt.checkpoint.com", 300}, "panw-xdr-installers-prod-us.storage.googleapis.com": "Palo Alto Networks",
{"hap1.epmgmt.checkpoint.com", 300}, "panw-xdr-payloads-prod-us.storage.googleapis.com": "Palo Alto Networks",
{"hap11.epmgmt.checkpoint.com", 300}, "global-content-profiles-policy.storage.googleapis.com": "Palo Alto Networks",
{"hap3.epmgmt.checkpoint.com", 300}, "login.paloaltonetworks.com": "Palo Alto Networks",
{"hap31.epmgmt.checkpoint.com", 300}, "pendo-static-5664029141630976.storage.googleapis.com": "Palo Alto Networks",
{"hap4.epmgmt.checkpoint.com", 300},
{"hap41.epmgmt.checkpoint.com", 300},
{"ftp-proxy.checkpoint.com", 1800},
{"web-rep.checkpoint.com", 1800},
}
// Cybereason // Singularity / SentinelOne
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html "sentinelone.com": "SentinelOne",
var domains_cybereason = []Pair{ "xdr.intus1.sentinelone.net": "SentinelOne",
{"data-epgw-eu-west-1.cybereason.net", 300}, "console.mobile.sentinelone.net": "SentinelOne",
{"probe-dist-asia-northeast-1.cybereason.net", 60}, "content.mobile.sentinelone.net": "SentinelOne",
{"data-epgw-asia-northeast-1.cybereason.net", 300}, "device-api.mobile.sentinelone.net": "SentinelOne",
{"probe-dist.cybereason.net", 300}, "eu1-acceptor.mobile.sentinelone.net": "SentinelOne",
{"probe-dist-eu-west-1.cybereason.net", 300}, "eu1-console.mobile.sentinelone.net": "SentinelOne",
{"probe-dist-dns.cybereason.net", 3600}, "eu1-content.mobile.sentinelone.net": "SentinelOne",
{"data-epgw.cybereason.net", 300}, "eu1-device-api.mobile.sentinelone.net": "SentinelOne",
{"cybereason.com", 600}, "eu1-oauth.mobile.sentinelone.net": "SentinelOne",
} "eu1-panel.mobile.sentinelone.net": "SentinelOne",
"eu1-qi.mobile.sentinelone.net": "SentinelOne",
"eu1-token.mobile.sentinelone.net": "SentinelOne",
"eu1-vpc.mobile.sentinelone.net": "SentinelOne",
"ut.sentinelone.net": "SentinelOne",
"oauth.mobile.sentinelone.net": "SentinelOne",
"panel.mobile.sentinelone.net": "SentinelOne",
// FireEye / Trellix // Symantec / Broadcom
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878 // https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
var domains_trellix = []Pair{ "symantec.com": "Symantec",
{"epo.trellix.com", 300}, "remotetunnel1.edrc.symantec.com": "Symantec",
{"s-download.trellix.com", 300}, "remotetunnel2.edrc.symantec.com": "Symantec",
{"lc.trellix.com", 300}, "remotetunnel3.edrc.symantec.com": "Symantec",
{"manage.trellix.com", 60}, "remotetunnel4.edrc.symantec.com": "Symantec",
{"cds-usw001.manage.trellix.com", 60}, "remotetunnel5.edrc.symantec.com": "Symantec",
{"cdn-usw002.manage.trellix.com", 60}, "api-gateway.symantec.com": "Symantec",
{"cdn-usw001.manage.trellix.com", 60}, "liveupdate.symantec.com": "Symantec",
{"cdn-usw003.manage.trellix.com", 60}, "ratings-wrs.symantec.com": "Symantec",
{"auth.ui.trellix.com", 60}, "stnd-avpg.crsi.symantec.com": "Symantec",
{"uam.api.trellix.com", 60}, "stnd-ipsg.crsi.symantec.com": "Symantec",
{"api.manage.trellix.com", 60}, "central.b6.crsi.symantec.com": "Symantec",
{"cds-usw002.manage.trellix.com", 60}, "bash-avpg.crsi.symantec.com": "Symantec",
{"trellix.com", 60}, "swupdate.brightmail.com": "Symantec",
{"dxlweb-usw001.manage.trellix.com", 60}, "shasta-rrs.symantec.com": "Symantec",
{"cds-usw003.manage.trellix.com", 60}, "shasta-mrs.symantec.com": "Symantec",
{"cdn-sgp001.manage.trellix.com", 60}, "datafeedapi.symanteccloud.com": "Symantec",
{"dxlweb-usw002.manage.trellix.com", 60}, "telemetry.broadcom.com": "Symantec",
{"cdn-ind001.manage.trellix.com", 60}, "sso1.edrc.symantec.com": "Symantec",
{"dxl-usw002.manage.trellix.com", 60},
{"dxl-usw001.manage.trellix.com", 60},
{"dxlweb-usw003.manage.trellix.com", 60},
{"cds-usw004.manage.trellix.com", 60},
{"cdn-au001.manage.trellix.com", 60},
{"dxlweb-usw004.manage.trellix.com", 60},
{"cdn-usw004.manage.trellix.com", 60},
{"dxl-usw004.manage.trellix.com", 60},
{"dxl-usw003.manage.trellix.com", 60},
{"cdn-eu001.manage.trellix.com", 60},
{"iam.cloud.trellix.com", 10},
{"iam-rs.cloud.trellix.com", 10},
{"gsd.cloud.trellix.com", 10},
{"d2c-us-west-2.manage.trellix.com", 60},
{"d2c-eu-central-1.manage.trellix.com", 60},
{"dxlweb-sgp001.manage.trellix.com", 60},
{"dxl-sgp001.manage.trellix.com", 60},
{"dxl-eu001.manage.trellix.com", 60},
{"dxlweb-eu001.manage.trellix.com", 60},
{"dxl-au001.manage.trellix.com", 60},
{"dxlweb-au001.manage.trellix.com", 60},
{"dxl-ind001.manage.trellix.com", 60},
{"dxlweb-ind001.manage.trellix.com", 60},
{"ui-usw001.manage.trellix.com", 60},
{"ui-usw002.manage.trellix.com", 60},
{"ui-usw003.manage.trellix.com", 60},
{"ui-usw004.manage.trellix.com", 60},
{"ui-sgp001.manage.trellix.com", 60},
{"ui-eu001.manage.trellix.com", 60},
{"ui-au001.manage.trellix.com", 60},
{"ui-ind001.manage.trellix.com", 60},
{"ah-usw001.manage.trellix.com", 60},
{"ah-usw002.manage.trellix.com", 60},
{"ah-usw003.manage.trellix.com", 60},
{"ah-usw004.manage.trellix.com", 60},
{"ah-sgp001.manage.trellix.com", 60},
{"ah-eu001.manage.trellix.com", 60},
{"ah-au001.manage.trellix.com", 60},
{"ah-ind001.manage.trellix.com", 60},
}
// Cortex XDR / Palo Alto Networks // Tanium
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access "tanium.com": "Tanium",
var domains_paloalto = []Pair{ "shared.prd-int-manage.mdm.cloud.tanium.com": "Tanium",
{"panw-xdr-evr-prod-au.storage.googleapis.com", 300}, "shared.prd-int.mdm.cloud.tanium.com": "Tanium",
{"lrc-eu.paloaltonetworks.com", 14400}, "shared.prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
{"global-content-profiles-policy.storage.googleapis.com", 300}, "shared.prd-us-1.mdm.cloud.tanium.com": "Tanium",
{"panw-xdr-evr-prod-uk.storage.googleapis.com", 300}, "prd-int-manage.mdm.cloud.tanium.com": "Tanium",
{"lrc-ch.paloaltonetworks.com", 14400}, "prd-int.mdm.cloud.tanium.com": "Tanium",
{"lrc-jp.paloaltonetworks.com", 14400}, "prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
{"panw-xdr-evr-prod-qt.storage.googleapis.com", 300}, "prd-us-1.mdm.cloud.tanium.com": "Tanium",
{"panw-xdr-evr-prod-pl.storage.googleapis.com", 300}, "prd.mdm.cloud.tanium.com": "Tanium",
{"pendo-static-5664029141630976.storage.googleapis.com", 300}, "jp.tanium.com": "Tanium",
{"panw-xdr-evr-prod-sg.storage.googleapis.com", 300}, "docs-es.tanium.com": "Tanium",
{"lrc-uk.paloaltonetworks.com", 14400}, "docs-fr.tanium.com": "Tanium",
{"lrc-us.paloaltonetworks.com", 14400}, "docs-ko.tanium.com": "Tanium",
{"lrc-tw.paloaltonetworks.com", 1800},
{"panw-xdr-evr-prod-eu.storage.googleapis.com", 300},
{"lrc-ca.paloaltonetworks.com", 14400},
{"paloaltonetworks.com", 30},
// {"lrc-fa.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-in.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-fa.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-ca.storage.googleapis.com", 300},
{"lrc-pl.paloaltonetworks.com", 14400},
{"lrc-qt.paloaltonetworks.com", 300},
{"panw-xdr-evr-prod-us.storage.googleapis.com", 300},
{"lrc-de.paloaltonetworks.com", 300},
{"panw-xdr-installers-prod-us.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-ch.storage.googleapis.com", 300},
{"lrc-in.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-de.storage.googleapis.com", 300},
{"lrc-au.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-tw.storage.googleapis.com", 300},
{"login.paloaltonetworks.com", 14400},
{"lrc-sg.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-jp.storage.googleapis.com", 300},
{"panw-xdr-payloads-prod-us.storage.googleapis.com", 300},
{"distributions.traps.paloaltonetworks.com", 300},
{"distributions-prod-fed.traps.paloaltonetworks.com", 300},
{"cortex-gateway.paloaltonetworks.com", 30},
{"gw-app-proxy.us.paloaltonetworks.com", 300},
{"xdr-ova-installers-prod-us.storage.googleapis.com", 300},
{"identity.paloaltonetworks.com", 300},
{"identity.gslb.paloaltonetworks.com", 5},
{"identity.gcp.gslb.paloaltonetworks.com", 5},
{"lrc-fed.paloaltonetworks.com", 14400},
{"panw-xdr-installers-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-payloads-prod-fr.storage.googleapis.com", 300},
{"global-content-profiles-policy-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-fr.storage.googleapis.com", 300},
{"app-proxy.federal.paloaltonetworks.com", 300},
}
// Singularity / SentinelOne // Aurora
var domains_sentinelone = []Pair{ // https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
{"eu1-oauth.mobile.sentinelone.net", 300}, "update-102.nextron-systems.com": "Nextron Aurora",
{"eu1-qi.mobile.sentinelone.net", 300}, "update-201.nextron-systems.com": "Nextron Aurora",
{"console.mobile.sentinelone.net", 300}, "update-202.nextron-systems.com": "Nextron Aurora",
{"sentinelone.com", 300}, "update-aurora.nextron-systems.com": "Nextron Aurora",
{"eu1-console.mobile.sentinelone.net", 300}, "update-lite.nextron-systems.com": "Nextron Aurora",
{"eu1-content.mobile.sentinelone.net", 300},
{"panel.mobile.sentinelone.net", 300},
{"oauth.mobile.sentinelone.net", 300},
{"xdr.intus1.sentinelone.net", 60},
{"eu1-device-api.mobile.sentinelone.net", 300},
{"eu1-vpc.mobile.sentinelone.net", 300},
{"eu1-acceptor.mobile.sentinelone.net", 300},
{"login.sentinelone.net", 300},
{"device-api.mobile.sentinelone.net", 300},
{"eu1-panel.mobile.sentinelone.net", 300},
{"eu1-token.mobile.sentinelone.net", 300},
{"content.mobile.sentinelone.net", 300},
{"ut.sentinelone.net", 300},
}
// Symantec / Broadcom // Trend Micro
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Getting-Started/urls-to-whitelist-for-v129099891-d4155e9710.html // https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
var domains_symantec = []Pair{ // https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
{"liveupdate.symantec.com", 3600}, "api.eu.nacloud.trendmicro.com": "Trend Micro",
{"liveupdate.symantecliveupdate.com", 600}, "api.jp.nacloud.trendmicro.com": "Trend Micro",
{"shasta-rrs.symantec.com", 1800}, "api.sg.nacloud.trendmicro.com": "Trend Micro",
{"ent-shasta-rrs.symantec.com", 1800}, "api.us.nacloud.trendmicro.com": "Trend Micro",
{"ent-shasta-mr-clean.symantec.com", 1800}, "docs.trendmicro.com": "Trend Micro",
{"symantec.com", 600}, "licenseupdate.trendmicro.com": "Trend Micro",
{"sp.cwfservice.net", 600}, "api.nacloud.trendmicro.com": "Trend Micro",
{"us.spoc.securitycloud.symantec.com", 600}, "trendmicro.com": "Trend Micro",
{"eu.spoc.securitycloud.symantec.com", 600}, "files.trendmicro.com": "Trend Micro",
{"in.spoc.securitycloud.symantec.com", 3600}, "xdr.trendmicro.com": "Trend Micro",
{"telemetry.broadcom.com", 3600}, "xdr.trendmicro.co.jp": "Trend Micro",
{"tses.broadcom.com", 30}, "trenddefense.com": "Trend Micro",
{"central.b6.crsi.symantec.com", 1800}, "ddd53-p.activeupdate.trendmicro.com": "Trend Micro",
{"central.ss.crsi.symantec.com", 1800}, "ddd53-threatconnect.trendmicro.com": "Trend Micro",
{"central.nrsi.symantec.com", 1800}, "threatconnect.trendmicro.com": "Trend Micro",
{"central.avsi.symantec.com", 1800}, "cloudone.trendmicro.com": "Trend Micro",
{"central.crsi.symantec.com", 1800},
{"shasta-mrs.symantec.com", 1800},
{"shasta-clt.symantec.com", 1800},
{"stnd-avpg.crsi.symantec.com", 1800},
{"avs-avpg.crsi.symantec.com", 1800},
{"stnd-ipsg.crsi.symantec.com ", 1800},
{"bash-avpg.crsi.symantec.com", 1800},
{"tus1gwynwapex01.symantec.com", 3600},
{"pod.threatpulse.com", 120},
{"faults.qalabs.symantec.com", 1800},
{"faults.symantec.com", 1800},
{"linux-repo-us.securityalliance.cloud", 86400},
{"usea1.r3.securitycloud.symantec.com", 3600},
{"euws1.r3.securitycloud.symantec.com", 3600},
{"inso1.r3.securitycloud.symantec.com", 3600},
{"datafeedapi.symanteccloud.com", 300},
{"us.spoc.securitycloud.symantec.com", 600},
{"eu.spoc.securitycloud.symantec.com ", 600},
{"in.spoc.securitycloud.symantec.com", 3600},
{"uploads.sep.securitycloud.symantec.com", 3600},
{"uploads.sep.eu.securitycloud.symantec.com ", 3600},
{"uploads.sep.in.securitycloud.symantec.com", 3600},
{"ws.securitycloud.symantec.com", 600},
{"bds.securitycloud.symantec.com", 600},
{"ws.eu.securitycloud.symantec.com", 3600},
{"bds.eu.securitycloud.symantec.com", 3600},
{"ws.in.securitycloud.symantec.com ", 3600},
{"bds.in.securitycloud.symantec.com", 3600},
{"cdn.sepmobile.securitycloud.symantec.com", 300},
{"mitm.sepmobile.securitycloud.symantec.com", 300},
{"services-prod.symantec.com", 600},
{"sep.securitycloud.symantec.com", 3600},
{"sep.eu.securitycloud.symantec.com", 3600},
{"sep.in.securitycloud.symantec.com", 3600},
{"avagoext.okta.com", 300},
{"accounts.saas.broadcomcloud.com", 3600},
{"api.sep.securitycloud.symantec.com", 86400},
{"api.sep.eu.securitycloud.symantec.com", 3600},
{"api.sep.in.securitycloud.symantec.com", 3600},
{"knowledge.broadcom.com", 3600},
{"support.broadcom.com", 300},
{"casupport.broadcom.com", 300},
{"login.broadcom.com", 3600},
{"ced.broadcom.com", 3600},
{"ratings-wrs.symantec.com", 3600},
{"api-gateway.symantec.com", 3600},
{"swupdate.brightmail.com", 3600},
{"licensing.dmas.symantec.com", 3600},
{"api.us.dmas.symantec.com", 300},
{"api.eu.dmas.symantec.com", 300},
}
// Tanium
var domains_tanium = []Pair{
{"content.tanium.com", 300},
{"docs-es.tanium.com", 300},
{"docs-fr.tanium.com", 300},
{"tanium.com", 300},
{"go2.tanium.com", 300},
{"learn.tanium.com", 300},
{"som.cloud.tanium.com", 60},
{"download.tanium.com", 300},
{"fnf-api.cloud.tanium.com", 60},
{"community.tanium.com", 300},
{"3.distribute.cloud.tanium.com", 300},
{"content.tanium.com", 300},
{"help.tanium.com", 300},
{"docs.tanium.com", 300},
{"moveit.tanium.com", 300},
{"kb.tanium.com", 300},
}
// Aurora
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
var domains_aurora = []Pair{
{"update-aurora.nextron-systems.com", 60},
{"update-102.nextron-systems.com", 60},
{"update-202.nextron-systems.com", 60},
{"update-201.nextron-systems.com", 60},
{"update-lite.nextron-systems.com", 60},
}
// Trend Micro
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
var domains_trendmicro = []Pair{
{"xdr.trendmicro.co.jp", 60},
{"files.trendmicro.com", 1800},
{"api.nacloud.trendmicro.com", 60},
{"cloudone.trendmicro.com", 60},
{"ddd53-p.activeupdate.trendmicro.com", 1800},
{"trenddefense.com", 300},
{"threatconnect.trendmicro.com", 1800},
{"api.sg.nacloud.trendmicro.com", 60},
{"trendmicro.com", 1800},
{"api.jp.nacloud.trendmicro.com", 60},
{"api.eu.nacloud.trendmicro.com", 60},
{"docs.trendmicro.com", 1800},
{"api.us.nacloud.trendmicro.com", 60},
{"ddd53-threatconnect.trendmicro.com", 1800},
{"licenseupdate.trendmicro.com", 1800},
{"xdr.trendmicro.com", 60},
}
// Rapid7 InsightIDR
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr
var domains_rapid7 = []Pair{
{"data.insight.rapid7.com", 60},
{"us2.data.insight.rapid7.com", 30},
{"us3.data.insight.rapid7.com", 30},
{"eu.data.insight.rapid7.com", 30},
{"ca.data.insight.rapid7.com", 30},
{"au.data.insight.rapid7.com", 30},
{"ap.data.insight.rapid7.com", 30},
{"endpoint.ingress.rapid7.com", 300},
{"us2.endpoint.ingress.rapid7.com", 300},
{"us3.endpoint.ingress.rapid7.com", 300},
{"eu.endpoint.ingress.rapid7.com", 300},
{"ca.endpoint.ingress.rapid7.com", 300},
{"au.endpoint.ingress.rapid7.com", 300},
{"ap.endpoint.ingress.rapid7.com", 300},
{"us.storage.endpoint.ingress.rapid7.com", 86400},
{"us.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us2.storage.endpoint.ingress.rapid7.com", 86400},
{"us2.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us3.storage.endpoint.ingress.rapid7.com", 86400},
{"us3.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"eu.storage.endpoint.ingress.rapid7.com", 86400}, // not certain
{"eu.bootstrap.endpoint.ingress.rapid7.com", 86400}, // not certain
{"ca.storage.endpoint.ingress.rapid7.com", 86400},
{"ca.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"au.storage.endpoint.ingress.rapid7.com", 86400},
{"au.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"ap.storage.endpoint.ingress.rapid7.com", 86400},
{"ap.bootstrap.endpoint.ingress.rapid7.com", 86400},
} }

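--- a/go.mod
+++ b/go.mod
@@ -1,13 +1,11 @@
 module patdown
-go 1.22.6
+go 1.21.0
-require github.com/miekg/dns v1.1.62
 require (
-golang.org/x/mod v0.18.0 // indirect
-golang.org/x/net v0.27.0 // indirect
-golang.org/x/sync v0.7.0 // indirect
-golang.org/x/sys v0.22.0 // indirect
-golang.org/x/tools v0.22.0 // indirect
+github.com/miekg/dns v1.1.57 // indirect
+golang.org/x/mod v0.12.0 // indirect
+golang.org/x/net v0.17.0 // indirect
+golang.org/x/sys v0.13.0 // indirect
+golang.org/x/tools v0.13.0 // indirect
 )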

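--- a/go.sum
+++ b/go.sum
@@ -1,12 +1,10 @@
-github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
-github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
-golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
-golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
-golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
+github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=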