Compare commits


12 Commits
v1.0 ... main

10 changed files with 919 additions and 520 deletions


@ -1,6 +1,63 @@
# patdown
> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.
<p align="center">
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
> Remotely predicts and identifies the presence of EDR/XDR solutions on networks
<p align="center">
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
</p>
## Abstract
patdown is an EDR/XDR fingerprinting utility used for remotely predicting defense mechanisms in use on a network.
This allows you to forecast the security posture of a network during the earliest stages of access, or even prior to any access at all.
Fingerprinting is achieved via the probing of DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` cached, chances are the *CrowdStrike Falcon* EDR solution is present on the network.
These DNS servers can be specified as arguments (most effective), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-d` flag.
> ⚠️ Authoritative nameservers are rarely used as egress resolvers for networks and are not as reliable for fingerprinting EDR/XDR, making them prone to false positives.
## Installation
Retrieve a binary corresponding to your architecture from **Releases**
*or*
`git clone https://github.com/speedboat/patdown.git ; cd patdown/cmd/patdown ; go build -o patdown main.go ; ./patdown -h`
## Usage
```
d | target fqdn (not as reliable, prone to false positives)
n | nameserver to query (can be specified multiple times)
v | enable verbosity [false]
t | threads [5]
s | delay between requests in milliseconds, per thread [250]
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
```
## Currently Identified Vendors/Solutions:
- [x] **CrowdStrike** Falcon
- [x] **Microsoft** Defender for Endpoint
- [x] **VMWare** Carbon Black
- [x] **Check Point** Harmony
- [x] **Cybereason** EDR
- [x] **Trellix** EDR
- [x] **Palo Alto Networks** Cortex XDR
- [x] **SentinelOne** Singularity
- [x] **Symantec** Endpoint Security
- [x] **Tanium** EDR
- [x] **Nextron** Aurora
- [x] **Trend Micro** Endpoint Sensor
- [x] **Rapid7** InsightIDR
- [ ] **ESET** Inspect
- [ ] **Harfanglab** EDR
- [ ] **Limacharlie** EDR
- [ ] **Elastic** Security
- [ ] **Qualys** EDR
- [ ] **Uptycs** XDR
- [ ] **WatchGuard** EDR


@ -1,151 +1,36 @@
package main
import (
"flag"
"fmt"
"time"
"patdown/common"
"github.com/miekg/dns"
)
type multiflag []string
type Pair struct {
Nameserver string
Domain string
}
func (m *multiflag) String() string {
return "irc.supernets.org #superbowl"
}
func (m *multiflag) Set(value string) error {
*m = append(*m, value)
return nil
}
var (
domain = flag.String("t", "", "")
workers = flag.Int("c", 100, "")
delay = flag.Int("s", 100, "")
nameserver multiflag
)
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
return msg
}
func query(q <-chan Pair, tracker chan<- interface{}) {
for pair := range q {
msg := message(pair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, pair.Nameserver+":53")
if err != nil {
common.Error(err.Error())
continue
}
if len(in.Answer) > 0 {
fmt.Printf("[%s] associated domain %s found on %s\n", common.Vendors[common.Domains[pair.Domain]], pair.Domain, pair.Nameserver)
}
time.Sleep(time.Duration(*delay) * time.Millisecond)
}
tracker <- 1337
}
func testns(ns string) error {
msg := message("supernets.org", dns.TypeA, false)
_, err := dns.Exchange(msg, ns+":53")
if err != nil {
return err
}
return nil
}
func testreq() bool {
msg := message("cloudflare.com", dns.TypeA, false)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func main() {
flag.Var(&nameserver, "n", "nameserver to query")
flag.Usage = common.Usage
flag.Parse()
var nameservers []string
pairs := make(chan Pair)
tracker := make(chan interface{})
common.LoadArgs()
var servers []string
common.Banner()
if *domain != "" {
// query domain for nameservers
nsmsg := message(*domain, dns.TypeNS, true)
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
if err != nil {
panic(err)
}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
nameservers = append(nameservers, ns.Ns)
}
}
} else if len(nameserver) > 0 {
for _, ns := range nameserver {
nameservers = append(nameservers, ns)
autodetect := common.Params.Domain != ""
if autodetect {
if servers = common.PullNS(common.Params.Domain); len(servers) == 0 {
common.Fatal("no nameservers found for " + common.Params.Domain)
}
common.Info(fmt.Sprintf("retrieved %s%d%s nameservers for %s", common.ColorGreen, len(servers), common.ColorReset, common.Params.Domain))
} else if len(common.Params.Nservers) > 0 {
servers = common.Params.Nservers
} else {
// print usage
common.Usage()
return
common.Fatal("provide a domain or nameservers to target")
}
if !testreq() {
common.Fatal("non-recursive queries are being refused, are you on a very dirty box or VPN?")
if !common.NeutralReq() {
common.Fatal("neutral dns check failed, are you on a dirty box or vpn?")
}
common.Info("aggregating nameservers...")
for i, ns := range nameservers {
if err := testns(ns); err != nil {
common.Error("nameserver " + ns + " is not responding")
nameservers = append(nameservers[:i], nameservers[i+1:]...)
}
valid := common.ParseNS(servers)
if len(valid) == 0 {
common.Fatal("no servers responded to trial probes, they're either down or they don't like your IP")
}
common.Info(fmt.Sprintf("snooping caches on %d resolvers...", len(nameservers)))
go func() {
for i := 0; i < *workers; i++ {
query(pairs, tracker)
}
}()
for _, ns := range nameservers {
for k, _ := range common.Domains {
pairs <- Pair{Nameserver: ns, Domain: k}
}
}
close(pairs)
for x := 0; x < *workers; x++ {
<-tracker
}
common.Takeoff(valid)
}
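Review bot: `autodetect := common.Params.Domain != ""` in the new main lets -d win silently when -n is also given, while Takeoff in common/exec.go treats that same combination as not autodetected (`Params.Domain != "" && len(Params.Nservers) == 0`), so the two files disagree about which servers are in play and whether recursive snooping should stop after the first one. Rejecting the combination up front keeps the later logic honest: `if common.Params.Domain != "" && len(common.Params.Nservers) > 0 { common.Fatal("use either -d or -n, not both") }` placed before the autodetect branch. This section prints old and new lines without markers; the `common.Params` lines are taken here as the new side. PullNS and Takeoff exit the process on their own failure paths, so main cannot surface those as one error; a short comment at the call sites would make that intentional rather than surprising.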

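--- a/common/args.go
+++ b/common/args.go
@@ -0,0 +1,39 @@
+package common
+import "flag"
+type multiflag []string
+type Config struct {
+Domain string
+Threads int
+Delay int
+Nservers []string
+Verbose bool
+}
+var (
+domain = flag.String("d", "", "")
+workers = flag.Int("t", 5, "")
+delay = flag.Int("s", 250, "")
+verbose = flag.Bool("v", false, "")
+nsarg multiflag
+Params Config
+)
+func (m *multiflag) String() string {
+return "front page maximum wage"
+}
+func (m *multiflag) Set(value string) error {
+*m = append(*m, value)
+return nil
+}
+func LoadArgs() {
+flag.Var(&nsarg, "n", "")
+flag.Usage = Usage
+flag.Parse()
+Params = Config{Domain: *domain, Threads: *workers, Delay: *delay, Nservers: nsarg, Verbose: *verbose}
+}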
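Review bot: LoadArgs stores -t and -s without validation, and a thread count of zero or less deadlocks the scan in common/exec.go, which starts `threads` workers and then sends on an unbuffered channel that nobody reads. Add a bounds check right after `flag.Parse()`: `if *workers < 1 { Fatal("-t must be at least 1") }` and `if *delay < 0 { Fatal("-s must not be negative") }`. `multiflag.String` returns `"front page maximum wage"`, which the flag package would print as the default of -n if the stock usage were ever reached; returning `strings.Join(*m, ",")` (with a strings import) or simply `""` is the conventional implementation. The exported Config, Params and LoadArgs carry no doc comments; a one-liner such as `// LoadArgs parses the command line and fills Params.` would do.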


@ -1,87 +0,0 @@
package common
import (
"fmt"
"os"
)
var (
ColorReset = "\033[0m"
ColorRed = "\033[31m"
ColorPurple = "\033[35m"
ColorLightBlue = "\033[34m"
ColorCyan = "\033[36m"
ColorGreen = "\033[32m"
ColorOrange = "\033[91m"
ColorGray = "\033[90m"
ColorYellow = "\033[93m"
)
func Banner() {
fmt.Printf(`%s
.------..------..------..------..------..------..------.
|%s%sP%s%s.--. ||%s%sA%s%s.--. ||%s%sT%s%s.--. ||%s%sD%s%s.--. ||%s%sO%s%s.--. ||%s%sW%s%s.--. ||%s%sN%s%s.--. |
| :/\: || (\/) || :/\: || :/\: || :/\: || :/\: || :(): |
| (__) || :\/: || (__) || (__) || :\/: || :\/: || ()() |
| '--'P|| '--'A|| '--'T|| '--'D|| '--'O|| '--'W|| '--'N|
'------''------''------''------''------''------''------'
%s%s sincerely,
~ delorean%s
`, ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset)
}
func Usage() {
fmt.Fprintf(os.Stderr, `patdown usage:
(%s-t%s) - target domain
(%s-n%s) - specific nameserver to snoop, can be multiple
(%s-c%s) - concurrent threads [%s100%s]
(%s-s%s) - delay between queries, per thread, in milliseconds [%s100%s]
%se.g.%s
patdown -t supernets.org
patdown -n ns1.supernets.org -n ns2.supernets.org
patdown -t supernets.org -c 50 -s 500
`, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset)
}
var Vendors = map[string]string{
"Microsoft Defender for Endpoint": "\033[34mMicrosoft Defender for Endpoint\033[0m",
"VMWare Carbon Black": "\033[36mVMware\033[0m \033[90mCarbon Black\033[0m",
"CrowdStrike Falcon": "\033[31mCrowdStrike\033[0m \033[1mFalcon\033[0m",
"CheckPoint Harmony": "\033[35mCheckPoint\033[0m \033[1mHarmony\033[0m",
"Cybereason": "\033[93mCybereason\033[0m",
"Trellix": "\033[32mTrellix\033[0m",
"Palo Alto Networks": "\033[91mPalo Alto Networks\033[0m",
"SentinelOne": "\033[35mSentinelOne\033[0m",
"Symantec": "\033[93mSymantec\033[0m",
"Tanium": "\033[31mTanium\033[0m",
"Nextron Aurora": "\033[36mNextron\033[0m \033[90mAurora\033[0m",
"Trend Micro": "\033[31mTrend\033[0m \033[1mMicro\033[0m",
}
func Success(msg string) {
fmt.Printf(" %s~+~%s %s\n", ColorGreen, ColorReset, msg)
}
func Info(msg string) {
fmt.Printf(" %s~i~%s %s\n", ColorCyan, ColorReset, msg)
}
func Warning(msg string) {
fmt.Printf(" %s~!~%s %s\n", ColorYellow, ColorReset, msg)
}
func Error(msg string) {
fmt.Printf(" %s~x~%s %s\n", ColorRed, ColorReset, msg)
}
func Fatal(msg string) {
fmt.Printf(" %s~f~%s %s\n", ColorRed, ColorReset, msg)
os.Exit(-1)
}

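--- a/common/exec.go
+++ b/common/exec.go
@@ -0,0 +1,96 @@
+package common
+import (
+"fmt"
+"os"
+)
+func scan(nameservers []Nameserver, threads, delay int, recursive, single bool) {
+queries := make(chan Query)
+tab := make(chan interface{})
+if !recursive {
+Info(fmt.Sprintf("performing non-recursive lookups against %d resolvers...", len(nameservers)))
+for i := 0; i < threads; i++ {
+go RunQuery(queries, tab, delay)
+}
+for _, ns := range nameservers {
+for vendor, domains := range Vendors {
+for _, domainpair := range domains {
+queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
+}
+}
+}
+} else {
+Warn("recursive snooping can only be done once, as it populates the nameserver's cache")
+Info(fmt.Sprintf("recursively snooping on %d resolvers...", len(nameservers)))
+for i := 0; i < threads; i++ {
+go RunQueryRA(queries, tab, delay)
+}
+if !single {
+for _, ns := range nameservers {
+for vendor, domains := range Vendors {
+for _, domainpair := range domains {
+queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
+}
+}
+}
+} else {
+for vendor, domains := range Vendors {
+for _, domainpair := range domains {
+queries <- Query{Nameserver: nameservers[0].Nameserver, Vendor: vendor, DomainPair: domainpair}
+}
+}
+}
+}
+close(queries)
+}
+func Takeoff(nameservers []Nameserver) {
+var nonrns, rns []Nameserver
+for _, ns := range nameservers {
+if ns.Recursive {
+rns = append(rns, ns)
+}
+if ns.NonRA {
+nonrns = append(nonrns, ns)
+}
+}
+if len(nonrns) == 0 && len(rns) == 0 {
+Fatal("no valid nameservers available for probing, they may be down or they don't like your IP")
+}
+recursive := false
+for {
+if !recursive {
+if len(nonrns) > 0 {
+scan(nonrns, Params.Threads, Params.Delay, false, false)
+} else {
+for {
+Info(fmt.Sprintf("non-recursive lookups not viable on these servers, perform recursive snooping? %s(less reliable, can only be done once per server)%s",
+ColorRed, ColorReset))
+fmt.Printf("%s `--(y/n):%s ", ColorCyan, ColorReset)
+var input string
+fmt.Scanln(&input)
+if input == "y" {
+recursive = true
+break
+}
+if input == "n" {
+os.Exit(0)
+}
+}
+continue
+}
+} else {
+autodetected := Params.Domain != "" && len(Params.Nservers) == 0
+scan(rns, Params.Threads, Params.Delay, true, autodetected)
+}
+}
+}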

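--- a/common/io.go
+++ b/common/io.go
@@ -0,0 +1,69 @@
+package common
+import (
+"fmt"
+"os"
+)
+var (
+ColorReset = "\033[0m"
+ColorRed = "\033[31m"
+ColorPurple = "\033[35m"
+ColorLightBlue = "\033[34m"
+ColorCyan = "\033[36m"
+ColorGreen = "\033[32m"
+ColorOrange = "\033[91m"
+ColorGray = "\033[90m"
+ColorYellow = "\033[93m"
+ColorWhite = "\033[97m"
+)
+func Usage() {
+Banner()
+fmt.Printf(`
+usage:
+%s!%s d | target fqdn (not recommended)
+%s!%s n | nameserver to query (can be specified multiple times)
+v | enable verbosity %s[false]%s
+t | threads %s[5]%s
+s | delay between requests in milliseconds, per thread %s[250]%s
+e.g.
+patdown -d target.network
+patdown -n egress.ns.target.network -n another.egress.ns.target.network
+patdown -n dc.target.network -v -t 25
+`, ColorRed, ColorReset, ColorRed, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset)
+}
+func Banner() {
+fmt.Fprintf(os.Stderr, `
+_______
+_/_ / ---' ____)____
+_ __. / __/ __ , , , ___ ______)
+/_)_(_/|_<__(_/_(_)(_(_/_/ <_ _______)
+/ _______)
+' ---.__________)
+`)
+}
+func Success(msg string) {
+fmt.Printf("%s[+]%s %s\n", ColorGreen, ColorReset, msg)
+}
+func Info(msg string) {
+fmt.Printf("%s[i]%s %s\n", ColorCyan, ColorReset, msg)
+}
+func Warn(msg string) {
+fmt.Printf("%s[!]%s %s\n", ColorYellow, ColorReset, msg)
+}
+func Error(msg string) {
+fmt.Printf("%s[x]%s %s\n", ColorRed, ColorReset, msg)
+}
+func Fatal(msg string) {
+fmt.Printf("%s[f]%s %s\n", ColorRed, ColorReset, msg)
+os.Exit(-1)
+}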
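Review bot: Error, Warn and Fatal write to stdout via `fmt.Printf` while Banner writes to stderr, so diagnostics are interleaved with the Success lines that carry the actual findings and cannot be separated by redirecting one stream; Usage does the reverse, printing help to stdout after a stderr banner. Writing the three diagnostic helpers as `fmt.Fprintf(os.Stderr, "%s[x]%s %s\n", ColorRed, ColorReset, msg)` (and likewise for `[!]` and `[f]`) keeps stdout to results. `os.Exit(-1)` yields exit status 255 on POSIX; `os.Exit(1)` is the conventional failure code. The ANSI sequences are also emitted unconditionally, so piped or logged output contains escape codes; gating them on a flag or a terminal check would help anyone saving results. None of the exported Color variables or helpers has a doc comment.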

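--- a/common/net.go
+++ b/common/net.go
@@ -0,0 +1,140 @@
+package common
+import (
+"fmt"
+"time"
+"github.com/miekg/dns"
+)
+type Query struct {
+Nameserver string
+Vendor string
+DomainPair Pair
+}
+type Nameserver struct {
+Nameserver string
+NonRA bool
+Recursive bool
+}
+func message(domain string, reqtype uint16, ra bool) *dns.Msg {
+msg := new(dns.Msg)
+msg.Id = dns.Id()
+msg.RecursionDesired = ra
+msg.Question = make([]dns.Question, 1)
+msg.Question[0] = dns.Question{
+Name: dns.Fqdn(domain),
+Qtype: reqtype,
+Qclass: dns.ClassINET,
+}
+return msg
+}
+func ParseNS(nameservers []string) []Nameserver {
+var valid []Nameserver
+msg := message("cloudflare.com", dns.TypeA, false)
+for _, ns := range nameservers {
+nonra, ra := false, false
+in, err := dns.Exchange(msg, ns+":53")
+if err != nil {
+Error(fmt.Sprintf("nameserver %s%s%s is not responding to the trial query", ColorGray, ns[0:len(ns)-1], ColorReset))
+continue
+}
+if in.Rcode == dns.RcodeRefused {
+Warn(fmt.Sprintf("nameserver %s%s%s refused the trial non-recursive query", ColorGray, ns[0:len(ns)-1], ColorReset))
+} else {
+Success(fmt.Sprintf("nameserver %s%s%s allows non-recursive queries", ColorGray, ns[0:len(ns)-1], ColorReset))
+nonra = true
+}
+if in.RecursionAvailable {
+Success(fmt.Sprintf("nameserver %s%s%s allows recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
+ra = true
+} else {
+Warn(fmt.Sprintf("nameserver %s%s%s does not allow recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
+}
+valid = append(valid, Nameserver{Nameserver: ns, NonRA: nonra, Recursive: ra})
+}
+return valid
+}
+func NeutralReq() bool {
+msg := message("supernets.org", dns.TypeA, true)
+in, err := dns.Exchange(msg, "1.1.1.1:53")
+if err != nil {
+return false
+}
+if len(in.Answer) > 0 {
+return true
+}
+return false
+}
+func PullNS(d string) []string {
+nsmsg := message(d, dns.TypeNS, true)
+in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
+if err != nil {
+Fatal("unable to retrieve nameservers for " + d)
+}
+nameservers := []string{}
+for _, ans := range in.Answer {
+ns, ok := ans.(*dns.NS)
+if ok {
+nameservers = append(nameservers, ns.Ns)
+}
+}
+return nameservers
+}
+func RunQuery(q <-chan Query, tracker chan<- interface{}, delay int) {
+for qdata := range q {
+if Params.Verbose {
+Info(fmt.Sprintf("querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
+}
+msg := message(qdata.DomainPair.Domain, dns.TypeA, false)
+in, err := dns.Exchange(msg, qdata.Nameserver+":53")
+if err != nil {
+Error(err.Error())
+continue
+}
+if len(in.Answer) > 0 {
+Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s",
+qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset))
+}
+time.Sleep(time.Duration(delay) * time.Millisecond)
+}
+tracker <- 1337
+}
+func RunQueryRA(q <-chan Query, tracker chan<- interface{}, delay int) {
+for qdata := range q {
+if Params.Verbose {
+Info(fmt.Sprintf("recursively querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
+}
+for x := 0; x < 2; x++ {
+msg := message(qdata.DomainPair.Domain, dns.TypeA, true)
+in, err := dns.Exchange(msg, qdata.Nameserver+":53")
+if err != nil {
+Error("hiccup on " + qdata.Nameserver[0:len(qdata.Nameserver)-1] + " while querying " + qdata.DomainPair.Domain)
+time.Sleep(2 * time.Second)
+continue
+}
+if len(in.Answer) > 0 {
+if in.Answer[0].Header().Ttl <= qdata.DomainPair.TTL-4 {
+Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s with decremented TTL of %s%d%s",
+qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset, ColorGreen, in.Answer[0].Header().Ttl, ColorReset))
+}
+}
+break
+}
+time.Sleep(time.Duration(delay) * time.Millisecond)
+}
+tracker <- 1337
+}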
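Review bot: `ns[0:len(ns)-1]` in ParseNS, and the matching `qdata.Nameserver[0:len(qdata.Nameserver)-1]` in RunQuery and RunQueryRA, assume every nameserver ends in a trailing dot, which holds for PullNS output (`ns.Ns`) but not for user-supplied -n values: `-n dc.target.network` is reported as `dc.target.networ`, and an empty `-n ""` panics with an index out of range. A small helper, `func display(ns string) string { return strings.TrimSuffix(ns, ".") }`, used at each of those sites (with a strings import) fixes both. `ns+":53"` also breaks for IPv6 literals; `net.JoinHostPort(ns, "53")` handles both address families. In RunQueryRA the `qdata.DomainPair.TTL-4` subtraction is on a uint32 and wraps for any Pair whose TTL is below 4; every TTL visible on this page is larger, so this is a guard to add rather than a live failure. NeutralReq, PullNS, ParseNS and the Run* workers are exported without doc comments.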


@ -1,287 +1,483 @@
package common
var Domains = map[string]string{
// Microsoft Defender for Endpoint
//https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
"security.microsoft.com": "Microsoft Defender for Endpoint",
"download.microsoft.com": "Microsoft Defender for Endpoint",
"ussus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus3eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus4eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus3westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussus4westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"usseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"usseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"ussuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"wsuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
"settings-win.data.microsoft.com": "Microsoft Defender for Endpoint",
"vortex-win.data.microsoft.com": "Microsoft Defender for Endpoint",
"go.microsoft.com": "Microsoft Defender for Endpoint",
"ctldl.windowsupdate.com": "Microsoft Defender for Endpoint",
"windowsupdate.com": "Microsoft Defender for Endpoint",
import "fmt"
// VMWare Carbon Black
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
"carbonblack.com": "VMWare Carbon Black",
"carbonblack.io": "VMWare Carbon Black",
"defense-eap01.conferdeploy.net": "VMWare Carbon Black",
"dashboard.confer.net": "VMWare Carbon Black",
"defense.conferdeploy.net": "VMWare Carbon Black",
"defense-prod05.conferdeploy.net": "VMWare Carbon Black",
"defense-eu.conferdeploy.net": "VMWare Carbon Black",
"defense-prodnrt.conferdeploy.net": "VMWare Carbon Black",
"defense-prodsyd.conferdeploy.net": "VMWare Carbon Black",
"ew2.carbonblackcloud.vmware.com": "VMWare Carbon Black",
"gprd1usgw1.carbonblack-us-gov.vmware.com": "VMWare Carbon Black",
"updates.cdc.carbonblack.io": "VMWare Carbon Black",
"updates2.cdc.carbonblack.io": "VMWare Carbon Black",
"carbonblack.vmware.com": "VMWare Carbon Black",
"console.cloud-us-gov.vmware.com": "VMWare Carbon Black",
"console.cloud.vmware.com": "VMWare Carbon Black",
// CrowdStrike Falcon
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
"crowdstrike.com": "CrowdStrike Falcon",
"ts01-b.cloudsink.net": "CrowdStrike Falcon",
"lfodown01-b.cloudsink.net": "CrowdStrike Falcon",
"lfoup01-b.cloudsink.net": "CrowdStrike Falcon",
"falcon.crowdstrike.com": "CrowdStrike Falcon",
"assets.falcon.crowdstrike.com": "CrowdStrike Falcon",
"assets-public.falcon.crowdstrike.com": "CrowdStrike Falcon",
"api.crowdstrike.com": "CrowdStrike Falcon",
"firehose.crowdstrike.com": "CrowdStrike Falcon",
"ts01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
"lfodown01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
"lfoup01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
"falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
"assets.falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
"assets-public.us-2.falcon.crowdstrike.com": "CrowdStrike Falcon",
"api.us-2.crowdstrike.com": "CrowdStrike Falcon",
"firehose.us-2.crowdstrike.com": "CrowdStrike Falcon",
"ts01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
"lfodown01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
"falcon.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
"api.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
"firehose.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
"ts01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
"lfodown01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
"api.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
"firehose.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
"ts01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
"lfodown01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
"lfoup01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
"assets.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
"assets-public.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
"api.eu-1.crowdstrike.com": "CrowdStrike Falcon",
"firehose.eu-1.crowdstrike.com": "CrowdStrike Falcon",
// Harmony / CheckPoint
// https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590
"checkpoint.com": "CheckPoint Harmony",
"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": "CheckPoint Harmony",
"europe-west1-datatube-240519.cloudfunctions.net": "CheckPoint Harmony",
"datatube-prod.azurewebsites.net": "CheckPoint Harmony",
"epmgmt.checkpoint.com": "CheckPoint Harmony",
"endpoint-cdn.epmgmt.checkpoint.com": "CheckPoint Harmony",
"ep-repo.epmgmt.checkpoint.com": "CheckPoint Harmony",
"epm-gw-eu.epmgmt.checkpoint.com": "CheckPoint Harmony",
"file-rep.iaas.checkpoint.com": "CheckPoint Harmony",
"url-rep.iaas.checkpoint.com": "CheckPoint Harmony",
"threatcloud.iaas.checkpoint.com": "CheckPoint Harmony",
"te.iaas.checkpoint.com": "CheckPoint Harmony",
"sba-data-collection.iaas.checkpoint.com": "CheckPoint Harmony",
"iaas.checkpoint.com": "CheckPoint Harmony",
"cws.checkpoint.com": "CheckPoint Harmony",
"rep.checkpoint.com": "CheckPoint Harmony",
"te.checkpoint.com": "CheckPoint Harmony",
"threat-emulation.checkpoint.com": "CheckPoint Harmony",
"kav8.checkpoint.com": "CheckPoint Harmony",
"secureupdates.checkpoint.com": "CheckPoint Harmony",
"sc1.checkpoint.com": "CheckPoint Harmony",
"updates.checkpoint.com": "CheckPoint Harmony",
"dl3.checkpoint.com": "CheckPoint Harmony",
"cloudinfra-gw.portal.checkpoint.com": "CheckPoint Harmony",
"gwevents.checkpoint.com": "CheckPoint Harmony",
"teadv.checkpoint.com": "CheckPoint Harmony",
"services.checkpoint.com": "CheckPoint Harmony",
// Cybereason
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
"cybereason.com": "Cybereason",
"probe-dist.cybereason.net": "Cybereason",
"data-epgw.cybereason.net": "Cybereason",
"probe-dist-eu-west-1.cybereason.net": "Cybereason",
"data-epgw-eu-west-1.cybereason.net": "Cybereason",
"probe-dist-asia-northeast-1.cybereason.net": "Cybereason",
"data-epgw-asia-northeast-1.cybereason.net": "Cybereason",
// FireEye / Trellix
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878
"api.manage.trellix.com": "Trellix",
"uam.api.trellix.com": "Trellix",
"cdn-usw001.manage.trellix.com": "Trellix",
"sw-usw001.manage.trellix.com": "Trellix",
"cdn-usw002.manage.trellix.com": "Trellix",
"sw-usw002.manage.trellix.com": "Trellix",
"cdn-usw003.manage.trellix.com": "Trellix",
"sw-usw003.manage.trellix.com": "Trellix",
"cdn-usw004.manage.trellix.com": "Trellix",
"sw-usw004.manage.trellix.com": "Trellix",
"cdn-sgp001.manage.trellix.com": "Trellix",
"sw-sgp001.manage.trellix.com": "Trellix",
"cdn-eu001.manage.trellix.com": "Trellix",
"sw-eu001.manage.trellix.com": "Trellix",
"cdn-au001.manage.trellix.com": "Trellix",
"sw-au001.manage.trellix.com": "Trellix",
"cdn-ind001.manage.trellix.com": "Trellix",
"sw-ind001.manage.trellix.com": "Trellix",
"cds-usw001.manage.trellix.com": "Trellix",
"cds-usw002.manage.trellix.com": "Trellix",
"cds-usw003.manage.trellix.com": "Trellix",
"cds-usw004.manage.trellix.com": "Trellix",
"dxl-usw001.manage.trellix.com": "Trellix",
"dxl-usw002.manage.trellix.com": "Trellix",
"dxl-usw003.manage.trellix.com": "Trellix",
"dxl-usw004.manage.trellix.com": "Trellix",
"dxlweb-usw001.manage.trellix.com": "Trellix",
"dxlweb-usw002.manage.trellix.com": "Trellix",
"dxlweb-usw003.manage.trellix.com": "Trellix",
"dxlweb-usw004.manage.trellix.com": "Trellix",
// Cortex XDR / Palo Alto Networks
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
"paloaltonetworks.com": "Palo Alto Networks",
"lrc-us.paloaltonetworks.com": "Palo Alto Networks",
"lrc-eu.paloaltonetworks.com": "Palo Alto Networks",
"lrc-ca.paloaltonetworks.com": "Palo Alto Networks",
"lrc-uk.paloaltonetworks.com": "Palo Alto Networks",
"lrc-jp.paloaltonetworks.com": "Palo Alto Networks",
"lrc-sg.paloaltonetworks.com": "Palo Alto Networks",
"lrc-au.paloaltonetworks.com": "Palo Alto Networks",
"lrc-de.paloaltonetworks.com": "Palo Alto Networks",
"lrc-in.paloaltonetworks.com": "Palo Alto Networks",
"lrc-ch.paloaltonetworks.com": "Palo Alto Networks",
"lrc-pl.paloaltonetworks.com": "Palo Alto Networks",
"lrc-tw.paloaltonetworks.com": "Palo Alto Networks",
"lrc-qt.paloaltonetworks.com": "Palo Alto Networks",
"lrc-fa.paloaltonetworks.com": "Palo Alto Networks",
"panw-xdr-evr-prod-us.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-eu.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-ca.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-uk.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-jp.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-sg.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-au.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-de.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-in.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-ch.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-pl.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-tw.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-qt.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-evr-prod-fa.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-installers-prod-us.storage.googleapis.com": "Palo Alto Networks",
"panw-xdr-payloads-prod-us.storage.googleapis.com": "Palo Alto Networks",
"global-content-profiles-policy.storage.googleapis.com": "Palo Alto Networks",
"login.paloaltonetworks.com": "Palo Alto Networks",
"pendo-static-5664029141630976.storage.googleapis.com": "Palo Alto Networks",
// Singularity / SentinelOne
"sentinelone.com": "SentinelOne",
"xdr.intus1.sentinelone.net": "SentinelOne",
"console.mobile.sentinelone.net": "SentinelOne",
"content.mobile.sentinelone.net": "SentinelOne",
"device-api.mobile.sentinelone.net": "SentinelOne",
"eu1-acceptor.mobile.sentinelone.net": "SentinelOne",
"eu1-console.mobile.sentinelone.net": "SentinelOne",
"eu1-content.mobile.sentinelone.net": "SentinelOne",
"eu1-device-api.mobile.sentinelone.net": "SentinelOne",
"eu1-oauth.mobile.sentinelone.net": "SentinelOne",
"eu1-panel.mobile.sentinelone.net": "SentinelOne",
"eu1-qi.mobile.sentinelone.net": "SentinelOne",
"eu1-token.mobile.sentinelone.net": "SentinelOne",
"eu1-vpc.mobile.sentinelone.net": "SentinelOne",
"ut.sentinelone.net": "SentinelOne",
"oauth.mobile.sentinelone.net": "SentinelOne",
"panel.mobile.sentinelone.net": "SentinelOne",
// Symantec / Broadcom
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
"symantec.com": "Symantec",
"remotetunnel1.edrc.symantec.com": "Symantec",
"remotetunnel2.edrc.symantec.com": "Symantec",
"remotetunnel3.edrc.symantec.com": "Symantec",
"remotetunnel4.edrc.symantec.com": "Symantec",
"remotetunnel5.edrc.symantec.com": "Symantec",
"api-gateway.symantec.com": "Symantec",
"liveupdate.symantec.com": "Symantec",
"ratings-wrs.symantec.com": "Symantec",
"stnd-avpg.crsi.symantec.com": "Symantec",
"stnd-ipsg.crsi.symantec.com": "Symantec",
"central.b6.crsi.symantec.com": "Symantec",
"bash-avpg.crsi.symantec.com": "Symantec",
"swupdate.brightmail.com": "Symantec",
"shasta-rrs.symantec.com": "Symantec",
"shasta-mrs.symantec.com": "Symantec",
"datafeedapi.symanteccloud.com": "Symantec",
"telemetry.broadcom.com": "Symantec",
"sso1.edrc.symantec.com": "Symantec",
// Tanium
"tanium.com": "Tanium",
"shared.prd-int-manage.mdm.cloud.tanium.com": "Tanium",
"shared.prd-int.mdm.cloud.tanium.com": "Tanium",
"shared.prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
"shared.prd-us-1.mdm.cloud.tanium.com": "Tanium",
"prd-int-manage.mdm.cloud.tanium.com": "Tanium",
"prd-int.mdm.cloud.tanium.com": "Tanium",
"prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
"prd-us-1.mdm.cloud.tanium.com": "Tanium",
"prd.mdm.cloud.tanium.com": "Tanium",
"jp.tanium.com": "Tanium",
"docs-es.tanium.com": "Tanium",
"docs-fr.tanium.com": "Tanium",
"docs-ko.tanium.com": "Tanium",
// Aurora
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
"update-102.nextron-systems.com": "Nextron Aurora",
"update-201.nextron-systems.com": "Nextron Aurora",
"update-202.nextron-systems.com": "Nextron Aurora",
"update-aurora.nextron-systems.com": "Nextron Aurora",
"update-lite.nextron-systems.com": "Nextron Aurora",
// Trend Micro
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
"api.eu.nacloud.trendmicro.com": "Trend Micro",
"api.jp.nacloud.trendmicro.com": "Trend Micro",
"api.sg.nacloud.trendmicro.com": "Trend Micro",
"api.us.nacloud.trendmicro.com": "Trend Micro",
"docs.trendmicro.com": "Trend Micro",
"licenseupdate.trendmicro.com": "Trend Micro",
"api.nacloud.trendmicro.com": "Trend Micro",
"trendmicro.com": "Trend Micro",
"files.trendmicro.com": "Trend Micro",
"xdr.trendmicro.com": "Trend Micro",
"xdr.trendmicro.co.jp": "Trend Micro",
"trenddefense.com": "Trend Micro",
"ddd53-p.activeupdate.trendmicro.com": "Trend Micro",
"ddd53-threatconnect.trendmicro.com": "Trend Micro",
"threatconnect.trendmicro.com": "Trend Micro",
"cloudone.trendmicro.com": "Trend Micro",
type Pair struct {
Domain string
TTL uint32
}
var Vendors = map[string][]Pair{
fmt.Sprintf("%sMicrosoft Defender for Endpoint%s", ColorCyan, ColorReset): domains_microsoft,
fmt.Sprintf("%sVMWare%s Carbon Black%s", ColorCyan, ColorGray, ColorReset): domains_carbonblack,
fmt.Sprintf("%sCrowdStrike Falcon%s", ColorRed, ColorReset): domains_crowdstrike,
fmt.Sprintf("%sCheck Point Harmony%s", ColorPurple, ColorReset): domains_checkpoint,
fmt.Sprintf("%sCybereason%s", ColorYellow, ColorReset): domains_cybereason,
fmt.Sprintf("%sTrellix%s", ColorCyan, ColorReset): domains_trellix,
fmt.Sprintf("%sCortex XDR%s", ColorOrange, ColorReset): domains_paloalto,
fmt.Sprintf("%sSentinelOne Singularity%s", ColorPurple, ColorReset): domains_sentinelone,
fmt.Sprintf("%sSymantec Endpoint Security%s", ColorYellow, ColorReset): domains_symantec,
fmt.Sprintf("%sTanium%s", ColorRed, ColorReset): domains_tanium,
fmt.Sprintf("%sNextron%s Aurora%s", ColorCyan, ColorGreen, ColorReset): domains_aurora,
fmt.Sprintf("%sTrend Micro Endpoint Sensor%s", ColorRed, ColorReset): domains_trendmicro,
fmt.Sprintf("%sRapid7%s InsightIDR", ColorOrange, ColorReset): domains_rapid7,
}
// Microsoft Defender for Endpoint
// https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
var domains_microsoft = []Pair{
{"download.microsoft.com", 3600}, // not certain
{"go.microsoft.com", 3600}, // not certain
{"security.microsoft.com", 3600},
{"settings-win.data.microsoft.com", 3600}, // not certain
{"windowsupdate.com", 300},
{"ctldl.windowsupdate.com", 3600}, // not certain
{"wdcp.microsoft.com", 3600},
{"wd.microsoft.com", 300},
{"wdcpalt.microsoft.com", 3600},
{"checkappexec.microsoft.com", 3600}, // not certain
{"smartscreen-prod.microsoft.com", 3600},
{"vortex-win.data.microsoft.com", 120},
{"update.microsoft.com", 3600}, // not certain
{"download.windowsupdate.com", 3600}, // not certain
{"definitionupdates.microsoft.com", 3600},
// {"delivery.mp.microsoft.com", 0},
// {"fe3cr.delivery.mp.microsoft.com", 0},
{"ussus2westprod.blob.core.windows.net", 60},
{"ussus1westprod.blob.core.windows.net", 60},
{"wsus2westprod.blob.core.windows.net", 60},
{"wseu1northprod.blob.core.windows.net", 60},
{"wsus2eastprod.blob.core.windows.net", 60},
{"ussus3westprod.blob.core.windows.net", 60},
{"wsus1eastprod.blob.core.windows.net", 60},
{"wsuk1westprod.blob.core.windows.net", 60},
{"ussus2eastprod.blob.core.windows.net", 60},
{"usseu1northprod.blob.core.windows.net", 60},
{"wsus1westprod.blob.core.windows.net", 60},
{"usseu1westprod.blob.core.windows.net", 60},
{"ussus1eastprod.blob.core.windows.net", 60},
{"ussuk1westprod.blob.core.windows.net", 60},
{"ussus4eastprod.blob.core.windows.net", 60},
{"wseu1westprod.blob.core.windows.net", 60},
{"ussuk1southprod.blob.core.windows.net", 60},
{"ussus3eastprod.blob.core.windows.net", 60},
{"ussus4westprod.blob.core.windows.net", 60},
{"wsuk1southprod.blob.core.windows.net", 60},
}
// VMWare Carbon Black
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
// https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.8.0/cb-edr-scm-guide/GUID-3117FB54-5D0F-46C1-8372-BF3784D27CFF.html
// restricted: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-Ports-must-be-opened-on-the-Firewall-and-Proxy/ta-p/36295
var domains_carbonblack = []Pair{
{"defense-prod05.conferdeploy.net", 60},
{"console.cloud.vmware.com", 60},
{"updates2.cdc.carbonblack.io", 300},
{"dashboard.confer.net", 300},
{"console.cloud-us-gov.vmware.com", 300},
{"ew2.carbonblackcloud.vmware.com", 30},
{"defense.conferdeploy.net", 60},
{"carbonblack.io", 60},
{"carbonblack.vmware.com", 86400},
{"defense-prodnrt.conferdeploy.net", 60},
{"updates.cdc.carbonblack.io", 60},
{"gprd1usgw1.carbonblack-us-gov.vmware.com", 3600},
{"defense-prodsyd.conferdeploy.net", 60},
{"carbonblack.com", 300},
{"defense-eap01.conferdeploy.net", 60},
{"defense-eu.conferdeploy.net", 60},
{"api.alliance.carbonblack.com", 600},
{"api2.alliance.carbonblack.com", 600},
{"threatintel.bit9.com", 3600},
{"yum.distro.carbonblack.io", 300},
}
// CrowdStrike Falcon
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
var domains_crowdstrike = []Pair{
{"falcon.us-2.crowdstrike.com", 120},
{"falcon.crowdstrike.com", 60},
{"ts01-gyr-maverick.cloudsink.net", 60},
// {"us-gov-2.crowdstrike.com", 0},
{"api.crowdstrike.com", 300},
{"ts01-b.cloudsink.net", 1800},
// {"firehose.us-gov-2.crowdstrike.com", 0},
{"assets.falcon.eu-1.crowdstrike.com", 120},
{"api.eu-1.crowdstrike.com", 60},
{"lfodown01-b.cloudsink.net", 1800},
{"assets-public.falcon.crowdstrike.com", 60},
{"assets.falcon.us-2.crowdstrike.com", 120},
{"api.us-2.crowdstrike.com", 120},
{"assets-public.us-2.falcon.crowdstrike.com", 120},
{"firehose.laggar.gcw.crowdstrike.com", 60},
{"ts01-lanner-lion.cloudsink.net", 60},
{"lfoup01-lanner-lion.cloudsink.net", 1800},
{"assets-public.falcon.eu-1.crowdstrike.com", 120},
{"crowdstrike.com", 300},
{"lfoup01-gyr-maverick.cloudsink.net", 1800},
{"lfoup01-b.cloudsink.net", 1800},
{"ts01-laggar-gcw.cloudsink.net", 60},
{"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com", 60},
{"ts01-us-gov-2.cloudsink.net", 1800},
{"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com", 60},
{"assets.falcon.crowdstrike.com", 60},
{"lfodown01-lanner-lion.cloudsink.net", 60},
{"falcon.laggar.gcw.crowdstrike.com", 60},
{"firehose.us-2.crowdstrike.com", 120},
{"firehose.eu-1.crowdstrike.com", 120},
{"lfodown01-laggar-gcw.cloudsink.net", 60},
{"api.laggar.gcw.crowdstrike.com", 60},
{"lfodown01-gyr-maverick.cloudsink.net", 60},
{"lfodown01-us-gov-2.cloudsink.net", 1800},
{"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com", 60},
{"firehose.crowdstrike.com", 300},
{"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com", 60},
}
// Harmony / CheckPoint
// https://support.checkpoint.com/results/sk/sk116590
var domains_checkpoint = []Pair{
{"rep.checkpoint.com", 1800},
{"threat-emulation.checkpoint.com", 1800},
{"sc1.checkpoint.com", 1800},
{"gwevents.checkpoint.com", 300},
{"gwevents.us.checkpoint.com", 180},
{"endpoint-cdn.epmgmt.checkpoint.com", 300},
// {"checkpoint.com", 25}, <- dynamic ttl
{"kav8.checkpoint.com", 1800},
{"cloudinfra-gw.portal.checkpoint.com", 60},
{"datatube-prod.azurewebsites.net", 30},
{"updates.checkpoint.com", 1800},
{"ep-repo.epmgmt.checkpoint.com", 300},
{"file-rep.iaas.checkpoint.com", 60},
{"threatcloud.iaas.checkpoint.com", 60},
{"dl3.checkpoint.com", 1800},
{"secureupdates.checkpoint.com", 1800},
{"epm-gw-eu.epmgmt.checkpoint.com", 86400},
{"url-rep.iaas.checkpoint.com", 60},
{"te.iaas.checkpoint.com", 60},
{"services.checkpoint.com", 1800},
{"europe-west1-datatube-240519.cloudfunctions.net", 300},
{"cws.checkpoint.com", 1800},
{"teadv.checkpoint.com", 1800},
{"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net", 300},
{"te.checkpoint.com", 1800},
{"hap2.epmgmt.checkpoint.com", 300},
{"hap21.epmgmt.checkpoint.com", 300},
{"hap5.epmgmt.checkpoint.com", 300},
{"hap51.epmgmt.checkpoint.com", 300},
{"hap1.epmgmt.checkpoint.com", 300},
{"hap11.epmgmt.checkpoint.com", 300},
{"hap3.epmgmt.checkpoint.com", 300},
{"hap31.epmgmt.checkpoint.com", 300},
{"hap4.epmgmt.checkpoint.com", 300},
{"hap41.epmgmt.checkpoint.com", 300},
{"ftp-proxy.checkpoint.com", 1800},
{"web-rep.checkpoint.com", 1800},
}
// Cybereason
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
var domains_cybereason = []Pair{
{"data-epgw-eu-west-1.cybereason.net", 300},
{"probe-dist-asia-northeast-1.cybereason.net", 60},
{"data-epgw-asia-northeast-1.cybereason.net", 300},
{"probe-dist.cybereason.net", 300},
{"probe-dist-eu-west-1.cybereason.net", 300},
{"probe-dist-dns.cybereason.net", 3600},
{"data-epgw.cybereason.net", 300},
{"cybereason.com", 600},
}
// FireEye / Trellix
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878
var domains_trellix = []Pair{
{"epo.trellix.com", 300},
{"s-download.trellix.com", 300},
{"lc.trellix.com", 300},
{"manage.trellix.com", 60},
{"cds-usw001.manage.trellix.com", 60},
{"cdn-usw002.manage.trellix.com", 60},
{"cdn-usw001.manage.trellix.com", 60},
{"cdn-usw003.manage.trellix.com", 60},
{"auth.ui.trellix.com", 60},
{"uam.api.trellix.com", 60},
{"api.manage.trellix.com", 60},
{"cds-usw002.manage.trellix.com", 60},
{"trellix.com", 60},
{"dxlweb-usw001.manage.trellix.com", 60},
{"cds-usw003.manage.trellix.com", 60},
{"cdn-sgp001.manage.trellix.com", 60},
{"dxlweb-usw002.manage.trellix.com", 60},
{"cdn-ind001.manage.trellix.com", 60},
{"dxl-usw002.manage.trellix.com", 60},
{"dxl-usw001.manage.trellix.com", 60},
{"dxlweb-usw003.manage.trellix.com", 60},
{"cds-usw004.manage.trellix.com", 60},
{"cdn-au001.manage.trellix.com", 60},
{"dxlweb-usw004.manage.trellix.com", 60},
{"cdn-usw004.manage.trellix.com", 60},
{"dxl-usw004.manage.trellix.com", 60},
{"dxl-usw003.manage.trellix.com", 60},
{"cdn-eu001.manage.trellix.com", 60},
{"iam.cloud.trellix.com", 10},
{"iam-rs.cloud.trellix.com", 10},
{"gsd.cloud.trellix.com", 10},
{"d2c-us-west-2.manage.trellix.com", 60},
{"d2c-eu-central-1.manage.trellix.com", 60},
{"dxlweb-sgp001.manage.trellix.com", 60},
{"dxl-sgp001.manage.trellix.com", 60},
{"dxl-eu001.manage.trellix.com", 60},
{"dxlweb-eu001.manage.trellix.com", 60},
{"dxl-au001.manage.trellix.com", 60},
{"dxlweb-au001.manage.trellix.com", 60},
{"dxl-ind001.manage.trellix.com", 60},
{"dxlweb-ind001.manage.trellix.com", 60},
{"ui-usw001.manage.trellix.com", 60},
{"ui-usw002.manage.trellix.com", 60},
{"ui-usw003.manage.trellix.com", 60},
{"ui-usw004.manage.trellix.com", 60},
{"ui-sgp001.manage.trellix.com", 60},
{"ui-eu001.manage.trellix.com", 60},
{"ui-au001.manage.trellix.com", 60},
{"ui-ind001.manage.trellix.com", 60},
{"ah-usw001.manage.trellix.com", 60},
{"ah-usw002.manage.trellix.com", 60},
{"ah-usw003.manage.trellix.com", 60},
{"ah-usw004.manage.trellix.com", 60},
{"ah-sgp001.manage.trellix.com", 60},
{"ah-eu001.manage.trellix.com", 60},
{"ah-au001.manage.trellix.com", 60},
{"ah-ind001.manage.trellix.com", 60},
}
// Cortex XDR / Palo Alto Networks
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
var domains_paloalto = []Pair{
{"panw-xdr-evr-prod-au.storage.googleapis.com", 300},
{"lrc-eu.paloaltonetworks.com", 14400},
{"global-content-profiles-policy.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-uk.storage.googleapis.com", 300},
{"lrc-ch.paloaltonetworks.com", 14400},
{"lrc-jp.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-qt.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-pl.storage.googleapis.com", 300},
{"pendo-static-5664029141630976.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-sg.storage.googleapis.com", 300},
{"lrc-uk.paloaltonetworks.com", 14400},
{"lrc-us.paloaltonetworks.com", 14400},
{"lrc-tw.paloaltonetworks.com", 1800},
{"panw-xdr-evr-prod-eu.storage.googleapis.com", 300},
{"lrc-ca.paloaltonetworks.com", 14400},
{"paloaltonetworks.com", 30},
// {"lrc-fa.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-in.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-fa.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-ca.storage.googleapis.com", 300},
{"lrc-pl.paloaltonetworks.com", 14400},
{"lrc-qt.paloaltonetworks.com", 300},
{"panw-xdr-evr-prod-us.storage.googleapis.com", 300},
{"lrc-de.paloaltonetworks.com", 300},
{"panw-xdr-installers-prod-us.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-ch.storage.googleapis.com", 300},
{"lrc-in.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-de.storage.googleapis.com", 300},
{"lrc-au.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-tw.storage.googleapis.com", 300},
{"login.paloaltonetworks.com", 14400},
{"lrc-sg.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-jp.storage.googleapis.com", 300},
{"panw-xdr-payloads-prod-us.storage.googleapis.com", 300},
{"distributions.traps.paloaltonetworks.com", 300},
{"distributions-prod-fed.traps.paloaltonetworks.com", 300},
{"cortex-gateway.paloaltonetworks.com", 30},
{"gw-app-proxy.us.paloaltonetworks.com", 300},
{"xdr-ova-installers-prod-us.storage.googleapis.com", 300},
{"identity.paloaltonetworks.com", 300},
{"identity.gslb.paloaltonetworks.com", 5},
{"identity.gcp.gslb.paloaltonetworks.com", 5},
{"lrc-fed.paloaltonetworks.com", 14400},
{"panw-xdr-installers-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-payloads-prod-fr.storage.googleapis.com", 300},
{"global-content-profiles-policy-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-fr.storage.googleapis.com", 300},
{"app-proxy.federal.paloaltonetworks.com", 300},
}
// Singularity / SentinelOne
var domains_sentinelone = []Pair{
{"eu1-oauth.mobile.sentinelone.net", 300},
{"eu1-qi.mobile.sentinelone.net", 300},
{"console.mobile.sentinelone.net", 300},
{"sentinelone.com", 300},
{"eu1-console.mobile.sentinelone.net", 300},
{"eu1-content.mobile.sentinelone.net", 300},
{"panel.mobile.sentinelone.net", 300},
{"oauth.mobile.sentinelone.net", 300},
{"xdr.intus1.sentinelone.net", 60},
{"eu1-device-api.mobile.sentinelone.net", 300},
{"eu1-vpc.mobile.sentinelone.net", 300},
{"eu1-acceptor.mobile.sentinelone.net", 300},
{"login.sentinelone.net", 300},
{"device-api.mobile.sentinelone.net", 300},
{"eu1-panel.mobile.sentinelone.net", 300},
{"eu1-token.mobile.sentinelone.net", 300},
{"content.mobile.sentinelone.net", 300},
{"ut.sentinelone.net", 300},
}
// Symantec / Broadcom
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Getting-Started/urls-to-whitelist-for-v129099891-d4155e9710.html
var domains_symantec = []Pair{
{"liveupdate.symantec.com", 3600},
{"liveupdate.symantecliveupdate.com", 600},
{"shasta-rrs.symantec.com", 1800},
{"ent-shasta-rrs.symantec.com", 1800},
{"ent-shasta-mr-clean.symantec.com", 1800},
{"symantec.com", 600},
{"sp.cwfservice.net", 600},
{"us.spoc.securitycloud.symantec.com", 600},
{"eu.spoc.securitycloud.symantec.com", 600},
{"in.spoc.securitycloud.symantec.com", 3600},
{"telemetry.broadcom.com", 3600},
{"tses.broadcom.com", 30},
{"central.b6.crsi.symantec.com", 1800},
{"central.ss.crsi.symantec.com", 1800},
{"central.nrsi.symantec.com", 1800},
{"central.avsi.symantec.com", 1800},
{"central.crsi.symantec.com", 1800},
{"shasta-mrs.symantec.com", 1800},
{"shasta-clt.symantec.com", 1800},
{"stnd-avpg.crsi.symantec.com", 1800},
{"avs-avpg.crsi.symantec.com", 1800},
{"stnd-ipsg.crsi.symantec.com ", 1800},
{"bash-avpg.crsi.symantec.com", 1800},
{"tus1gwynwapex01.symantec.com", 3600},
{"pod.threatpulse.com", 120},
{"faults.qalabs.symantec.com", 1800},
{"faults.symantec.com", 1800},
{"linux-repo-us.securityalliance.cloud", 86400},
{"usea1.r3.securitycloud.symantec.com", 3600},
{"euws1.r3.securitycloud.symantec.com", 3600},
{"inso1.r3.securitycloud.symantec.com", 3600},
{"datafeedapi.symanteccloud.com", 300},
{"us.spoc.securitycloud.symantec.com", 600},
{"eu.spoc.securitycloud.symantec.com ", 600},
{"in.spoc.securitycloud.symantec.com", 3600},
{"uploads.sep.securitycloud.symantec.com", 3600},
{"uploads.sep.eu.securitycloud.symantec.com ", 3600},
{"uploads.sep.in.securitycloud.symantec.com", 3600},
{"ws.securitycloud.symantec.com", 600},
{"bds.securitycloud.symantec.com", 600},
{"ws.eu.securitycloud.symantec.com", 3600},
{"bds.eu.securitycloud.symantec.com", 3600},
{"ws.in.securitycloud.symantec.com ", 3600},
{"bds.in.securitycloud.symantec.com", 3600},
{"cdn.sepmobile.securitycloud.symantec.com", 300},
{"mitm.sepmobile.securitycloud.symantec.com", 300},
{"services-prod.symantec.com", 600},
{"sep.securitycloud.symantec.com", 3600},
{"sep.eu.securitycloud.symantec.com", 3600},
{"sep.in.securitycloud.symantec.com", 3600},
{"avagoext.okta.com", 300},
{"accounts.saas.broadcomcloud.com", 3600},
{"api.sep.securitycloud.symantec.com", 86400},
{"api.sep.eu.securitycloud.symantec.com", 3600},
{"api.sep.in.securitycloud.symantec.com", 3600},
{"knowledge.broadcom.com", 3600},
{"support.broadcom.com", 300},
{"casupport.broadcom.com", 300},
{"login.broadcom.com", 3600},
{"ced.broadcom.com", 3600},
{"ratings-wrs.symantec.com", 3600},
{"api-gateway.symantec.com", 3600},
{"swupdate.brightmail.com", 3600},
{"licensing.dmas.symantec.com", 3600},
{"api.us.dmas.symantec.com", 300},
{"api.eu.dmas.symantec.com", 300},
}
// Tanium
var domains_tanium = []Pair{
{"content.tanium.com", 300},
{"docs-es.tanium.com", 300},
{"docs-fr.tanium.com", 300},
{"tanium.com", 300},
{"go2.tanium.com", 300},
{"learn.tanium.com", 300},
{"som.cloud.tanium.com", 60},
{"download.tanium.com", 300},
{"fnf-api.cloud.tanium.com", 60},
{"community.tanium.com", 300},
{"3.distribute.cloud.tanium.com", 300},
{"content.tanium.com", 300},
{"help.tanium.com", 300},
{"docs.tanium.com", 300},
{"moveit.tanium.com", 300},
{"kb.tanium.com", 300},
}
// Aurora
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
var domains_aurora = []Pair{
{"update-aurora.nextron-systems.com", 60},
{"update-102.nextron-systems.com", 60},
{"update-202.nextron-systems.com", 60},
{"update-201.nextron-systems.com", 60},
{"update-lite.nextron-systems.com", 60},
}
// Trend Micro
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
var domains_trendmicro = []Pair{
{"xdr.trendmicro.co.jp", 60},
{"files.trendmicro.com", 1800},
{"api.nacloud.trendmicro.com", 60},
{"cloudone.trendmicro.com", 60},
{"ddd53-p.activeupdate.trendmicro.com", 1800},
{"trenddefense.com", 300},
{"threatconnect.trendmicro.com", 1800},
{"api.sg.nacloud.trendmicro.com", 60},
{"trendmicro.com", 1800},
{"api.jp.nacloud.trendmicro.com", 60},
{"api.eu.nacloud.trendmicro.com", 60},
{"docs.trendmicro.com", 1800},
{"api.us.nacloud.trendmicro.com", 60},
{"ddd53-threatconnect.trendmicro.com", 1800},
{"licenseupdate.trendmicro.com", 1800},
{"xdr.trendmicro.com", 60},
}
// Rapid7 InsightIDR
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr
var domains_rapid7 = []Pair{
{"data.insight.rapid7.com", 60},
{"us2.data.insight.rapid7.com", 30},
{"us3.data.insight.rapid7.com", 30},
{"eu.data.insight.rapid7.com", 30},
{"ca.data.insight.rapid7.com", 30},
{"au.data.insight.rapid7.com", 30},
{"ap.data.insight.rapid7.com", 30},
{"endpoint.ingress.rapid7.com", 300},
{"us2.endpoint.ingress.rapid7.com", 300},
{"us3.endpoint.ingress.rapid7.com", 300},
{"eu.endpoint.ingress.rapid7.com", 300},
{"ca.endpoint.ingress.rapid7.com", 300},
{"au.endpoint.ingress.rapid7.com", 300},
{"ap.endpoint.ingress.rapid7.com", 300},
{"us.storage.endpoint.ingress.rapid7.com", 86400},
{"us.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us2.storage.endpoint.ingress.rapid7.com", 86400},
{"us2.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us3.storage.endpoint.ingress.rapid7.com", 86400},
{"us3.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"eu.storage.endpoint.ingress.rapid7.com", 86400}, // not certain
{"eu.bootstrap.endpoint.ingress.rapid7.com", 86400}, // not certain
{"ca.storage.endpoint.ingress.rapid7.com", 86400},
{"ca.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"au.storage.endpoint.ingress.rapid7.com", 86400},
{"au.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"ap.storage.endpoint.ingress.rapid7.com", 86400},
{"ap.bootstrap.endpoint.ingress.rapid7.com", 86400},
}

14
go.mod

@ -1,11 +1,13 @@
module patdown
go 1.21.0
go 1.22.6
require github.com/miekg/dns v1.1.62
require (
github.com/miekg/dns v1.1.57 // indirect
golang.org/x/mod v0.12.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/tools v0.13.0 // indirect
golang.org/x/mod v0.18.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.22.0 // indirect
golang.org/x/tools v0.22.0 // indirect
)

22
go.sum

@ -1,10 +1,12 @@
github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=