Compare commits


6 Commits
v1.1 ... main

11 changed files with 901 additions and 662 deletions


@ -1,42 +1,63 @@
# patdown
> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.
> Remotely predicts and identifies the presence of EDR/XDR solutions on networks
<p align="center">
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
</p>
## Abstract
Patdown probes a network's DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
patdown is an EDR/XDR fingerprinting utility used for remotely predicting defense mechanisms in use on a network.
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` in its cache, chances are the '*CrowdStrike Falcon*' EDR solution is present somewhere on the network.
This allows you to forecast the security posture of a network during the earliest stages of access, or even prior to any access at all.
These DNS servers can be specified as arguments (the preferred way), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-t` flag.
Fingerprinting is achieved via the probing of DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
⚠️ Authoritative nameservers are rarely used as egress recursive resolvers for networks and are not as efficacious for fingerprinting for EDR/XDR.
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` cached, chances are the *CrowdStrike Falcon* EDR solution is present on the network.
These DNS servers can be specified as arguments (most effective), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-d` flag.
> ⚠️ Authoritative nameservers are rarely used as egress resolvers for networks and are not as reliable for fingerprinting EDR/XDR, making them prone to false positives.
## Installation
Retrieve a binary corresponding to your architecture from **Releases**
*or*
`git clone https://git.supernets.org/delorean/patdown.git && cd patdown/cmd/patdown && go build -o patdown main.go && ./patdown`
`git clone https://github.com/speedboat/patdown.git ; cd patdown/cmd/patdown ; go build -o patdown main.go ; ./patdown -h`
## Usage
**Help**
```
d | target fqdn (not as reliable, prone to false positives)
n | nameserver to query (can be specified multiple times)
v | enable verbosity [false]
t | threads [5]
s | delay between requests in milliseconds, per thread [250]
`patdown -h`
e.g.
patdown -d target.network
patdown -n egress.ns.target.network -n another.egress.ns.target.network
patdown -n dc.target.network -v -t 25
```
**Target specific resolvers**
`patdown -n ns1.target.resolver -n ns2.another.target.resolver`
**Automatically snoop authoritative nameservers**
`patdown -t supernets.org`
- - - -
this is for christian purposes
## Currently Identified Vendors/Solutions:
- [x] **CrowdStrike** Falcon
- [x] **Microsoft** Defender for Endpoint
- [x] **VMWare** Carbon Black
- [x] **Check Point** Harmony
- [x] **Cybereason** EDR
- [x] **Trellix** EDR
- [x] **Palo Alto Networks** Cortex XDR
- [x] **SentinelOne** Singularity
- [x] **Symantec** Endpoint Security
- [x] **Tanium** EDR
- [x] **Nextron** Aurora
- [x] **Trend Micro** Endpoint Sensor
- [x] **Rapid7** InsightIDR
- [ ] **ESET** Inspect
- [ ] **Harfanglab** EDR
- [ ] **Limacharlie** EDR
- [ ] **Elastic** Security
- [ ] **Qualys** EDR
- [ ] **Uptycs** XDR
- [ ] **WatchGuard** EDR


@ -1,60 +1,36 @@
package main
import (
"flag"
"fmt"
"patdown/common"
)
type multiflag []string
func (m *multiflag) String() string {
return "irc.supernets.org #superbowl"
}
func (m *multiflag) Set(value string) error {
*m = append(*m, value)
return nil
}
var (
domain = flag.String("t", "", "")
workers = flag.Int("c", 100, "")
delay = flag.Int("s", 50, "")
nsarg multiflag
)
func main() {
flag.Var(&nsarg, "n", "")
flag.Usage = common.Usage
flag.Parse()
common.LoadArgs()
var servers []string
common.Banner()
if *domain != "" {
common.Info("aggregating nameservers...")
common.PullNS(*domain)
} else if len(nsarg) > 0 {
for _, ns := range nsarg {
common.Nameservers = append(common.Nameservers, ns)
autodetect := common.Params.Domain != ""
if autodetect {
if servers = common.PullNS(common.Params.Domain); len(servers) == 0 {
common.Fatal("no nameservers found for " + common.Params.Domain)
}
common.Info(fmt.Sprintf("retrieved %s%d%s nameservers for %s", common.ColorGreen, len(servers), common.ColorReset, common.Params.Domain))
} else if len(common.Params.Nservers) > 0 {
servers = common.Params.Nservers
} else {
common.Usage()
return
common.Fatal("provide a domain or nameservers to target")
}
common.Verify()
common.Run(false, *workers, *delay)
if !common.Found {
if len(common.Recursive) > 0 {
common.Warning("no associated domains found, attempting recursive snooping...")
common.Run(true, *workers, *delay)
}
if !common.NeutralReq() {
common.Fatal("neutral dns check failed, are you on a dirty box or vpn?")
}
if !common.Found {
common.Error("no associated domains retrieved")
valid := common.ParseNS(servers)
if len(valid) == 0 {
common.Fatal("no servers responded to trial probes, they're either down or they don't like your IP")
}
common.Takeoff(valid)
}
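Review bot: When both `-d` and `-n` are supplied, the `autodetect` branch wins and the `-n` servers are silently dropped, yet `Takeoff` in common/exec.go computes `autodetected` as `Params.Domain != "" && len(Params.Nservers) == 0`, so the two files disagree about which mode is active. Rejecting the combination up front keeps them consistent, e.g. `if common.Params.Domain != "" && len(common.Params.Nservers) > 0 { common.Fatal("specify either -d or -n, not both") }` right after `common.LoadArgs()`. The rendered page has lost the +/- markers, so this assumes the `common.Params` lines are the new side.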

39
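--- /dev/null
+++ b/common/args.go
@@ -0,0 +1,39 @@
+package common
+import "flag"
+type multiflag []string
+type Config struct {
+Domain string
+Threads int
+Delay int
+Nservers []string
+Verbose bool
+}
+var (
+domain = flag.String("d", "", "")
+workers = flag.Int("t", 5, "")
+delay = flag.Int("s", 250, "")
+verbose = flag.Bool("v", false, "")
+nsarg multiflag
+Params Config
+)
+func (m *multiflag) String() string {
+return "front page maximum wage"
+}
+func (m *multiflag) Set(value string) error {
+*m = append(*m, value)
+return nil
+}
+func LoadArgs() {
+flag.Var(&nsarg, "n", "")
+flag.Usage = Usage
+flag.Parse()
+Params = Config{Domain: *domain, Threads: *workers, Delay: *delay, Nservers: nsarg, Verbose: *verbose}
+}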
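Review bot: `LoadArgs` copies `-t` and `-s` into `Params` without range checks, so `-t 0` or a negative value starts no workers in `scan` and the first send on the unbuffered `queries` channel blocks with no receiver. A guard after `flag.Parse()` such as `if *workers < 1 || *delay < 0 { Fatal("threads must be >= 1 and delay >= 0") }` fails fast instead. The exported `Config`, `Params` and `LoadArgs` also have no doc comments; `// LoadArgs parses the command line into Params and must be called once before Params is read.` would record the ordering that `main` relies on.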


@ -1,88 +0,0 @@
package common
import (
"fmt"
"os"
)
var (
ColorReset = "\033[0m"
ColorRed = "\033[31m"
ColorPurple = "\033[35m"
ColorLightBlue = "\033[34m"
ColorCyan = "\033[36m"
ColorGreen = "\033[32m"
ColorOrange = "\033[91m"
ColorGray = "\033[90m"
ColorYellow = "\033[93m"
)
func Banner() {
fmt.Printf(`%s
.------..------..------..------..------..------..------.
|%s%sP%s%s.--. ||%s%sA%s%s.--. ||%s%sT%s%s.--. ||%s%sD%s%s.--. ||%s%sO%s%s.--. ||%s%sW%s%s.--. ||%s%sN%s%s.--. |
| :/\: || (\/) || :/\: || :/\: || :/\: || :/\: || :(): |
| (__) || :\/: || (__) || (__) || :\/: || :\/: || ()() |
| '--'P|| '--'A|| '--'T|| '--'D|| '--'O|| '--'W|| '--'N|
'------''------''------''------''------''------''------'
%s%s sincerely,
~ delorean%s
`, ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset)
}
func Usage() {
fmt.Fprintf(os.Stderr, `patdown usage:
(%s-t%s) - target domain
(%s-n%s) - specific nameserver to snoop, can be multiple
(%s-c%s) - concurrent threads [%s100%s]
(%s-s%s) - delay between queries, per thread, in milliseconds [%s100%s]
%se.g.%s
patdown -t supernets.org
patdown -n ns1.supernets.org -n ns2.supernets.org
patdown -t supernets.org -c 50 -s 500
`, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset)
}
var Vendors = map[string]string{
"Microsoft Defender for Endpoint": "\033[34mMicrosoft Defender for Endpoint\033[0m",
"VMWare Carbon Black": "\033[36mVMware\033[0m \033[90mCarbon Black\033[0m",
"CrowdStrike Falcon": "\033[31mCrowdStrike\033[0m \033[1mFalcon\033[0m",
"CheckPoint Harmony": "\033[35mCheckPoint\033[0m \033[1mHarmony\033[0m",
"Cybereason": "\033[93mCybereason\033[0m",
"Trellix": "\033[32mTrellix\033[0m",
"Palo Alto Networks": "\033[91mPalo Alto Networks\033[0m",
"SentinelOne": "\033[35mSentinelOne\033[0m",
"Symantec": "\033[93mSymantec\033[0m",
"Tanium": "\033[31mTanium\033[0m",
"Nextron Aurora": "\033[36mNextron\033[0m \033[90mAurora\033[0m",
"Trend Micro": "\033[31mTrend\033[0m \033[1mMicro\033[0m",
"Rapid7 InsightIDR": "\033[97mRapid\033[0m\033[91m7\033[0m \033[97mInsightIDR\033[0m",
}
func Success(msg string) {
fmt.Printf(" %s~+~%s %s\n", ColorGreen, ColorReset, msg)
}
func Info(msg string) {
fmt.Printf(" %s~i~%s %s\n", ColorCyan, ColorReset, msg)
}
func Warning(msg string) {
fmt.Printf(" %s~!~%s %s\n", ColorYellow, ColorReset, msg)
}
func Error(msg string) {
fmt.Printf(" %s~x~%s %s\n", ColorRed, ColorReset, msg)
}
func Fatal(msg string) {
fmt.Printf(" %s~f~%s %s\n", ColorRed, ColorReset, msg)
os.Exit(-1)
}


@ -1,174 +0,0 @@
package common
import (
"fmt"
"time"
"github.com/miekg/dns"
)
type Pair struct {
Nameserver string
Domain string
}
var (
Nameservers, Valid, Recursive []string
Found bool
)
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
return msg
}
func ParseNS(nservers []string) ([]string, []string) {
var valid, recursive []string
msg := message("supernets.org", dns.TypeA, false)
for _, ns := range nservers {
in, err := dns.Exchange(msg, ns+":53")
if err != nil {
Error("nameserver " + ns + " is not responding")
continue
}
if in.Rcode == dns.RcodeRefused {
Warning("nameserver " + ns + " refused the test query, non-recursive snooping may not be viable")
}
if in.RecursionAvailable {
Success("nameserver " + ns + " is recursive")
recursive = append(recursive, ns)
}
valid = append(valid, ns)
}
return valid, recursive
}
func TestReq() bool {
msg := message("cloudflare.com", dns.TypeA, false)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func PullNS(d string) {
nsmsg := message(d, dns.TypeNS, true)
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
if err != nil {
Fatal("unable to retrieve nameservers for " + d)
}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
Nameservers = append(Nameservers, ns.Ns)
}
}
}
func Verify() {
if !TestReq() {
Error("neutral non-recursive query was refused, are you on a vpn or dirty box?")
}
Success("neutral non-recursive test query succeeded")
Valid, Recursive = ParseNS(Nameservers)
Info(fmt.Sprintf("%d/%d nameservers are recursive", len(Recursive), len(Valid)))
if len(Valid) == 0 {
Fatal("no valid nameservers available")
}
}
func Query(q <-chan Pair, tracker chan<- interface{}, delay int) {
for pair := range q {
msg := message(pair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, pair.Nameserver+":53")
if err != nil {
Error(err.Error())
continue
}
if len(in.Answer) > 0 {
Found = true
fmt.Printf("[%s] associated domain %s found on %s\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver)
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}
func QueryRA(q <-chan Pair, tracker chan<- interface{}, delay int) {
for pair := range q {
msg := message(pair.Domain, dns.TypeA, true)
for x := 0; x < 3; x++ {
in, err := dns.Exchange(msg, pair.Nameserver+":53")
if err != nil {
Error("hiccup on " + pair.Nameserver + " retrying...")
time.Sleep(1 * time.Second)
continue
}
if len(in.Answer) > 0 {
Found = true
if in.Answer[0].Header().Ttl != Domains[pair.Domain].TTL {
fmt.Printf("[%s] associated domain %s found on %s with mismatched TTL of %d\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver, in.Answer[0].Header().Ttl)
}
break
}
}
time.Sleep(time.Duration(delay) * time.Millisecond)
}
tracker <- 1337
}
func Run(ra bool, threads, delay int) {
pairs := make(chan Pair)
tracker := make(chan interface{})
if !ra {
// non-recursive snoop
Info(fmt.Sprintf("non-recursive snooping on %d resolvers...\n", len(Valid)))
go func() {
for i := 0; i < threads; i++ {
Query(pairs, tracker, delay)
}
}()
for _, ns := range Valid {
for k, _ := range Domains {
pairs <- Pair{Nameserver: ns, Domain: k}
}
}
close(pairs)
} else {
Info(fmt.Sprintf("recursively snooping on %d resolvers...\n", len(Recursive)))
go func() {
for i := 0; i < threads; i++ {
QueryRA(pairs, tracker, delay)
}
}()
for _, ns := range Recursive {
for k, _ := range Domains {
pairs <- Pair{Nameserver: ns, Domain: k}
}
}
close(pairs)
}
for x := 0; x < threads; x++ {
<-tracker
}
}

96
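--- /dev/null
+++ b/common/exec.go
@@ -0,0 +1,96 @@
+package common
+import (
+"fmt"
+"os"
+)
+func scan(nameservers []Nameserver, threads, delay int, recursive, single bool) {
+queries := make(chan Query)
+tab := make(chan interface{})
+if !recursive {
+Info(fmt.Sprintf("performing non-recursive lookups against %d resolvers...", len(nameservers)))
+for i := 0; i < threads; i++ {
+go RunQuery(queries, tab, delay)
+}
+for _, ns := range nameservers {
+for vendor, domains := range Vendors {
+for _, domainpair := range domains {
+queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
+}
+}
+}
+} else {
+Warn("recursive snooping can only be done once, as it populates the nameserver's cache")
+Info(fmt.Sprintf("recursively snooping on %d resolvers...", len(nameservers)))
+for i := 0; i < threads; i++ {
+go RunQueryRA(queries, tab, delay)
+}
+if !single {
+for _, ns := range nameservers {
+for vendor, domains := range Vendors {
+for _, domainpair := range domains {
+queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
+}
+}
+}
+} else {
+for vendor, domains := range Vendors {
+for _, domainpair := range domains {
+queries <- Query{Nameserver: nameservers[0].Nameserver, Vendor: vendor, DomainPair: domainpair}
+}
+}
+}
+}
+close(queries)
+}
+func Takeoff(nameservers []Nameserver) {
+var nonrns, rns []Nameserver
+for _, ns := range nameservers {
+if ns.Recursive {
+rns = append(rns, ns)
+}
+if ns.NonRA {
+nonrns = append(nonrns, ns)
+}
+}
+if len(nonrns) == 0 && len(rns) == 0 {
+Fatal("no valid nameservers available for probing, they may be down or they don't like your IP")
+}
+recursive := false
+for {
+if !recursive {
+if len(nonrns) > 0 {
+scan(nonrns, Params.Threads, Params.Delay, false, false)
+} else {
+for {
+Info(fmt.Sprintf("non-recursive lookups not viable on these servers, perform recursive snooping? %s(less reliable, can only be done once per server)%s",
+ColorRed, ColorReset))
+fmt.Printf("%s `--(y/n):%s ", ColorCyan, ColorReset)
+var input string
+fmt.Scanln(&input)
+if input == "y" {
+recursive = true
+break
+}
+if input == "n" {
+os.Exit(0)
+}
+}
+continue
+}
+} else {
+autodetected := Params.Domain != "" && len(Params.Nservers) == 0
+scan(rns, Params.Threads, Params.Delay, true, autodetected)
+}
+}
+}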
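Review bot: `scan` never receives from `tab`, so it returns right after `close(queries)` while workers may still be handling their last query, and each worker then blocks forever on `tracker <- 1337`. Draining the channel before returning restores the wait: `for i := 0; i < threads; i++ { <-tab }` after `close(queries)` (a `sync.WaitGroup` would be the more idiomatic form). As rendered here, the outer `for` in `Takeoff` also has no `break` or `return` after either `scan` call, so the scan repeats indefinitely, which contradicts the "can only be done once" warning printed for recursive mode. The `fmt.Scanln` error is ignored as well, so a closed stdin makes the y/n prompt spin.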

69
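--- /dev/null
+++ b/common/io.go
@@ -0,0 +1,69 @@
+package common
+import (
+"fmt"
+"os"
+)
+var (
+ColorReset = "\033[0m"
+ColorRed = "\033[31m"
+ColorPurple = "\033[35m"
+ColorLightBlue = "\033[34m"
+ColorCyan = "\033[36m"
+ColorGreen = "\033[32m"
+ColorOrange = "\033[91m"
+ColorGray = "\033[90m"
+ColorYellow = "\033[93m"
+ColorWhite = "\033[97m"
+)
+func Usage() {
+Banner()
+fmt.Printf(`
+usage:
+%s!%s d | target fqdn (not recommended)
+%s!%s n | nameserver to query (can be specified multiple times)
+v | enable verbosity %s[false]%s
+t | threads %s[5]%s
+s | delay between requests in milliseconds, per thread %s[250]%s
+e.g.
+patdown -d target.network
+patdown -n egress.ns.target.network -n another.egress.ns.target.network
+patdown -n dc.target.network -v -t 25
+`, ColorRed, ColorReset, ColorRed, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset)
+}
+func Banner() {
+fmt.Fprintf(os.Stderr, `
+_______
+_/_ / ---' ____)____
+_ __. / __/ __ , , , ___ ______)
+/_)_(_/|_<__(_/_(_)(_(_/_/ <_ _______)
+/ _______)
+' ---.__________)
+`)
+}
+func Success(msg string) {
+fmt.Printf("%s[+]%s %s\n", ColorGreen, ColorReset, msg)
+}
+func Info(msg string) {
+fmt.Printf("%s[i]%s %s\n", ColorCyan, ColorReset, msg)
+}
+func Warn(msg string) {
+fmt.Printf("%s[!]%s %s\n", ColorYellow, ColorReset, msg)
+}
+func Error(msg string) {
+fmt.Printf("%s[x]%s %s\n", ColorRed, ColorReset, msg)
+}
+func Fatal(msg string) {
+fmt.Printf("%s[f]%s %s\n", ColorRed, ColorReset, msg)
+os.Exit(-1)
+}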
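Review bot: `Error` and `Fatal` print to stdout with `fmt.Printf`, so failures are mixed into result output and disappear when stdout is piped, while `Banner` already writes to `os.Stderr`. Suggest `fmt.Fprintf(os.Stderr, "%s[x]%s %s\n", ColorRed, ColorReset, msg)` in `Error` and the same change in `Fatal`, together with `os.Exit(1)` instead of `os.Exit(-1)`, which the shell reports as 255. The colour values never change and could be a `const` block rather than mutable package-level `var`s.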

140
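--- /dev/null
+++ b/common/net.go
@@ -0,0 +1,140 @@
+package common
+import (
+"fmt"
+"time"
+"github.com/miekg/dns"
+)
+type Query struct {
+Nameserver string
+Vendor string
+DomainPair Pair
+}
+type Nameserver struct {
+Nameserver string
+NonRA bool
+Recursive bool
+}
+func message(domain string, reqtype uint16, ra bool) *dns.Msg {
+msg := new(dns.Msg)
+msg.Id = dns.Id()
+msg.RecursionDesired = ra
+msg.Question = make([]dns.Question, 1)
+msg.Question[0] = dns.Question{
+Name: dns.Fqdn(domain),
+Qtype: reqtype,
+Qclass: dns.ClassINET,
+}
+return msg
+}
+func ParseNS(nameservers []string) []Nameserver {
+var valid []Nameserver
+msg := message("cloudflare.com", dns.TypeA, false)
+for _, ns := range nameservers {
+nonra, ra := false, false
+in, err := dns.Exchange(msg, ns+":53")
+if err != nil {
+Error(fmt.Sprintf("nameserver %s%s%s is not responding to the trial query", ColorGray, ns[0:len(ns)-1], ColorReset))
+continue
+}
+if in.Rcode == dns.RcodeRefused {
+Warn(fmt.Sprintf("nameserver %s%s%s refused the trial non-recursive query", ColorGray, ns[0:len(ns)-1], ColorReset))
+} else {
+Success(fmt.Sprintf("nameserver %s%s%s allows non-recursive queries", ColorGray, ns[0:len(ns)-1], ColorReset))
+nonra = true
+}
+if in.RecursionAvailable {
+Success(fmt.Sprintf("nameserver %s%s%s allows recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
+ra = true
+} else {
+Warn(fmt.Sprintf("nameserver %s%s%s does not allow recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
+}
+valid = append(valid, Nameserver{Nameserver: ns, NonRA: nonra, Recursive: ra})
+}
+return valid
+}
+func NeutralReq() bool {
+msg := message("supernets.org", dns.TypeA, true)
+in, err := dns.Exchange(msg, "1.1.1.1:53")
+if err != nil {
+return false
+}
+if len(in.Answer) > 0 {
+return true
+}
+return false
+}
+func PullNS(d string) []string {
+nsmsg := message(d, dns.TypeNS, true)
+in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
+if err != nil {
+Fatal("unable to retrieve nameservers for " + d)
+}
+nameservers := []string{}
+for _, ans := range in.Answer {
+ns, ok := ans.(*dns.NS)
+if ok {
+nameservers = append(nameservers, ns.Ns)
+}
+}
+return nameservers
+}
+func RunQuery(q <-chan Query, tracker chan<- interface{}, delay int) {
+for qdata := range q {
+if Params.Verbose {
+Info(fmt.Sprintf("querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
+}
+msg := message(qdata.DomainPair.Domain, dns.TypeA, false)
+in, err := dns.Exchange(msg, qdata.Nameserver+":53")
+if err != nil {
+Error(err.Error())
+continue
+}
+if len(in.Answer) > 0 {
+Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s",
+qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset))
+}
+time.Sleep(time.Duration(delay) * time.Millisecond)
+}
+tracker <- 1337
+}
+func RunQueryRA(q <-chan Query, tracker chan<- interface{}, delay int) {
+for qdata := range q {
+if Params.Verbose {
+Info(fmt.Sprintf("recursively querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
+}
+for x := 0; x < 2; x++ {
+msg := message(qdata.DomainPair.Domain, dns.TypeA, true)
+in, err := dns.Exchange(msg, qdata.Nameserver+":53")
+if err != nil {
+Error("hiccup on " + qdata.Nameserver[0:len(qdata.Nameserver)-1] + " while querying " + qdata.DomainPair.Domain)
+time.Sleep(2 * time.Second)
+continue
+}
+if len(in.Answer) > 0 {
+if in.Answer[0].Header().Ttl <= qdata.DomainPair.TTL-4 {
+Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s with decremented TTL of %s%d%s",
+qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset, ColorGreen, in.Answer[0].Header().Ttl, ColorReset))
+}
+}
+break
+}
+time.Sleep(time.Duration(delay) * time.Millisecond)
+}
+tracker <- 1337
+}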
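Review bot: The display form `ns[0:len(ns)-1]` in `ParseNS` (and `qdata.Nameserver[0:len(qdata.Nameserver)-1]` in `RunQuery` and `RunQueryRA`) assumes a trailing dot, which holds for names returned by `PullNS` but not for values passed with `-n`, which `main` forwards unchanged. For those the last character of the name is cut from the output, and an empty `-n ""` panics with a slice-bounds error. `strings.TrimSuffix(ns, ".")` handles both cases and needs `"strings"` added to the import block. Separately, `qdata.DomainPair.TTL-4` is unsigned, so a table TTL below 4 would wrap around and flag every answer; the `Pair` table is not fully visible here, so that is worth confirming.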


@ -1,327 +1,483 @@
package common
type DomInfo struct {
Vendor string
import "fmt"
type Pair struct {
Domain string
TTL uint32
}
var Domains = map[string]DomInfo{
// Microsoft Defender for Endpoint
//https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
"ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"download.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
"go.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1600}, // dynamic
"ussus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"wseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus3westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
"usseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"usseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 980},
"ussus4eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120},
"wseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
"ussus3eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus4westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
// VMWare Carbon Black
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
"defense-prod05.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"console.cloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"updates2.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"dashboard.confer.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
"console.cloud-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
"ew2.carbonblackcloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
"defense.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"carbonblack.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600},
"defense-prodnrt.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"updates.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"gprd1usgw1.carbonblack-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600},
"defense-prodsyd.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"carbonblack.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
"defense-eap01.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"defense-eu.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
// CrowdStrike Falcon
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
"falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"ts01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 900},
"api.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
"ts01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"firehose.us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"assets.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"api.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"lfodown01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"assets-public.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"assets.falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"api.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"assets-public.us-2.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"firehose.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"ts01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"lfoup01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"assets-public.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
"lfoup01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"lfoup01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"ts01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"ts01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"assets.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"lfodown01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"falcon.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"firehose.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"firehose.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"lfodown01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"api.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"lfodown01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"lfodown01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"firehose.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
// Harmony / CheckPoint
// https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590
"rep.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"threat-emulation.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900},
"sc1.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"gwevents.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"gwevents.us.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 180},
"endpoint-cdn.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
"checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 39},
"iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900},
"kav8.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"cloudinfra-gw.portal.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"datatube-prod.azurewebsites.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 30},
"updates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"ep-repo.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
"file-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"threatcloud.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"dl3.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"secureupdates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"epm-gw-eu.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 86400},
"url-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"te.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"services.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"europe-west1-datatube-240519.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
"cws.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"teadv.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
"te.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
// Cybereason
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
"data-epgw-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 60},
"data-epgw-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"data-epgw.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"cybereason.com": DomInfo{Vendor: "Cybereason", TTL: 300},
// FireEye / Trellix
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878
"manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 900},
"cds-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"auth.ui.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"uam.api.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cds-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 300},
"dxlweb-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cds-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxlweb-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxlweb-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cds-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxlweb-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
// Cortex XDR / Palo Alto Networks
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
"panw-xdr-evr-prod-au.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-eu.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"global-content-profiles-policy.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-uk.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-ch.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-jp.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-evr-prod-qt.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-pl.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"pendo-static-5664029141630976.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-sg.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-uk.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-tw.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 1800},
"panw-xdr-evr-prod-eu.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-ca.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
"lrc-fa.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
"panw-xdr-evr-prod-in.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-fa.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-ca.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-pl.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-qt.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-de.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-ch.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-in.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-evr-prod-de.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-au.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-evr-prod-tw.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"login.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-sg.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-evr-prod-jp.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-payloads-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
// Singularity / SentinelOne
"eu1-oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-qi.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"sentinelone.com": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"xdr.intus1.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 60},
"eu1-device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-vpc.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-acceptor.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"login.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-token.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"ut.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
// Symantec / Broadcom
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
"remotetunnel5.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"remotetunnel1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"remotetunnel3.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"bash-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"remotetunnel2.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"central.b6.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"stnd-ipsg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"datafeedapi.symanteccloud.com": DomInfo{Vendor: "Symantec", TTL: 300},
"stnd-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"shasta-rrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"remotetunnel4.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"liveupdate.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"sso1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"shasta-mrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"telemetry.broadcom.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"ratings-wrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"api-gateway.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"swupdate.brightmail.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
// Tanium
"docs-es.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"docs-ko.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"shared.prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"prd.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"jp.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"docs-fr.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"shared.prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"shared.prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"shared.prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
// Aurora
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
"update-aurora.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-102.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-202.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-201.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-lite.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
// Trend Micro
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
"xdr.trendmicro.co.jp": DomInfo{Vendor: "Trend Micro", TTL: 60},
"files.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"api.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"cloudone.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"ddd53-p.activeupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"trenddefense.com": DomInfo{Vendor: "Trend Micro", TTL: 300},
"threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"api.sg.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"api.jp.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"api.eu.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"docs.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"api.us.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"ddd53-threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"licenseupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"xdr.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
// Rapid7 InsightIDR
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr
"data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 60},
"us2.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
"us3.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
"eu.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
"ca.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
"au.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
"ap.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
"endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
"us2.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
"us3.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
"eu.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
"ca.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
"au.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
"ap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
"us.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"us.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"us2.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"us2.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"us3.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"us3.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"eu.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"eu.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"ca.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"ca.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"au.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"au.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"ap.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
"ap.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
var Vendors = map[string][]Pair{
fmt.Sprintf("%sMicrosoft Defender for Endpoint%s", ColorCyan, ColorReset): domains_microsoft,
fmt.Sprintf("%sVMWare%s Carbon Black%s", ColorCyan, ColorGray, ColorReset): domains_carbonblack,
fmt.Sprintf("%sCrowdStrike Falcon%s", ColorRed, ColorReset): domains_crowdstrike,
fmt.Sprintf("%sCheck Point Harmony%s", ColorPurple, ColorReset): domains_checkpoint,
fmt.Sprintf("%sCybereason%s", ColorYellow, ColorReset): domains_cybereason,
fmt.Sprintf("%sTrellix%s", ColorCyan, ColorReset): domains_trellix,
fmt.Sprintf("%sCortex XDR%s", ColorOrange, ColorReset): domains_paloalto,
fmt.Sprintf("%sSentinelOne Singularity%s", ColorPurple, ColorReset): domains_sentinelone,
fmt.Sprintf("%sSymantec Endpoint Security%s", ColorYellow, ColorReset): domains_symantec,
fmt.Sprintf("%sTanium%s", ColorRed, ColorReset): domains_tanium,
fmt.Sprintf("%sNextron%s Aurora%s", ColorCyan, ColorGreen, ColorReset): domains_aurora,
fmt.Sprintf("%sTrend Micro Endpoint Sensor%s", ColorRed, ColorReset): domains_trendmicro,
fmt.Sprintf("%sRapid7%s InsightIDR", ColorOrange, ColorReset): domains_rapid7,
}
// Microsoft Defender for Endpoint
// https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
var domains_microsoft = []Pair{
{"download.microsoft.com", 3600}, // not certain
{"go.microsoft.com", 3600}, // not certain
{"security.microsoft.com", 3600},
{"settings-win.data.microsoft.com", 3600}, // not certain
{"windowsupdate.com", 300},
{"ctldl.windowsupdate.com", 3600}, // not certain
{"wdcp.microsoft.com", 3600},
{"wd.microsoft.com", 300},
{"wdcpalt.microsoft.com", 3600},
{"checkappexec.microsoft.com", 3600}, // not certain
{"smartscreen-prod.microsoft.com", 3600},
{"vortex-win.data.microsoft.com", 120},
{"update.microsoft.com", 3600}, // not certain
{"download.windowsupdate.com", 3600}, // not certain
{"definitionupdates.microsoft.com", 3600},
// {"delivery.mp.microsoft.com", 0},
// {"fe3cr.delivery.mp.microsoft.com", 0},
{"ussus2westprod.blob.core.windows.net", 60},
{"ussus1westprod.blob.core.windows.net", 60},
{"wsus2westprod.blob.core.windows.net", 60},
{"wseu1northprod.blob.core.windows.net", 60},
{"wsus2eastprod.blob.core.windows.net", 60},
{"ussus3westprod.blob.core.windows.net", 60},
{"wsus1eastprod.blob.core.windows.net", 60},
{"wsuk1westprod.blob.core.windows.net", 60},
{"ussus2eastprod.blob.core.windows.net", 60},
{"usseu1northprod.blob.core.windows.net", 60},
{"wsus1westprod.blob.core.windows.net", 60},
{"usseu1westprod.blob.core.windows.net", 60},
{"ussus1eastprod.blob.core.windows.net", 60},
{"ussuk1westprod.blob.core.windows.net", 60},
{"ussus4eastprod.blob.core.windows.net", 60},
{"wseu1westprod.blob.core.windows.net", 60},
{"ussuk1southprod.blob.core.windows.net", 60},
{"ussus3eastprod.blob.core.windows.net", 60},
{"ussus4westprod.blob.core.windows.net", 60},
{"wsuk1southprod.blob.core.windows.net", 60},
}
// VMWare Carbon Black
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
// https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.8.0/cb-edr-scm-guide/GUID-3117FB54-5D0F-46C1-8372-BF3784D27CFF.html
// restricted: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-Ports-must-be-opened-on-the-Firewall-and-Proxy/ta-p/36295
var domains_carbonblack = []Pair{
{"defense-prod05.conferdeploy.net", 60},
{"console.cloud.vmware.com", 60},
{"updates2.cdc.carbonblack.io", 300},
{"dashboard.confer.net", 300},
{"console.cloud-us-gov.vmware.com", 300},
{"ew2.carbonblackcloud.vmware.com", 30},
{"defense.conferdeploy.net", 60},
{"carbonblack.io", 60},
{"carbonblack.vmware.com", 86400},
{"defense-prodnrt.conferdeploy.net", 60},
{"updates.cdc.carbonblack.io", 60},
{"gprd1usgw1.carbonblack-us-gov.vmware.com", 3600},
{"defense-prodsyd.conferdeploy.net", 60},
{"carbonblack.com", 300},
{"defense-eap01.conferdeploy.net", 60},
{"defense-eu.conferdeploy.net", 60},
{"api.alliance.carbonblack.com", 600},
{"api2.alliance.carbonblack.com", 600},
{"threatintel.bit9.com", 3600},
{"yum.distro.carbonblack.io", 300},
}
// CrowdStrike Falcon
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
var domains_crowdstrike = []Pair{
{"falcon.us-2.crowdstrike.com", 120},
{"falcon.crowdstrike.com", 60},
{"ts01-gyr-maverick.cloudsink.net", 60},
// {"us-gov-2.crowdstrike.com", 0},
{"api.crowdstrike.com", 300},
{"ts01-b.cloudsink.net", 1800},
// {"firehose.us-gov-2.crowdstrike.com", 0},
{"assets.falcon.eu-1.crowdstrike.com", 120},
{"api.eu-1.crowdstrike.com", 60},
{"lfodown01-b.cloudsink.net", 1800},
{"assets-public.falcon.crowdstrike.com", 60},
{"assets.falcon.us-2.crowdstrike.com", 120},
{"api.us-2.crowdstrike.com", 120},
{"assets-public.us-2.falcon.crowdstrike.com", 120},
{"firehose.laggar.gcw.crowdstrike.com", 60},
{"ts01-lanner-lion.cloudsink.net", 60},
{"lfoup01-lanner-lion.cloudsink.net", 1800},
{"assets-public.falcon.eu-1.crowdstrike.com", 120},
{"crowdstrike.com", 300},
{"lfoup01-gyr-maverick.cloudsink.net", 1800},
{"lfoup01-b.cloudsink.net", 1800},
{"ts01-laggar-gcw.cloudsink.net", 60},
{"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com", 60},
{"ts01-us-gov-2.cloudsink.net", 1800},
{"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com", 60},
{"assets.falcon.crowdstrike.com", 60},
{"lfodown01-lanner-lion.cloudsink.net", 60},
{"falcon.laggar.gcw.crowdstrike.com", 60},
{"firehose.us-2.crowdstrike.com", 120},
{"firehose.eu-1.crowdstrike.com", 120},
{"lfodown01-laggar-gcw.cloudsink.net", 60},
{"api.laggar.gcw.crowdstrike.com", 60},
{"lfodown01-gyr-maverick.cloudsink.net", 60},
{"lfodown01-us-gov-2.cloudsink.net", 1800},
{"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com", 60},
{"firehose.crowdstrike.com", 300},
{"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com", 60},
}
// Harmony / CheckPoint
// https://support.checkpoint.com/results/sk/sk116590
var domains_checkpoint = []Pair{
{"rep.checkpoint.com", 1800},
{"threat-emulation.checkpoint.com", 1800},
{"sc1.checkpoint.com", 1800},
{"gwevents.checkpoint.com", 300},
{"gwevents.us.checkpoint.com", 180},
{"endpoint-cdn.epmgmt.checkpoint.com", 300},
// {"checkpoint.com", 25}, <- dynamic ttl
{"kav8.checkpoint.com", 1800},
{"cloudinfra-gw.portal.checkpoint.com", 60},
{"datatube-prod.azurewebsites.net", 30},
{"updates.checkpoint.com", 1800},
{"ep-repo.epmgmt.checkpoint.com", 300},
{"file-rep.iaas.checkpoint.com", 60},
{"threatcloud.iaas.checkpoint.com", 60},
{"dl3.checkpoint.com", 1800},
{"secureupdates.checkpoint.com", 1800},
{"epm-gw-eu.epmgmt.checkpoint.com", 86400},
{"url-rep.iaas.checkpoint.com", 60},
{"te.iaas.checkpoint.com", 60},
{"services.checkpoint.com", 1800},
{"europe-west1-datatube-240519.cloudfunctions.net", 300},
{"cws.checkpoint.com", 1800},
{"teadv.checkpoint.com", 1800},
{"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net", 300},
{"te.checkpoint.com", 1800},
{"hap2.epmgmt.checkpoint.com", 300},
{"hap21.epmgmt.checkpoint.com", 300},
{"hap5.epmgmt.checkpoint.com", 300},
{"hap51.epmgmt.checkpoint.com", 300},
{"hap1.epmgmt.checkpoint.com", 300},
{"hap11.epmgmt.checkpoint.com", 300},
{"hap3.epmgmt.checkpoint.com", 300},
{"hap31.epmgmt.checkpoint.com", 300},
{"hap4.epmgmt.checkpoint.com", 300},
{"hap41.epmgmt.checkpoint.com", 300},
{"ftp-proxy.checkpoint.com", 1800},
{"web-rep.checkpoint.com", 1800},
}
// Cybereason
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
var domains_cybereason = []Pair{
{"data-epgw-eu-west-1.cybereason.net", 300},
{"probe-dist-asia-northeast-1.cybereason.net", 60},
{"data-epgw-asia-northeast-1.cybereason.net", 300},
{"probe-dist.cybereason.net", 300},
{"probe-dist-eu-west-1.cybereason.net", 300},
{"probe-dist-dns.cybereason.net", 3600},
{"data-epgw.cybereason.net", 300},
{"cybereason.com", 600},
}
// FireEye / Trellix
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878
var domains_trellix = []Pair{
{"epo.trellix.com", 300},
{"s-download.trellix.com", 300},
{"lc.trellix.com", 300},
{"manage.trellix.com", 60},
{"cds-usw001.manage.trellix.com", 60},
{"cdn-usw002.manage.trellix.com", 60},
{"cdn-usw001.manage.trellix.com", 60},
{"cdn-usw003.manage.trellix.com", 60},
{"auth.ui.trellix.com", 60},
{"uam.api.trellix.com", 60},
{"api.manage.trellix.com", 60},
{"cds-usw002.manage.trellix.com", 60},
{"trellix.com", 60},
{"dxlweb-usw001.manage.trellix.com", 60},
{"cds-usw003.manage.trellix.com", 60},
{"cdn-sgp001.manage.trellix.com", 60},
{"dxlweb-usw002.manage.trellix.com", 60},
{"cdn-ind001.manage.trellix.com", 60},
{"dxl-usw002.manage.trellix.com", 60},
{"dxl-usw001.manage.trellix.com", 60},
{"dxlweb-usw003.manage.trellix.com", 60},
{"cds-usw004.manage.trellix.com", 60},
{"cdn-au001.manage.trellix.com", 60},
{"dxlweb-usw004.manage.trellix.com", 60},
{"cdn-usw004.manage.trellix.com", 60},
{"dxl-usw004.manage.trellix.com", 60},
{"dxl-usw003.manage.trellix.com", 60},
{"cdn-eu001.manage.trellix.com", 60},
{"iam.cloud.trellix.com", 10},
{"iam-rs.cloud.trellix.com", 10},
{"gsd.cloud.trellix.com", 10},
{"d2c-us-west-2.manage.trellix.com", 60},
{"d2c-eu-central-1.manage.trellix.com", 60},
{"dxlweb-sgp001.manage.trellix.com", 60},
{"dxl-sgp001.manage.trellix.com", 60},
{"dxl-eu001.manage.trellix.com", 60},
{"dxlweb-eu001.manage.trellix.com", 60},
{"dxl-au001.manage.trellix.com", 60},
{"dxlweb-au001.manage.trellix.com", 60},
{"dxl-ind001.manage.trellix.com", 60},
{"dxlweb-ind001.manage.trellix.com", 60},
{"ui-usw001.manage.trellix.com", 60},
{"ui-usw002.manage.trellix.com", 60},
{"ui-usw003.manage.trellix.com", 60},
{"ui-usw004.manage.trellix.com", 60},
{"ui-sgp001.manage.trellix.com", 60},
{"ui-eu001.manage.trellix.com", 60},
{"ui-au001.manage.trellix.com", 60},
{"ui-ind001.manage.trellix.com", 60},
{"ah-usw001.manage.trellix.com", 60},
{"ah-usw002.manage.trellix.com", 60},
{"ah-usw003.manage.trellix.com", 60},
{"ah-usw004.manage.trellix.com", 60},
{"ah-sgp001.manage.trellix.com", 60},
{"ah-eu001.manage.trellix.com", 60},
{"ah-au001.manage.trellix.com", 60},
{"ah-ind001.manage.trellix.com", 60},
}
// Cortex XDR / Palo Alto Networks
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
var domains_paloalto = []Pair{
{"panw-xdr-evr-prod-au.storage.googleapis.com", 300},
{"lrc-eu.paloaltonetworks.com", 14400},
{"global-content-profiles-policy.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-uk.storage.googleapis.com", 300},
{"lrc-ch.paloaltonetworks.com", 14400},
{"lrc-jp.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-qt.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-pl.storage.googleapis.com", 300},
{"pendo-static-5664029141630976.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-sg.storage.googleapis.com", 300},
{"lrc-uk.paloaltonetworks.com", 14400},
{"lrc-us.paloaltonetworks.com", 14400},
{"lrc-tw.paloaltonetworks.com", 1800},
{"panw-xdr-evr-prod-eu.storage.googleapis.com", 300},
{"lrc-ca.paloaltonetworks.com", 14400},
{"paloaltonetworks.com", 30},
// {"lrc-fa.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-in.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-fa.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-ca.storage.googleapis.com", 300},
{"lrc-pl.paloaltonetworks.com", 14400},
{"lrc-qt.paloaltonetworks.com", 300},
{"panw-xdr-evr-prod-us.storage.googleapis.com", 300},
{"lrc-de.paloaltonetworks.com", 300},
{"panw-xdr-installers-prod-us.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-ch.storage.googleapis.com", 300},
{"lrc-in.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-de.storage.googleapis.com", 300},
{"lrc-au.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-tw.storage.googleapis.com", 300},
{"login.paloaltonetworks.com", 14400},
{"lrc-sg.paloaltonetworks.com", 14400},
{"panw-xdr-evr-prod-jp.storage.googleapis.com", 300},
{"panw-xdr-payloads-prod-us.storage.googleapis.com", 300},
{"distributions.traps.paloaltonetworks.com", 300},
{"distributions-prod-fed.traps.paloaltonetworks.com", 300},
{"cortex-gateway.paloaltonetworks.com", 30},
{"gw-app-proxy.us.paloaltonetworks.com", 300},
{"xdr-ova-installers-prod-us.storage.googleapis.com", 300},
{"identity.paloaltonetworks.com", 300},
{"identity.gslb.paloaltonetworks.com", 5},
{"identity.gcp.gslb.paloaltonetworks.com", 5},
{"lrc-fed.paloaltonetworks.com", 14400},
{"panw-xdr-installers-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-payloads-prod-fr.storage.googleapis.com", 300},
{"global-content-profiles-policy-prod-fr.storage.googleapis.com", 300},
{"panw-xdr-evr-prod-fr.storage.googleapis.com", 300},
{"app-proxy.federal.paloaltonetworks.com", 300},
}
// Singularity / SentinelOne
var domains_sentinelone = []Pair{
{"eu1-oauth.mobile.sentinelone.net", 300},
{"eu1-qi.mobile.sentinelone.net", 300},
{"console.mobile.sentinelone.net", 300},
{"sentinelone.com", 300},
{"eu1-console.mobile.sentinelone.net", 300},
{"eu1-content.mobile.sentinelone.net", 300},
{"panel.mobile.sentinelone.net", 300},
{"oauth.mobile.sentinelone.net", 300},
{"xdr.intus1.sentinelone.net", 60},
{"eu1-device-api.mobile.sentinelone.net", 300},
{"eu1-vpc.mobile.sentinelone.net", 300},
{"eu1-acceptor.mobile.sentinelone.net", 300},
{"login.sentinelone.net", 300},
{"device-api.mobile.sentinelone.net", 300},
{"eu1-panel.mobile.sentinelone.net", 300},
{"eu1-token.mobile.sentinelone.net", 300},
{"content.mobile.sentinelone.net", 300},
{"ut.sentinelone.net", 300},
}
// Symantec / Broadcom
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Getting-Started/urls-to-whitelist-for-v129099891-d4155e9710.html
var domains_symantec = []Pair{
{"liveupdate.symantec.com", 3600},
{"liveupdate.symantecliveupdate.com", 600},
{"shasta-rrs.symantec.com", 1800},
{"ent-shasta-rrs.symantec.com", 1800},
{"ent-shasta-mr-clean.symantec.com", 1800},
{"symantec.com", 600},
{"sp.cwfservice.net", 600},
{"us.spoc.securitycloud.symantec.com", 600},
{"eu.spoc.securitycloud.symantec.com", 600},
{"in.spoc.securitycloud.symantec.com", 3600},
{"telemetry.broadcom.com", 3600},
{"tses.broadcom.com", 30},
{"central.b6.crsi.symantec.com", 1800},
{"central.ss.crsi.symantec.com", 1800},
{"central.nrsi.symantec.com", 1800},
{"central.avsi.symantec.com", 1800},
{"central.crsi.symantec.com", 1800},
{"shasta-mrs.symantec.com", 1800},
{"shasta-clt.symantec.com", 1800},
{"stnd-avpg.crsi.symantec.com", 1800},
{"avs-avpg.crsi.symantec.com", 1800},
{"stnd-ipsg.crsi.symantec.com ", 1800},
{"bash-avpg.crsi.symantec.com", 1800},
{"tus1gwynwapex01.symantec.com", 3600},
{"pod.threatpulse.com", 120},
{"faults.qalabs.symantec.com", 1800},
{"faults.symantec.com", 1800},
{"linux-repo-us.securityalliance.cloud", 86400},
{"usea1.r3.securitycloud.symantec.com", 3600},
{"euws1.r3.securitycloud.symantec.com", 3600},
{"inso1.r3.securitycloud.symantec.com", 3600},
{"datafeedapi.symanteccloud.com", 300},
{"us.spoc.securitycloud.symantec.com", 600},
{"eu.spoc.securitycloud.symantec.com ", 600},
{"in.spoc.securitycloud.symantec.com", 3600},
{"uploads.sep.securitycloud.symantec.com", 3600},
{"uploads.sep.eu.securitycloud.symantec.com ", 3600},
{"uploads.sep.in.securitycloud.symantec.com", 3600},
{"ws.securitycloud.symantec.com", 600},
{"bds.securitycloud.symantec.com", 600},
{"ws.eu.securitycloud.symantec.com", 3600},
{"bds.eu.securitycloud.symantec.com", 3600},
{"ws.in.securitycloud.symantec.com ", 3600},
{"bds.in.securitycloud.symantec.com", 3600},
{"cdn.sepmobile.securitycloud.symantec.com", 300},
{"mitm.sepmobile.securitycloud.symantec.com", 300},
{"services-prod.symantec.com", 600},
{"sep.securitycloud.symantec.com", 3600},
{"sep.eu.securitycloud.symantec.com", 3600},
{"sep.in.securitycloud.symantec.com", 3600},
{"avagoext.okta.com", 300},
{"accounts.saas.broadcomcloud.com", 3600},
{"api.sep.securitycloud.symantec.com", 86400},
{"api.sep.eu.securitycloud.symantec.com", 3600},
{"api.sep.in.securitycloud.symantec.com", 3600},
{"knowledge.broadcom.com", 3600},
{"support.broadcom.com", 300},
{"casupport.broadcom.com", 300},
{"login.broadcom.com", 3600},
{"ced.broadcom.com", 3600},
{"ratings-wrs.symantec.com", 3600},
{"api-gateway.symantec.com", 3600},
{"swupdate.brightmail.com", 3600},
{"licensing.dmas.symantec.com", 3600},
{"api.us.dmas.symantec.com", 300},
{"api.eu.dmas.symantec.com", 300},
}
// Tanium
var domains_tanium = []Pair{
{"content.tanium.com", 300},
{"docs-es.tanium.com", 300},
{"docs-fr.tanium.com", 300},
{"tanium.com", 300},
{"go2.tanium.com", 300},
{"learn.tanium.com", 300},
{"som.cloud.tanium.com", 60},
{"download.tanium.com", 300},
{"fnf-api.cloud.tanium.com", 60},
{"community.tanium.com", 300},
{"3.distribute.cloud.tanium.com", 300},
{"content.tanium.com", 300},
{"help.tanium.com", 300},
{"docs.tanium.com", 300},
{"moveit.tanium.com", 300},
{"kb.tanium.com", 300},
}
// Aurora
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
var domains_aurora = []Pair{
{"update-aurora.nextron-systems.com", 60},
{"update-102.nextron-systems.com", 60},
{"update-202.nextron-systems.com", 60},
{"update-201.nextron-systems.com", 60},
{"update-lite.nextron-systems.com", 60},
}
// Trend Micro
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
var domains_trendmicro = []Pair{
{"xdr.trendmicro.co.jp", 60},
{"files.trendmicro.com", 1800},
{"api.nacloud.trendmicro.com", 60},
{"cloudone.trendmicro.com", 60},
{"ddd53-p.activeupdate.trendmicro.com", 1800},
{"trenddefense.com", 300},
{"threatconnect.trendmicro.com", 1800},
{"api.sg.nacloud.trendmicro.com", 60},
{"trendmicro.com", 1800},
{"api.jp.nacloud.trendmicro.com", 60},
{"api.eu.nacloud.trendmicro.com", 60},
{"docs.trendmicro.com", 1800},
{"api.us.nacloud.trendmicro.com", 60},
{"ddd53-threatconnect.trendmicro.com", 1800},
{"licenseupdate.trendmicro.com", 1800},
{"xdr.trendmicro.com", 60},
}
// Rapid7 InsightIDR
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr
var domains_rapid7 = []Pair{
{"data.insight.rapid7.com", 60},
{"us2.data.insight.rapid7.com", 30},
{"us3.data.insight.rapid7.com", 30},
{"eu.data.insight.rapid7.com", 30},
{"ca.data.insight.rapid7.com", 30},
{"au.data.insight.rapid7.com", 30},
{"ap.data.insight.rapid7.com", 30},
{"endpoint.ingress.rapid7.com", 300},
{"us2.endpoint.ingress.rapid7.com", 300},
{"us3.endpoint.ingress.rapid7.com", 300},
{"eu.endpoint.ingress.rapid7.com", 300},
{"ca.endpoint.ingress.rapid7.com", 300},
{"au.endpoint.ingress.rapid7.com", 300},
{"ap.endpoint.ingress.rapid7.com", 300},
{"us.storage.endpoint.ingress.rapid7.com", 86400},
{"us.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us2.storage.endpoint.ingress.rapid7.com", 86400},
{"us2.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"us3.storage.endpoint.ingress.rapid7.com", 86400},
{"us3.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"eu.storage.endpoint.ingress.rapid7.com", 86400}, // not certain
{"eu.bootstrap.endpoint.ingress.rapid7.com", 86400}, // not certain
{"ca.storage.endpoint.ingress.rapid7.com", 86400},
{"ca.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"au.storage.endpoint.ingress.rapid7.com", 86400},
{"au.bootstrap.endpoint.ingress.rapid7.com", 86400},
{"ap.storage.endpoint.ingress.rapid7.com", 86400},
{"ap.bootstrap.endpoint.ingress.rapid7.com", 86400},
}

14
go.mod

@ -1,11 +1,13 @@
module patdown
go 1.21.0
go 1.22.6
require github.com/miekg/dns v1.1.62
require (
github.com/miekg/dns v1.1.57 // indirect
golang.org/x/mod v0.12.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/tools v0.13.0 // indirect
golang.org/x/mod v0.18.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.22.0 // indirect
golang.org/x/tools v0.22.0 // indirect
)

22
go.sum

@ -1,10 +1,12 @@
github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=