# patdown

> Predicts and identifies the presence of EDR/XDR solutions on remote networks


<p  align="center">
    <img  src="https://i.imgur.com/AlQ7N07.png"  width="500"  title="hover text">
</p>

## Abstract
patdown is an EDR/XDR *(Endpoint Detection & Response)* fingerprinting utility useful for predicting defense mechanisms in use on a network.

This is achieved via probing a network's DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.

**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` in its cache, chances are the '*CrowdStrike Falcon*' EDR solution is present somewhere on the network.

These DNS servers can be specified as arguments (the preferred way), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-t` flag.

> ⚠️  Authoritative nameservers are rarely used as egress recursive resolvers for networks and are not as efficacious for fingerprinting EDR/XDR.

## Installation
Retrieve a binary corresponding to your architecture from **Releases** 

*or*

`git clone https://git.supernets.org/delorean/patdown.git && cd patdown/cmd/patdown && go build -o patdown main.go && ./patdown`

## Usage
**Help**

`patdown -h`


**Target specific resolvers**

`patdown -n ns1.target.resolver -n ns2.another.target.resolver`


**Automatically snoop authoritative nameservers**

`patdown -t supernets.org`


## Currently Identified Vendors/Solutions:
- **CrowdStrike** Falcon
- **Microsoft** Defender for Endpoint
- **VMWare** Carbon Black
- **CheckPoint** Harmony
- **Cybereason** EDR
- **Trellix** EDR
- **Palo Alto Networks** Cortex XDR
- **SentinelOne** Singularity
- **Symantec** EDR
- **Tanium** EDR
- **Nextron** Aurora
- **Trend Micro** Endpoint Sensor
- **Rapid7** InsightIDR


- - - -
this is for christian purposes