60 lines
1.7 KiB
Markdown
60 lines
1.7 KiB
Markdown
# patdown
|
|
|
|
> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.
|
|
|
|
|
|
<p align="center">
|
|
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
|
|
</p>
|
|
|
|
## Abstract
|
|
Patdown probes a network's DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
|
|
|
|
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` in its cache, chances are the '*CrowdStrike Falcon*' EDR solution is present somewhere on the network.
|
|
|
|
These DNS servers can be specified as arguments (the preferred way), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-t` flag.
|
|
|
|
> ⚠️ Authoritative nameservers are rarely used as egress recursive resolvers for networks and are not as efficacious for fingerprinting EDR/XDR.
|
|
|
|
## Installation
|
|
Retrieve a binary corresponding to your architecture from **Releases**
|
|
|
|
*or*
|
|
|
|
`git clone https://git.supernets.org/delorean/patdown.git && cd patdown/cmd/patdown && go build -o patdown main.go && ./patdown`
|
|
|
|
## Usage
|
|
**Help**
|
|
|
|
`patdown -h`
|
|
|
|
|
|
**Target specific resolvers**
|
|
|
|
`patdown -n ns1.target.resolver -n ns2.another.target.resolver`
|
|
|
|
|
|
**Automatically snoop authoritative nameservers**
|
|
|
|
`patdown -t supernets.org`
|
|
|
|
|
|
## Currently Identified Vendors/Solutions:
|
|
- **CrowdStrike** Falcon
|
|
- **Microsoft** Defender for Endpoint
|
|
- **VMWare** Carbon Black
|
|
- **CheckPoint** Harmony
|
|
- **Cybereason** EDR
|
|
- **Trellix** EDR
|
|
- **Palo Alto Networks** Cortex XDR
|
|
- **SentinelOne** Singularity
|
|
- **Symantec** EDR
|
|
- **Tanium** EDR
|
|
- **Nextron** Aurora
|
|
- **Trend Micro** Endpoint Sensor
|
|
- **Rapid7** InsightIDR
|
|
|
|
|
|
- - - -
|
|
this is for christian purposes
|