# patdown

EDR/XDR (Endpoint Detection & Response / Extended Detection & Response) fingerprinting utility for predicting the defence mechanisms in use on remote systems.
## Abstract

Patdown probes a network's DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions. For example, if a network's resolver has `assets-public.falcon.crowdstrike.com` in its cache, chances are the CrowdStrike Falcon EDR solution is present somewhere on that network.

These DNS servers can be specified as arguments (the preferred way), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-t` flag.

⚠️ Authoritative nameservers are rarely used as the egress recursive resolvers of a network, so they are far less effective for EDR/XDR fingerprinting.
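On the resolver side, the probing described above shows up as queries for vendor names arriving from outside the network, and cache snooping is conventionally performed with the recursion-desired (RD) bit clear. The following Go program is an added example, not part of patdown: it runs that detection over constructed BIND-style query-log lines, treating the log layout, the internal range 10.0.0.0/8 and the single vendor suffix from the README as assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Constructed BIND-style query-log lines (layout assumed; adapt lineRe to your resolver): two recursive lookups from inside the network, then two non-recursive ("-") probes from outside.
const sampleLog = `client 10.0.0.21#50123 (www.example.com): query: www.example.com IN A +E (10.0.0.53)
client 10.0.0.22#50124 (assets-public.falcon.crowdstrike.com): query: assets-public.falcon.crowdstrike.com IN A +E (10.0.0.53)
client 203.0.113.7#41000 (assets-public.falcon.crowdstrike.com): query: assets-public.falcon.crowdstrike.com IN A -E (10.0.0.53)
client 203.0.113.7#41001 (www.example.com): query: www.example.com IN A -E (10.0.0.53)`

var (
	// Captures client IP, query name and the leading "+" (RD set) / "-" (RD clear) flag.
	lineRe      = regexp.MustCompile(`^client (\S+)#\d+ \(\S+\): query: (\S+) IN \S+ ([+-])`)
	internalNet = netip.MustParsePrefix("10.0.0.0/8") // assumed internal range
	edrSuffix   = ".crowdstrike.com"                  // vendor named in the README; extend
)

// Alert records which snooping indicators fired for one external query.
type Alert struct {
	Client, QName      string
	RDClear, EDRDomain bool
}

// Detect returns one Alert per query from outside internalNet whose RD bit is clear and/or whose name falls under an EDR vendor domain.
func Detect(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if addr, err := netip.ParseAddr(m[1]); err == nil && internalNet.Contains(addr) {
			continue // internal hosts resolving vendor names is the EDR working, not snooping
		}
		a := Alert{Client: m[1], QName: m[2], RDClear: m[3] == "-",
			EDRDomain: strings.HasSuffix(strings.ToLower(m[2]), edrSuffix)}
		if a.RDClear || a.EDRDomain {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

func main() { fmt.Println(Detect(sampleLog)) }
```

A resolver that refuses non-recursive queries from outside its intended client range removes the signal entirely, whichever vendor domains sit in its cache.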
## Installation

Retrieve a binary corresponding to your architecture from Releases, or build from source:

```sh
git clone https://git.supernets.org/delorean/patdown.git && cd patdown/cmd/patdown && go build -o patdown main.go && ./patdown
```

## Usage

Help:

```sh
patdown -h
```

Target specific resolvers:

```sh
patdown -n ns1.target.resolver -n ns2.another.target.resolver
```

Automatically snoop authoritative nameservers:

```sh
patdown -t supernets.org
```
this is for christian purposes