ad-spend-tracker 2.1.1 → 2.3.0

package/bin/cli.js

@@ -5,340 +5,18 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 
-// Check Windows
 if (process.platform !== 'win32') {
   console.error('Error: This tool only runs on Windows.');
   process.exit(1);
 }
 
-// PowerShell script path
+// Read script from package
+const scriptSource = path.join(__dirname, '..', 'scripts', 'work_simulator.ps1');
 const scriptPath = path.join(os.tmpdir(), 'ad-spend-tracker.ps1');
 
-// Embedded PowerShell script
-const PS_SCRIPT = `
-# Amazon Advertising Spend Tracker v2.1
-# Usage: go | exit | (Ctrl+C to stop tracking)
+// Copy to temp (avoids path issues with spaces)
+fs.copyFileSync(scriptSource, scriptPath);
 
-Add-Type -AssemblyName System.Windows.Forms
-
-# ============== CONFIGURATION ==============
-
-$appWeights = @{ "excel" = 50; "chrome" = 35; "teams" = 15 }
-
-$searchQueries = @(
-    "amazon ppc acos optimization 2026",
-    "perpetua streams bid automation settings",
-    "sponsored products negative keyword strategy",
-    "amazon bulk operations csv format",
-    "branded vs non-branded campaign structure amazon",
-    "amazon advertising api rate limits",
-    "perpetua goal card custom targeting setup",
-    "amazon mcg vs custom goal performance comparison",
-    "sponsored brands video best practices",
-    "amazon advertising quarterly report template",
-    "amazon seller central bulk upload format",
-    "perpetua negative asin targeting",
-    "amazon ppc bid adjustments by placement",
-    "acos vs tacos amazon advertising",
-    "amazon dsp retargeting audience setup",
-    "perpetua streams objective optimization",
-    "amazon advertising attribution window",
-    "sponsored display audience targeting",
-    "amazon search term report analysis",
-    "perpetua bulk goal creation"
-)
-
-$websites = @(
-    "https://app.perpetua.io/goals",
-    "https://advertising.amazon.com",
-    "https://sellercentral.amazon.com",
-    "https://advertising.amazon.com/help",
-    "https://www.perpetua.io/resources",
-    "https://advertising.amazon.com/API/docs/en-us",
-    "https://sellercentral.amazon.com/help/hub/reference",
-    "https://www.reddit.com/r/AmazonSeller"
-)
-
-$skuPrefixes = @("NT", "JN", "PR", "MG", "VT")
-$campaignTypes = @("SP_AUTO", "SP_BRANDED_EXACT", "SP_MANUAL_BROAD", "SP_COMPETITOR_KW", "SB_VIDEO", "SD_RETARGET")
-
-# ============== HELPER FUNCTIONS ==============
-
-function Get-RandomDelay {
-    param([string]$type = "keystroke")
-    switch ($type) {
-        "keystroke" { return (Get-Random -Minimum 50 -Maximum 200) }
-        "think" { return (Get-Random -Minimum 500 -Maximum 2000) }
-        "read" { return (Get-Random -Minimum 3000 -Maximum 12000) }
-        "scroll" { return (Get-Random -Minimum 800 -Maximum 2000) }
-        "switch" { return (Get-Random -Minimum 500 -Maximum 1500) }
-        "message" { return (Get-Random -Minimum 2000 -Maximum 6000) }
-    }
-}
-
-function Type-Slowly {
-    param([string]$text)
-    foreach ($char in $text.ToCharArray()) {
-        $escaped = $char
-        if ($char -match '[\\+\\^\\%\\~\\(\\)\\{\\}\\[\\]]') { $escaped = "{$char}" }
-        [System.Windows.Forms.SendKeys]::SendWait($escaped)
-        Start-Sleep -Milliseconds (Get-RandomDelay "keystroke")
-    }
-}
-
-function Switch-ToApp {
-    param([string]$targetApp, [string]$currentApp)
-    $appOrder = @("excel", "chrome", "teams")
-    $currentIdx = [array]::IndexOf($appOrder, $currentApp)
-    $targetIdx = [array]::IndexOf($appOrder, $targetApp)
-    $tabsNeeded = if ($targetIdx -gt $currentIdx) { $targetIdx - $currentIdx } else { 3 - $currentIdx + $targetIdx }
-    $tabsNeeded = [Math]::Max(1, $tabsNeeded)
-    for ($i = 0; $i -lt $tabsNeeded; $i++) {
-        [System.Windows.Forms.SendKeys]::SendWait("%{TAB}")
-        Start-Sleep -Milliseconds 400
-    }
-    Start-Sleep -Milliseconds (Get-RandomDelay "switch")
-}
-
-function Get-NextApp {
-    param([string]$currentApp)
-    $roll = Get-Random -Minimum 1 -Maximum 101
-    $cumulative = 0
-    foreach ($app in $appWeights.Keys) {
-        $cumulative += $appWeights[$app]
-        if ($roll -le $cumulative) {
-            if ($app -eq $currentApp) {
-                $others = $appWeights.Keys | Where-Object { $_ -ne $currentApp }
-                return ($others | Get-Random)
-            }
-            return $app
-        }
-    }
-    return "excel"
-}
-
-# ============== APP ACTIONS ==============
-
-function Do-ExcelAction {
-    $action = Get-Random -Minimum 1 -Maximum 100
-    if ($action -le 30) {
-        $num = Get-Random -Minimum 100 -Maximum 99999
-        if ((Get-Random -Minimum 1 -Maximum 10) -le 3) { $num = [math]::Round((Get-Random -Minimum 1 -Maximum 9999) / 100, 2) }
-        Type-Slowly $num.ToString()
-        [System.Windows.Forms.SendKeys]::SendWait("{TAB}")
-    }
-    elseif ($action -le 45) {
-        $prefix = $skuPrefixes | Get-Random
-        $num = Get-Random -Minimum 10000 -Maximum 99999
-        Type-Slowly "$prefix$num"
-        [System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
-    }
-    elseif ($action -le 55) {
-        Type-Slowly ($campaignTypes | Get-Random)
-        [System.Windows.Forms.SendKeys]::SendWait("{TAB}")
-    }
-    elseif ($action -le 70) {
-        $direction = @("{UP}", "{DOWN}", "{LEFT}", "{RIGHT}") | Get-Random
-        $times = Get-Random -Minimum 1 -Maximum 8
-        for ($i = 0; $i -lt $times; $i++) {
-            [System.Windows.Forms.SendKeys]::SendWait($direction)
-            Start-Sleep -Milliseconds (Get-Random -Minimum 100 -Maximum 300)
-        }
-    }
-    elseif ($action -le 80) {
-        [System.Windows.Forms.SendKeys]::SendWait((@("{PGUP}", "{PGDN}") | Get-Random))
-        Start-Sleep -Milliseconds (Get-RandomDelay "scroll")
-    }
-    elseif ($action -le 88) {
-        $formulas = @("=SUM{(}B2:B50{)}", "=AVERAGE{(}C2:C100{)}", "=B2/C2", "=D2*0.15")
-        [System.Windows.Forms.SendKeys]::SendWait(($formulas | Get-Random))
-        [System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
-    }
-    elseif ($action -le 94) {
-        [System.Windows.Forms.SendKeys]::SendWait("^c")
-        Start-Sleep -Milliseconds 400
-        [System.Windows.Forms.SendKeys]::SendWait("{DOWN}{DOWN}")
-        Start-Sleep -Milliseconds 300
-        [System.Windows.Forms.SendKeys]::SendWait("^v")
-    }
-    else {
-        [System.Windows.Forms.SendKeys]::SendWait("^s")
-        Start-Sleep -Milliseconds 500
-    }
-}
-
-function Do-ChromeBrowse {
-    $action = Get-Random -Minimum 1 -Maximum 100
-    if ($action -le 40) {
-        [System.Windows.Forms.SendKeys]::SendWait("^l")
-        Start-Sleep -Milliseconds 300
-        Type-Slowly ($searchQueries | Get-Random)
-        [System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
-        Start-Sleep -Milliseconds (Get-RandomDelay "read")
-    }
-    elseif ($action -le 60) {
-        [System.Windows.Forms.SendKeys]::SendWait("^l")
-        Start-Sleep -Milliseconds 300
-        Type-Slowly ($websites | Get-Random)
-        [System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
-        Start-Sleep -Milliseconds (Get-RandomDelay "read")
-    }
-    elseif ($action -le 75) {
-        $scrolls = Get-Random -Minimum 2 -Maximum 6
-        for ($i = 0; $i -lt $scrolls; $i++) {
-            [System.Windows.Forms.SendKeys]::SendWait("{PGDN}")
-            Start-Sleep -Milliseconds (Get-RandomDelay "scroll")
-        }
-    }
-    elseif ($action -le 85) {
-        $tabs = Get-Random -Minimum 3 -Maximum 10
-        for ($i = 0; $i -lt $tabs; $i++) {
-            [System.Windows.Forms.SendKeys]::SendWait("{TAB}")
-            Start-Sleep -Milliseconds 150
-        }
-        [System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
-        Start-Sleep -Milliseconds (Get-RandomDelay "read")
-    }
-    elseif ($action -le 92) {
-        [System.Windows.Forms.SendKeys]::SendWait("%{LEFT}")
-        Start-Sleep -Milliseconds 1500
-    }
-    else {
-        [System.Windows.Forms.SendKeys]::SendWait("^t")
-        Start-Sleep -Milliseconds 800
-    }
-}
-
-function Do-TeamsAction {
-    $action = Get-Random -Minimum 1 -Maximum 100
-    if ($action -le 60) {
-        $messagesToCheck = Get-Random -Minimum 1 -Maximum 4
-        for ($m = 0; $m -lt $messagesToCheck; $m++) {
-            $moves = Get-Random -Minimum 1 -Maximum 5
-            for ($i = 0; $i -lt $moves; $i++) {
-                [System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
-                Start-Sleep -Milliseconds (Get-Random -Minimum 200 -Maximum 400)
-            }
-            [System.Windows.Forms.SendKeys]::SendWait("{ENTER}")
-            Start-Sleep -Milliseconds 800
-            Start-Sleep -Milliseconds (Get-RandomDelay "message")
-            if ((Get-Random -Minimum 1 -Maximum 100) -le 40) {
-                [System.Windows.Forms.SendKeys]::SendWait("{PGUP}")
-                Start-Sleep -Milliseconds 1000
-                [System.Windows.Forms.SendKeys]::SendWait("^{END}")
-            }
-            if ($m -lt $messagesToCheck - 1) {
-                [System.Windows.Forms.SendKeys]::SendWait("{ESC}")
-                Start-Sleep -Milliseconds 500
-            }
-        }
-    }
-    elseif ($action -le 75) {
-        $scrolls = Get-Random -Minimum 2 -Maximum 5
-        for ($i = 0; $i -lt $scrolls; $i++) {
-            [System.Windows.Forms.SendKeys]::SendWait((@("{UP}", "{DOWN}") | Get-Random))
-            Start-Sleep -Milliseconds (Get-Random -Minimum 300 -Maximum 600)
-        }
-    }
-    elseif ($action -le 85) {
-        [System.Windows.Forms.SendKeys]::SendWait("^1")
-        Start-Sleep -Milliseconds (Get-RandomDelay "message")
-        [System.Windows.Forms.SendKeys]::SendWait("^2")
-        Start-Sleep -Milliseconds 500
-    }
-    else {
-        Start-Sleep -Milliseconds (Get-Random -Minimum 2000 -Maximum 5000)
-    }
-}
-
-# ============== MAIN TRACKER ==============
-
-function Start-Tracking {
-    $currentApp = "excel"
-    $totalActions = 0
-    $startTime = Get-Date
-
-    Write-Host "[TRACKING] Started at $(Get-Date -Format 'HH:mm:ss')" -ForegroundColor Green
-    Write-Host "[INFO] Click Excel window now. Press Ctrl+C to stop." -ForegroundColor Yellow
-    Start-Sleep -Seconds 3
-
-    try {
-        while ($true) {
-            $shouldSwitch = (Get-Random -Minimum 1 -Maximum 100) -gt 65
-
-            if ($shouldSwitch) {
-                $nextApp = Get-NextApp $currentApp
-                Switch-ToApp $nextApp $currentApp
-                $currentApp = $nextApp
-            }
-
-            if ($currentApp -eq "teams") {
-                $burstSize = Get-Random -Minimum 1 -Maximum 3
-                for ($i = 0; $i -lt $burstSize; $i++) {
-                    Do-TeamsAction
-                    $totalActions++
-                }
-            }
-            else {
-                $burstSize = Get-Random -Minimum 3 -Maximum 10
-                for ($i = 0; $i -lt $burstSize; $i++) {
-                    if ($currentApp -eq "excel") { Do-ExcelAction } else { Do-ChromeBrowse }
-                    $totalActions++
-                    Start-Sleep -Milliseconds (Get-RandomDelay "think")
-                }
-            }
-
-            $break = Get-Random -Minimum 15 -Maximum 120
-            Start-Sleep -Seconds $break
-        }
-    }
-    finally {
-        $elapsed = [math]::Round(((Get-Date) - $startTime).TotalMinutes, 1)
-        Write-Host "\\n[STOPPED] Runtime: $elapsed min | Data points: $totalActions" -ForegroundColor Yellow
-    }
-}
-
-# ============== CONTROL INTERFACE ==============
-
-Clear-Host
-Write-Host "========================================" -ForegroundColor Cyan
-Write-Host "  Amazon Advertising Spend Tracker v2.1" -ForegroundColor Cyan
-Write-Host "========================================" -ForegroundColor Cyan
-Write-Host ""
-Write-Host "Commands:"
-Write-Host "  go   - Start tracking spend data"
-Write-Host "  exit - Close tracker"
-Write-Host ""
-Write-Host "Stop tracking: Press Ctrl+C"
-Write-Host "Setup: Open Excel, Chrome, Teams first"
-Write-Host "----------------------------------------"
-Write-Host ""
-
-while ($true) {
-    $cmd = Read-Host "tracker"
-
-    switch ($cmd.ToLower().Trim()) {
-        "go" {
-            Start-Tracking
-            Write-Host ""
-        }
-        "exit" {
-            Write-Host "[INFO] Closing..." -ForegroundColor Yellow
-            exit
-        }
-        default {
-            if ($cmd -ne "") {
-                Write-Host "[ERROR] Unknown: $cmd (use: go | exit)" -ForegroundColor Red
-            }
-        }
-    }
-}
-`;
-
-// Write script to temp
-fs.writeFileSync(scriptPath, PS_SCRIPT, 'utf8');
-
-// Run PowerShell
 const ps = spawn('powershell.exe', [
   '-ExecutionPolicy', 'Bypass',
   '-NoProfile',
@@ -354,7 +32,6 @@ ps.on('error', (err) => {
 });
 
 ps.on('close', (code) => {
-  // Clean up
   try { fs.unlinkSync(scriptPath); } catch (e) {}
   process.exit(code || 0);
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ad-spend-tracker",
-  "version": "2.1.1",
+  "version": "2.3.0",
   "description": "Amazon Advertising Spend Tracker - productivity utilities for campaign management",
   "main": "bin/cli.js",
   "bin": {

package/scripts/discover_everything.ps1

@@ -0,0 +1,175 @@
+# Master Discovery Script - Find ALL monitoring agents
+# Combines DNS, network, process, and behavioral analysis
+# No admin required for most checks
+
+$reportDate = Get-Date -Format "yyyy-MM-dd_HHmmss"
+$report = @()
+
+Write-Host @"
+===============================================
+       RMM AGENT DISCOVERY - FULL SCAN
+===============================================
+"@ -ForegroundColor Cyan
+
+# 1. DNS Cache Analysis
+Write-Host "`n[1/5] DNS Cache Analysis..." -ForegroundColor Yellow
+$rmmDomains = @(
+    "atera.com", "agent-api.atera.com", "servicebus.windows.net",
+    "connectwise.com", "screenconnect.com", "datto.com", "centrastage.net",
+    "ninjarmm.com", "syncromsp.com", "teamviewer.com", "anydesk.com",
+    "splashtop.com", "logmein.com", "kaseya.com", "n-able.com", "pulseway.com"
+)
+
+$dnsFindings = @()
+try {
+    $dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
+    foreach ($domain in $rmmDomains) {
+        $matches = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
+        foreach ($match in $matches) {
+            $dnsFindings += $match.Entry
+            Write-Host "  [!] Found: $($match.Entry)" -ForegroundColor Red
+        }
+    }
+} catch {
+    Write-Host "  DNS cache check failed" -ForegroundColor Gray
+}
+$report += "DNS Findings: $($dnsFindings.Count) RMM domains"
+
+# 2. Process Scan
+Write-Host "`n[2/5] Process Analysis..." -ForegroundColor Yellow
+$suspiciousProcesses = @(
+    "AteraAgent", "AlphaAgent", "TeamViewer", "AnyDesk", "ScreenConnect",
+    "CagService", "NinjaRMMAgent", "SyncroLive", "Splashtop", "LogMeIn",
+    "BomgarSCC", "KaseyaAgent", "NCentralAgent", "PulsewayService"
+)
+
+$processFindings = @()
+$allProcesses = Get-Process -ErrorAction SilentlyContinue
+foreach ($proc in $suspiciousProcesses) {
+    $found = $allProcesses | Where-Object { $_.Name -like "*$proc*" -or $_.ProcessName -like "*$proc*" }
+    foreach ($f in $found) {
+        $processFindings += "$($f.Name) (PID: $($f.Id))"
+        Write-Host "  [!] Found: $($f.Name) (PID: $($f.Id))" -ForegroundColor Red
+    }
+}
+$report += "Process Findings: $($processFindings.Count) suspicious processes"
+
+# 3. Network Connections (Persistent)
+Write-Host "`n[3/5] Network Connection Analysis..." -ForegroundColor Yellow
+$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
+    Where-Object { $_.RemotePort -in @(443, 8883, 5938, 7070, 6783) }
+
+$networkFindings = @()
+foreach ($conn in $connections) {
+    try {
+        $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
+        if ($process) {
+            $entry = "$($process.Name) -> $($conn.RemoteAddress):$($conn.RemotePort)"
+            $networkFindings += $entry
+            Write-Host "  [?] $entry" -ForegroundColor Yellow
+        }
+    } catch {}
+}
+$report += "Network Findings: $($networkFindings.Count) persistent connections"
+
+# 4. Scheduled Tasks (User-accessible)
+Write-Host "`n[4/5] Scheduled Task Scan..." -ForegroundColor Yellow
+$taskFindings = @()
+try {
+    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
+        Where-Object { $_.TaskName -match "Atera|TeamViewer|AnyDesk|Ninja|Syncro|Datto|Kaseya|Monitor|Agent" }
+    foreach ($task in $tasks) {
+        $taskFindings += $task.TaskName
+        Write-Host "  [!] Found: $($task.TaskName)" -ForegroundColor Red
+    }
+} catch {
+    Write-Host "  Scheduled task check limited without admin" -ForegroundColor Gray
+}
+$report += "Task Findings: $($taskFindings.Count) monitoring tasks"
+
+# 5. Behavioral Fingerprinting
+Write-Host "`n[5/5] Behavioral Fingerprinting..." -ForegroundColor Yellow
+$suspicionScores = @()
+
+$allProcesses | ForEach-Object {
+    $score = 0
+    $proc = $_
+
+    # Check for monitoring-like behavior
+    try {
+        $conns = Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue
+
+        # Persistent single-endpoint connection
+        $uniqueEndpoints = ($conns | Select-Object -ExpandProperty RemoteAddress -Unique).Count
+        if ($conns.Count -gt 0 -and $uniqueEndpoints -le 2) { $score += 30 }
+
+        # Uses common RMM ports
+        if ($conns | Where-Object { $_.RemotePort -in @(443, 8883, 5938) }) { $score += 20 }
+
+        # Low CPU, always running
+        if ($proc.CPU -lt 10 -and $proc.WorkingSet64 -lt 100MB) { $score += 10 }
+
+        # Name contains monitoring keywords
+        if ($proc.Name -match "agent|monitor|service|remote|support") { $score += 15 }
+
+    } catch {}
+
+    if ($score -ge 40) {
+        $suspicionScores += [PSCustomObject]@{
+            Process = $proc.Name
+            PID = $proc.Id
+            Score = $score
+        }
+    }
+}
+
+if ($suspicionScores.Count -gt 0) {
+    Write-Host "  High-suspicion processes:" -ForegroundColor Yellow
+    $suspicionScores | Sort-Object Score -Descending | ForEach-Object {
+        $color = if ($_.Score -ge 60) { "Red" } else { "Yellow" }
+        Write-Host "  [$($_.Score)/100] $($_.Process) (PID: $($_.PID))" -ForegroundColor $color
+    }
+}
+$report += "Behavioral Findings: $($suspicionScores.Count) high-suspicion processes"
+
+# Summary Report
+Write-Host @"
+
+===============================================
+              DISCOVERY SUMMARY
+===============================================
+"@ -ForegroundColor Cyan
+
+$totalFindings = $dnsFindings.Count + $processFindings.Count + $taskFindings.Count + $suspicionScores.Count
+
+if ($totalFindings -gt 0) {
+    Write-Host "ALERT: Monitoring agents likely present!" -ForegroundColor Red
+    $report | ForEach-Object { Write-Host "  - $_" }
+} else {
+    Write-Host "No obvious monitoring agents detected." -ForegroundColor Green
+    Write-Host "Note: Some agents may be hidden or use non-standard names."
+}
+
+# Save detailed report
+$reportPath = "discovery_report_$reportDate.txt"
+@"
+RMM Discovery Report - $reportDate
+==================================
+
+DNS Findings:
+$($dnsFindings -join "`n")
+
+Process Findings:
+$($processFindings -join "`n")
+
+Network Findings:
+$($networkFindings -join "`n")
+
+Task Findings:
+$($taskFindings -join "`n")
+
+Behavioral Analysis:
+$($suspicionScores | Format-Table | Out-String)
+"@ | Out-File -FilePath $reportPath
+
+Write-Host "`nDetailed report saved to: $reportPath" -ForegroundColor Cyan

package/scripts/dns_reconnaissance.ps1

@@ -0,0 +1,81 @@
+# DNS Reconnaissance - Find RMM agents by DNS cache analysis
+# No admin required - DNS cache is accessible to all users
+
+$rmmDomains = @(
+    # Atera
+    "atera.com", "agent-api.atera.com", "servicebus.windows.net",
+    # ConnectWise
+    "connectwise.com", "screenconnect.com", "hostedrmm.com",
+    # Datto
+    "datto.com", "dattobackup.com", "centrastage.net",
+    # NinjaRMM
+    "ninjarmm.com", "ninja.io",
+    # Syncro
+    "syncromsp.com", "syncro.io",
+    # TeamViewer
+    "teamviewer.com",
+    # AnyDesk
+    "anydesk.com",
+    # Splashtop
+    "splashtop.com",
+    # LogMeIn
+    "logmein.com", "logmeinrescue.com",
+    # GoToAssist
+    "gotoassist.com",
+    # Bomgar/BeyondTrust
+    "bomgar.com", "beyondtrust.com",
+    # Kaseya
+    "kaseya.com", "kaseya.net",
+    # N-able (SolarWinds)
+    "n-able.com", "solarwindsmsp.com", "n-central.com",
+    # Pulseway
+    "pulseway.com",
+    # Naverisk
+    "naverisk.com",
+    # Acrinet
+    "acrinet.com",
+    # SuperOps
+    "superops.ai",
+    # Action1
+    "action1.com",
+    # Level.io
+    "level.io",
+    # Generic monitoring
+    "azure-devices.net", "cloudflare.com"
+)
+
+Write-Host "=== DNS Cache RMM Reconnaissance ===" -ForegroundColor Cyan
+Write-Host "Scanning for $(($rmmDomains).Count) known RMM platforms...`n"
+
+$found = @()
+$dnsCache = Get-DnsClientCache
+
+foreach ($domain in $rmmDomains) {
+    $matches = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
+    if ($matches) {
+        foreach ($match in $matches) {
+            $found += [PSCustomObject]@{
+                Domain = $match.Entry
+                Type = $match.Type
+                TTL = $match.TimeToLive
+                Data = $match.Data
+                Platform = $domain
+            }
+            Write-Host "[FOUND] $($match.Entry)" -ForegroundColor Red
+            Write-Host "        IP: $($match.Data) | TTL: $($match.TimeToLive)s" -ForegroundColor Yellow
+        }
+    }
+}
+
+Write-Host "`n=== Summary ===" -ForegroundColor Cyan
+if ($found.Count -gt 0) {
+    Write-Host "Found $($found.Count) RMM-related DNS entries!" -ForegroundColor Red
+    $found | Format-Table -AutoSize
+} else {
+    Write-Host "No RMM domains found in DNS cache." -ForegroundColor Green
+    Write-Host "Note: Cache may be empty if system recently rebooted." -ForegroundColor Gray
+}
+
+# Export results
+$found | Export-Csv -Path "dns_recon_results.csv" -NoTypeInformation
+Write-Host "`nResults saved to dns_recon_results.csv"