Update azure-takeover-detection.yaml

Is better to check for the CNAME values instead of words in the response. A lot of false positives appear if they contain on of the terms to match, example: azurewebsites.net.reddog.microsoft.com
2024-05-10 05:34:53 -05:00 · 2024-05-10 05:34:53 -05:00 · 198217504d
parent 19e9bdc1a5
commit 198217504d
1 changed files with 23 additions and 27 deletions
--- a/dns/azure-takeover-detection.yaml
+++ b/dns/azure-takeover-detection.yaml
@ -4,7 +4,7 @@ info:
  name: Microsoft Azure Takeover Detection
  author: pdteam
  severity: high
-  description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a DNS record points to a deprovisioned Azure resource.
+  description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a D>
  reference:
    - https://godiego.co/posts/STO/
    - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
@ -25,33 +25,29 @@ dns:
    matchers:
      - type: word
        words:
-          - "azure-api.net"
-          - "azure-mobile.net"
-          - "azurecontainer.io"
-          - "azurecr.io"
-          - "azuredatalakestore.net"
-          - "azureedge.net"
-          - "azurefd.net"
-          - "azurehdinsight.net"
-          - "azurewebsites.net"
-          - "azurewebsites.windows.net"
-          - "blob.core.windows.net"
-          - "cloudapp.azure.com"
-          - "cloudapp.net"
-          - "database.windows.net"
-          - "redis.cache.windows.net"
-          - "search.windows.net"
-          - "servicebus.windows.net"
-          - "trafficmanager.net"
-          - "visualstudio.com"
-
-      - type: word
-        words:
-          - "NXDOMAIN"
-
+          - NXDOMAIN
+      - type: dsl
+        dsl:
+          - 'contains(cname, "azure-api.net")'
+          - 'contains(cname, "azure-mobile.net")'
+          - 'contains(cname, "azurecontainer.io")'
+          - 'contains(cname, "azurecr.io")'
+          - 'contains(cname, "azuredatalakestore.net")'
+          - 'contains(cname, "azureedge.net")'
+          - 'contains(cname, "azurefd.net")'
+          - 'contains(cname, "azurehdinsight.net")'
+          - 'contains(cname, "azurewebsites.net")'
+          - 'contains(cname, "azurewebsites.windows.net")'
+          - 'contains(cname, "blob.core.windows.net")'
+          - 'contains(cname, "cloudapp.azure.com")'
+          - 'contains(cname, "cloudapp.net")'
+          - 'contains(cname, "database.windows.net")'
+          - 'contains(cname, "redis.cache.windows.net")'
+          - 'contains(cname, "search.windows.net")'
+          - 'contains(cname, "servicebus.windows.net")'
+          - 'contains(cname, "trafficmanager.net")'
+          - 'contains(cname, "visualstudio.com")'
    extractors:
      - type: dsl
        dsl:
          - cname
-
-# digest: 4a0a00473045022043d1113417de308936591aa35f8175c25ad9d5b66b6d076fe0ba324450b1799e022100add5bb113b494d920eb39a99c107f2e7dff1979d482302e2580ff07e5857d9ff:922c64590222798bb761d5b6d8e72950