From 198217504d5e23b7c34d2f5a5ad4835f5e6a7fc1 Mon Sep 17 00:00:00 2001 From: Philippe Delteil Date: Fri, 10 May 2024 05:34:53 -0500 Subject: [PATCH] Update azure-takeover-detection.yaml Is better to check for the CNAME values instead of words in the response. A lot of false positives appear if they contain on of the terms to match, example: azurewebsites.net.reddog.microsoft.com --- dns/azure-takeover-detection.yaml | 50 ++++++++++++++----------------- 1 file changed, 23 insertions(+), 27 deletions(-) diff --git a/dns/azure-takeover-detection.yaml b/dns/azure-takeover-detection.yaml index c7c350400a..fdddd8cff0 100644 --- a/dns/azure-takeover-detection.yaml +++ b/dns/azure-takeover-detection.yaml @@ -4,7 +4,7 @@ info: name: Microsoft Azure Takeover Detection author: pdteam severity: high - description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a DNS record points to a deprovisioned Azure resource. + description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a D> reference: - https://godiego.co/posts/STO/ - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover @@ -25,33 +25,29 @@ dns: matchers: - type: word words: - - "azure-api.net" - - "azure-mobile.net" - - "azurecontainer.io" - - "azurecr.io" - - "azuredatalakestore.net" - - "azureedge.net" - - "azurefd.net" - - "azurehdinsight.net" - - "azurewebsites.net" - - "azurewebsites.windows.net" - - "blob.core.windows.net" - - "cloudapp.azure.com" - - "cloudapp.net" - - "database.windows.net" - - "redis.cache.windows.net" - - "search.windows.net" - - "servicebus.windows.net" - - "trafficmanager.net" - - "visualstudio.com" - - - type: word - words: - - "NXDOMAIN" - + - NXDOMAIN + - type: dsl + dsl: + - 'contains(cname, "azure-api.net")' + - 'contains(cname, "azure-mobile.net")' + - 'contains(cname, "azurecontainer.io")' + - 'contains(cname, "azurecr.io")' + - 'contains(cname, "azuredatalakestore.net")' + - 'contains(cname, "azureedge.net")' + - 'contains(cname, "azurefd.net")' + - 'contains(cname, "azurehdinsight.net")' + - 'contains(cname, "azurewebsites.net")' + - 'contains(cname, "azurewebsites.windows.net")' + - 'contains(cname, "blob.core.windows.net")' + - 'contains(cname, "cloudapp.azure.com")' + - 'contains(cname, "cloudapp.net")' + - 'contains(cname, "database.windows.net")' + - 'contains(cname, "redis.cache.windows.net")' + - 'contains(cname, "search.windows.net")' + - 'contains(cname, "servicebus.windows.net")' + - 'contains(cname, "trafficmanager.net")' + - 'contains(cname, "visualstudio.com")' extractors: - type: dsl dsl: - cname - -# digest: 4a0a00473045022043d1113417de308936591aa35f8175c25ad9d5b66b6d076fe0ba324450b1799e022100add5bb113b494d920eb39a99c107f2e7dff1979d482302e2580ff07e5857d9ff:922c64590222798bb761d5b6d8e72950