Update azure-takeover-detection.yaml
Is better to check for the CNAME values instead of words in the response. A lot of false positives appear if they contain on of the terms to match, example: azurewebsites.net.reddog.microsoft.compatch-2
parent
19e9bdc1a5
commit
198217504d
|
@ -4,7 +4,7 @@ info:
|
||||||
name: Microsoft Azure Takeover Detection
|
name: Microsoft Azure Takeover Detection
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: high
|
severity: high
|
||||||
description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a DNS record points to a deprovisioned Azure resource.
|
description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a D>
|
||||||
reference:
|
reference:
|
||||||
- https://godiego.co/posts/STO/
|
- https://godiego.co/posts/STO/
|
||||||
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
|
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
|
||||||
|
@ -25,33 +25,29 @@ dns:
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "azure-api.net"
|
- NXDOMAIN
|
||||||
- "azure-mobile.net"
|
- type: dsl
|
||||||
- "azurecontainer.io"
|
dsl:
|
||||||
- "azurecr.io"
|
- 'contains(cname, "azure-api.net")'
|
||||||
- "azuredatalakestore.net"
|
- 'contains(cname, "azure-mobile.net")'
|
||||||
- "azureedge.net"
|
- 'contains(cname, "azurecontainer.io")'
|
||||||
- "azurefd.net"
|
- 'contains(cname, "azurecr.io")'
|
||||||
- "azurehdinsight.net"
|
- 'contains(cname, "azuredatalakestore.net")'
|
||||||
- "azurewebsites.net"
|
- 'contains(cname, "azureedge.net")'
|
||||||
- "azurewebsites.windows.net"
|
- 'contains(cname, "azurefd.net")'
|
||||||
- "blob.core.windows.net"
|
- 'contains(cname, "azurehdinsight.net")'
|
||||||
- "cloudapp.azure.com"
|
- 'contains(cname, "azurewebsites.net")'
|
||||||
- "cloudapp.net"
|
- 'contains(cname, "azurewebsites.windows.net")'
|
||||||
- "database.windows.net"
|
- 'contains(cname, "blob.core.windows.net")'
|
||||||
- "redis.cache.windows.net"
|
- 'contains(cname, "cloudapp.azure.com")'
|
||||||
- "search.windows.net"
|
- 'contains(cname, "cloudapp.net")'
|
||||||
- "servicebus.windows.net"
|
- 'contains(cname, "database.windows.net")'
|
||||||
- "trafficmanager.net"
|
- 'contains(cname, "redis.cache.windows.net")'
|
||||||
- "visualstudio.com"
|
- 'contains(cname, "search.windows.net")'
|
||||||
|
- 'contains(cname, "servicebus.windows.net")'
|
||||||
- type: word
|
- 'contains(cname, "trafficmanager.net")'
|
||||||
words:
|
- 'contains(cname, "visualstudio.com")'
|
||||||
- "NXDOMAIN"
|
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- cname
|
- cname
|
||||||
|
|
||||||
# digest: 4a0a00473045022043d1113417de308936591aa35f8175c25ad9d5b66b6d076fe0ba324450b1799e022100add5bb113b494d920eb39a99c107f2e7dff1979d482302e2580ff07e5857d9ff:922c64590222798bb761d5b6d8e72950
|
|
||||||
|
|
Loading…
Reference in New Issue