diff --git a/dns/saas-service-detection.yaml b/dns/saas-service-detection.yaml
new file mode 100644
index 0000000000..19d699f7e5
--- /dev/null
+++ b/dns/saas-service-detection.yaml
@@ -0,0 +1,380 @@
+id: saas-service-detection
+
+info:
+ name: dns saas service detection
+ author: noah @thesubtlety
+ severity: info
+ tags: dns
+
+dns:
+ - name: "{{FQDN}}"
+ type: CNAME
+
+ - name: "{{FQDN}}"
+ type: A
+
+ matchers-condition: or
+ matchers:
+
+ - type: word
+ name: O365
+ words:
+ - outlook.com
+ - office.com
+
+ - type: word
+ name: Azure
+ words:
+ - "azure-api.net"
+ - "azure.com"
+ - "azure-mobile.net"
+ - "azurecontainer.io"
+ - "azurecr.io"
+ - "azuredatalakestore.net"
+ - "azureedge.net"
+ - "azurefd.net"
+ - "azurehdinsight.net"
+ - "azurewebsites.net"
+ - "azurewebsites.windows.net"
+ - "blob.core.windows.net"
+ - "cloudapp.azure.com"
+ - "cloudapp.net"
+ - "database.windows.net"
+ - "redis.cache.windows.net"
+ - "search.windows.net"
+ - "servicebus.windows.net"
+ - "visualstudio.com"
+ - "-msedge.net"
+ - "trafficmanager.net"
+
+ - type: word
+ name: zendesk
+ words:
+ - "zendesk.com"
+
+ - type: word
+ name: announcekit
+ words:
+ - "cname.announcekit.app"
+
+ - type: word
+ name: wix
+ words:
+ - "wixdns.net"
+
+ - type: word
+ name: Akamai CDN
+ condition: or
+ words:
+ - akadns.net
+ - akagtm.org
+ - akahost.net
+ - akam.net
+ - akamai.com
+ - akamai.net
+ - akamaiedge-staging.net
+ - akamaiedge.net
+ - akamaientrypoint.net
+ - akamaihd.net
+ - akamaistream.net
+ - akamaitech.net
+ - akamaitechnologies.com
+ - akamaitechnologies.fr
+ - akamaized.net
+ - akaquill.net
+ - akasecure.net
+ - akasripcn.net
+ - edgekey.net
+ - edgesuite.net
+
+ - type: word
+ name: Cloudflare CDN
+ words:
+ - cloudflare.net
+ - cloudflare-dm-cmpimg.com
+ - cloudflare-ipfs.com
+ - cloudflare-quic.com
+ - cloudflare-terms-of-service-abuse.com
+ - cloudflare.com
+ - cloudflare.net
+ - cloudflare.tv
+ - cloudflareaccess.com
+ - cloudflareclient.com
+ - cloudflareinsights.com
+ - cloudflareok.com
+ - cloudflareportal.com
+ - cloudflareresolve.com
+ - cloudflaressl.com
+ - cloudflarestatus.com
+ - sn-cloudflare.com
+
+ - type: word
+ name: Amazon CloudFront
+ words:
+ - cloudfront.net
+
+ - type: word
+ name: Salesforce
+ words:
+ - salesforce.com
+ - siteforce.com
+ - force.com
+
+ - type: word
+ name: Amazon AWS
+ words:
+ - amazonaws.com
+ - elasticbeanstalk.com
+ - awsglobalaccelerator.com
+
+ - type: word
+ name: Fastly CDN
+ words:
+ - fastly.net
+
+ - type: word
+ name: Netlify
+ words:
+ - netlify.app
+ - netlify.com
+ - netlifyglobalcdn.com
+
+ - type: word
+ name: Vercel
+ words:
+ - vercel.app
+
+ - type: word
+ name: Sendgrid
+ words:
+ - sendgrid.net
+ - sendgrid.com
+
+ - type: word
+ name: Qualtrics
+ words:
+ - qualtrics.com
+
+ - type: word
+ name: Heroku
+ words:
+ - herokuapp.com
+ - herokucdn.com
+ - herokudns.com
+ - herokussl.com
+ - herokuspace.com
+
+ - type: word
+ name: Gitlab
+ words:
+ - gitlab.com
+ - gitlab.io
+
+ - type: word
+ name: Perforce Akana
+ words:
+ - akana.com
+ - apiportal.akana.com
+
+ - type: word
+ name: Skilljar
+ words:
+ - skilljarapp.com
+
+ - type: word
+ name: Datagrail
+ words:
+ - datagrail.io
+
+ - type: word
+ name: Platform.sh
+ words:
+ - platform.sh
+
+ - type: word
+ name: Folloze
+ words:
+ - folloze.com
+
+ - type: word
+ name: Pendo/Receptive
+ words:
+ - receptive.io
+ - pendo.io
+
+ - type: word
+ name: Discourse
+ words:
+ - bydiscourse.com
+ - discourse-cdn.com
+ - discourse.cloud
+ - discourse.org
+ - hosted-by-discourse.com
+
+ - type: word
+ name: Adobe Marketo
+ words:
+ - marketo.com
+ - marketo.co.uk
+ - mktoweb.com
+ - mktossl.com
+ - mktoweb.com
+
+ - type: regex
+ name: Adobe Marketo
+ regex:
+ - 'mkto-.{5,8}\.com'
+
+ - type: word
+ name: Adobe Marketo
+ words:
+ - marketo.com
+
+ - type: word
+ name: Rock Content
+ words:
+ - postclickmarketing.com
+ - rockcontent.com
+ - rockstage.io
+
+ - type: word
+ name: Rocketlane
+ words:
+ - rocketlane.com
+
+ - type: word
+ name: Webflow
+ words:
+ - proxy-ssl.webflow.com
+
+ - type: word
+ name: Stacker HQ
+ words:
+ - stacker.app
+
+ - type: word
+ name: HubSpot
+ words:
+ - hs-analytics.net
+ - hs-banner.com
+ - hs-scripts.com
+ - hsappstatic.net
+ - hscollectedforms.net
+ - hscoscdn00.net
+ - hscoscdn10.net
+ - hscoscdn20.net
+ - hscoscdn30.net
+ - hscoscdn40.net
+ - hsforms.com
+ - hsforms.net
+ - hubapi.com
+ - hubspot.com
+ - hubspot.es
+ - hubspot.net
+ - hubspotemail.net
+ - hubspotlinks.com
+ - hubspotusercontent-na1.net
+ - sidekickopen90.com
+ - usemessages.com
+
+ - type: word
+ name: Gitbook
+ words:
+ - gitbook.com
+ - gitbook.io
+
+ - type: word
+ name: Google Firebase
+ words:
+ - fcm.googleapis.com
+ - firebase.com
+ - firebase.google.com
+ - firebase.googleapis.com
+ - firebaseapp.com
+ - firebaseappcheck.googleapis.com
+ - firebasedynamiclinks-ipv4.googleapis.com
+ - firebasedynamiclinks-ipv6.googleapis.com
+ - firebasedynamiclinks.googleapis.com
+ - firebaseinappmessaging.googleapis.com
+ - firebaseinstallations.googleapis.com
+ - firebaseio.com
+ - firebaselogging-pa.googleapis.com
+ - firebaselogging.googleapis.com
+ - firebaseperusertopics-pa.googleapis.com
+ - firebaseremoteconfig.googleapis.com
+
+ - type: word
+ name: Zendesk
+ words:
+ - zdassets.com
+ - zdorigin.com
+ - zendesk.com
+ - zopim.com
+
+ - type: word
+ name: Imperva
+ words:
+ - incapdns.net
+ - incapsula.com
+
+ - type: word
+ name: proofpoint
+ words:
+ - infoprtct.com
+ - metanetworks.com
+ - ppe-hosted.com
+ - pphosted.com
+ - proofpoint.com
+
+ - type: word
+ name: Q4 Investor Relations
+ words:
+ - q4inc.com
+ - q4ir.com
+ - q4web.com
+
+ - type: word
+ name: Google Hosted
+ words:
+ - appspot.com
+ - cloudfunctions.net
+ - ghs.googlehosted.com
+ - ghs4.googlehosted.com
+ - ghs46.googlehosted.com
+ - ghs6.googlehosted.com
+ - googlehosted.com
+ - googlehosted.l.googleusercontent.com
+ - run.app
+
+ - type: word
+ name: WP Engine
+ words:
+ - wpengine.com
+
+ - type: word
+ name: GitHub
+ words:
+ - github.com
+ - github.io
+ - githubusercontent.com
+
+ - type: word
+ name: Ghost
+ words:
+ - ghost.io
+
+ - type: word
+ name: Digital Oceang
+ words:
+ - ondigitalocean.app
+
+ - type: word
+ name: Type Dream
+ words:
+ - ontypedream.com
+
+ - type: word
+ name: Oracle Eloqua Marketing
+ words:
+ - hs.eloqua.com
+
\ No newline at end of file
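Review bot: The word matchers are substring tests, so short entries such as `force.com`, `run.app`, `akam.net` and `platform.sh` also fire on unrelated names that merely contain those strings, and an asset inventory built from this template would attribute hosts to the wrong provider. Writing such entries with a leading label delimiter, as the list already does for `"-msedge.net"` (e.g. `- ".run.app"`), narrows the match; if the default matcher part covers the whole response rather than only the answer records, adding `part: answer` to each matcher would also stop a hit on the queried name itself. The list also carries duplicates and a typo worth cleaning up before merge: `cloudflare.net` and `mktoweb.com` each appear twice, a second `Adobe Marketo` word matcher repeats `marketo.com`, `zendesk.com` sits under both `zendesk` and `Zendesk`, and `Digital Oceang` is presumably `Digital Ocean`.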