add dns saas

2022-12-20 22:28:37 -07:00 · 2022-12-20 22:28:37 -07:00 · 213b4c2702
parent ccbf3aed07
commit 213b4c2702
1 changed files with 380 additions and 0 deletions
--- a/dns/saas-service-detection.yaml
+++ b/dns/saas-service-detection.yaml
@ -0,0 +1,380 @@
+id: saas-service-detection
+
+info:
+  name: dns saas service detection
+  author: noah @thesubtlety
+  severity: info
+  tags: dns
+
+dns:
+  - name: "{{FQDN}}"
+    type: CNAME
+
+  - name: "{{FQDN}}"
+    type: A
+
+    matchers-condition: or
+    matchers:
+
+      - type: word
+        name: O365
+        words:
+          - outlook.com
+          - office.com
+
+      - type: word
+        name: Azure
+        words:
+          - "azure-api.net"
+          - "azure.com"
+          - "azure-mobile.net"
+          - "azurecontainer.io"
+          - "azurecr.io"
+          - "azuredatalakestore.net"
+          - "azureedge.net"
+          - "azurefd.net"
+          - "azurehdinsight.net"
+          - "azurewebsites.net"
+          - "azurewebsites.windows.net"
+          - "blob.core.windows.net"
+          - "cloudapp.azure.com"
+          - "cloudapp.net"
+          - "database.windows.net"
+          - "redis.cache.windows.net"
+          - "search.windows.net"
+          - "servicebus.windows.net"
+          - "visualstudio.com"
+          - "-msedge.net"
+          - "trafficmanager.net"
+      
+      - type: word
+        name: zendesk
+        words:
+          - "zendesk.com"
+
+      - type: word
+        name: announcekit
+        words:
+          - "cname.announcekit.app"
+
+      - type: word
+        name: wix
+        words:
+          - "wixdns.net"
+
+      - type: word
+        name: Akamai CDN
+        condition: or
+        words:
+          - akadns.net
+          - akagtm.org
+          - akahost.net
+          - akam.net
+          - akamai.com
+          - akamai.net
+          - akamaiedge-staging.net
+          - akamaiedge.net
+          - akamaientrypoint.net
+          - akamaihd.net
+          - akamaistream.net
+          - akamaitech.net
+          - akamaitechnologies.com
+          - akamaitechnologies.fr
+          - akamaized.net
+          - akaquill.net
+          - akasecure.net
+          - akasripcn.net
+          - edgekey.net
+          - edgesuite.net
+
+      - type: word
+        name: Cloudflare CDN
+        words:
+          - cloudflare.net
+          - cloudflare-dm-cmpimg.com
+          - cloudflare-ipfs.com
+          - cloudflare-quic.com
+          - cloudflare-terms-of-service-abuse.com
+          - cloudflare.com
+          - cloudflare.net
+          - cloudflare.tv
+          - cloudflareaccess.com
+          - cloudflareclient.com
+          - cloudflareinsights.com
+          - cloudflareok.com
+          - cloudflareportal.com
+          - cloudflareresolve.com
+          - cloudflaressl.com
+          - cloudflarestatus.com
+          - sn-cloudflare.com
+
+      - type: word
+        name: Amazon CloudFront
+        words:
+          - cloudfront.net
+
+      - type: word
+        name: Salesforce
+        words:
+          - salesforce.com
+          - siteforce.com
+          - force.com
+
+      - type: word
+        name: Amazon AWS
+        words:
+          - amazonaws.com
+          - elasticbeanstalk.com
+          - awsglobalaccelerator.com
+
+      - type: word
+        name: Fastly CDN
+        words:
+          - fastly.net
+
+      - type: word
+        name: Netlify
+        words:
+          - netlify.app
+          - netlify.com
+          - netlifyglobalcdn.com
+
+      - type: word
+        name: Vercel
+        words:
+          - vercel.app
+
+      - type: word
+        name: Sendgrid
+        words:
+          - sendgrid.net
+          - sendgrid.com
+
+      - type: word
+        name: Qualtrics
+        words:
+          - qualtrics.com
+
+      - type: word
+        name: Heroku
+        words:
+          - herokuapp.com
+          - herokucdn.com
+          - herokudns.com
+          - herokussl.com
+          - herokuspace.com
+
+      - type: word
+        name: Gitlab
+        words:
+          - gitlab.com
+          - gitlab.io
+
+      - type: word
+        name: Perforce Akana
+        words:
+          - akana.com
+          - apiportal.akana.com
+
+      - type: word
+        name: Skilljar
+        words:
+          - skilljarapp.com
+
+      - type: word
+        name: Datagrail
+        words:
+          - datagrail.io
+
+      - type: word
+        name: Platform.sh
+        words:
+          - platform.sh
+
+      - type: word
+        name: Folloze
+        words:
+          - folloze.com
+
+      - type: word
+        name: Pendo/Receptive
+        words:
+          - receptive.io
+          - pendo.io
+
+      - type: word
+        name: Discourse
+        words:
+          - bydiscourse.com
+          - discourse-cdn.com
+          - discourse.cloud
+          - discourse.org
+          - hosted-by-discourse.com
+
+      - type: word
+        name: Adobe Marketo
+        words:
+          - marketo.com
+          - marketo.co.uk
+          - mktoweb.com
+          - mktossl.com
+          - mktoweb.com
+
+      - type: regex
+        name: Adobe Marketo
+        regex: 
+          - 'mkto-.{5,8}\.com'
+
+      - type: word
+        name: Adobe Marketo
+        words:
+          - marketo.com
+
+      - type: word
+        name: Rock Content
+        words:
+          - postclickmarketing.com
+          - rockcontent.com
+          - rockstage.io
+
+      - type: word
+        name: Rocketlane
+        words:
+          - rocketlane.com
+
+      - type: word
+        name: Webflow
+        words:
+          - proxy-ssl.webflow.com
+
+      - type: word
+        name: Stacker HQ
+        words:
+          - stacker.app
+
+      - type: word
+        name: HubSpot
+        words:
+          - hs-analytics.net
+          - hs-banner.com
+          - hs-scripts.com
+          - hsappstatic.net
+          - hscollectedforms.net
+          - hscoscdn00.net
+          - hscoscdn10.net
+          - hscoscdn20.net
+          - hscoscdn30.net
+          - hscoscdn40.net
+          - hsforms.com
+          - hsforms.net
+          - hubapi.com
+          - hubspot.com
+          - hubspot.es
+          - hubspot.net
+          - hubspotemail.net
+          - hubspotlinks.com
+          - hubspotusercontent-na1.net
+          - sidekickopen90.com
+          - usemessages.com
+
+      - type: word
+        name: Gitbook
+        words:
+          - gitbook.com
+          - gitbook.io
+
+      - type: word
+        name: Google Firebase
+        words:
+          - fcm.googleapis.com
+          - firebase.com
+          - firebase.google.com
+          - firebase.googleapis.com
+          - firebaseapp.com
+          - firebaseappcheck.googleapis.com
+          - firebasedynamiclinks-ipv4.googleapis.com
+          - firebasedynamiclinks-ipv6.googleapis.com
+          - firebasedynamiclinks.googleapis.com
+          - firebaseinappmessaging.googleapis.com
+          - firebaseinstallations.googleapis.com
+          - firebaseio.com
+          - firebaselogging-pa.googleapis.com
+          - firebaselogging.googleapis.com
+          - firebaseperusertopics-pa.googleapis.com
+          - firebaseremoteconfig.googleapis.com
+
+      - type: word
+        name: Zendesk
+        words:
+          - zdassets.com
+          - zdorigin.com
+          - zendesk.com
+          - zopim.com
+
+      - type: word
+        name: Imperva
+        words:
+          - incapdns.net
+          - incapsula.com
+
+      - type: word
+        name: proofpoint
+        words:
+          - infoprtct.com
+          - metanetworks.com
+          - ppe-hosted.com
+          - pphosted.com
+          - proofpoint.com
+
+      - type: word
+        name: Q4 Investor Relations
+        words:
+          - q4inc.com
+          - q4ir.com
+          - q4web.com
+
+      - type: word
+        name: Google Hosted
+        words:
+          - appspot.com
+          - cloudfunctions.net
+          - ghs.googlehosted.com
+          - ghs4.googlehosted.com
+          - ghs46.googlehosted.com
+          - ghs6.googlehosted.com
+          - googlehosted.com
+          - googlehosted.l.googleusercontent.com
+          - run.app
+
+      - type: word
+        name: WP Engine
+        words:
+          - wpengine.com
+
+      - type: word
+        name: GitHub
+        words:
+          - github.com
+          - github.io
+          - githubusercontent.com
+
+      - type: word
+        name: Ghost
+        words:
+          - ghost.io
+
+      - type: word
+        name: Digital Oceang
+        words:
+          - ondigitalocean.app
+
+      - type: word
+        name: Type Dream
+        words:
+          - ontypedream.com
+
+      - type: word
+        name: Oracle Eloqua Marketing
+        words:
+          - hs.eloqua.com
+