id: azure-takeover-detection info: name: Microsoft Azure Takeover Detection author: pdteam severity: high description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a DNS record points to a deprovisioned Azure resource. reference: - https://godiego.co/posts/STO/ - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover - https://cystack.net/research/subdomain-takeover-chapter-two-azure-services/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cwe-id: CWE-404 tags: dns,takeover,azure metadata: max-request: 1 dns: - name: "{{FQDN}}" type: A matchers-condition: and matchers: - type: word words: - "azure-api.net" - "azure-mobile.net" - "azurecontainer.io" - "azurecr.io" - "azuredatalakestore.net" - "azureedge.net" - "azurefd.net" - "azurehdinsight.net" - "azurewebsites.net" - "azurewebsites.windows.net" - "blob.core.windows.net" - "cloudapp.azure.com" - "cloudapp.net" - "database.windows.net" - "redis.cache.windows.net" - "search.windows.net" - "servicebus.windows.net" - "trafficmanager.net" - "visualstudio.com" - type: word words: - "NXDOMAIN" extractors: - type: regex group: 1 regex: - "IN\tCNAME\t(.+)"