id: azure-takeover-detection info: name: Microsoft Azure Takeover Detection author: pdteam severity: high description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a D> reference: - https://godiego.co/posts/STO/ - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover - https://cystack.net/research/subdomain-takeover-chapter-two-azure-services/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cwe-id: CWE-404 metadata: max-request: 1 tags: dns,takeover,azure dns: - name: "{{FQDN}}" type: A matchers-condition: and matchers: - type: word words: - NXDOMAIN - type: dsl dsl: - 'contains(cname, "azure-api.net")' - 'contains(cname, "azure-mobile.net")' - 'contains(cname, "azurecontainer.io")' - 'contains(cname, "azurecr.io")' - 'contains(cname, "azuredatalakestore.net")' - 'contains(cname, "azureedge.net")' - 'contains(cname, "azurefd.net")' - 'contains(cname, "azurehdinsight.net")' - 'contains(cname, "azurewebsites.net")' - 'contains(cname, "azurewebsites.windows.net")' - 'contains(cname, "blob.core.windows.net")' - 'contains(cname, "cloudapp.azure.com")' - 'contains(cname, "cloudapp.net")' - 'contains(cname, "database.windows.net")' - 'contains(cname, "redis.cache.windows.net")' - 'contains(cname, "search.windows.net")' - 'contains(cname, "servicebus.windows.net")' - 'contains(cname, "trafficmanager.net")' - 'contains(cname, "visualstudio.com")' extractors: - type: dsl dsl: - cname # digest: 4b0a00483046022100d68568731abdd8cfc97f8e47d3886209656605e7c73bfe62944a9d0d440bdd0d0221009fbd2c17dbd3f8faf9eae5e17223431a603a59249c6d151b36f22bbd4723ad6c:922c64590222798bb761d5b6d8e72950