437 lines
9.4 KiB
YAML
437 lines
9.4 KiB
YAML
id: dns-saas-service-detection
|
|
|
|
info:
|
|
name: DNS SaaS Service Detection
|
|
author: noah @thesubtlety,pdteam
|
|
severity: info
|
|
description: A CNAME DNS record was discovered
|
|
reference:
|
|
- https://ns1.com/resources/cname
|
|
- https://www.theregister.com/2021/02/24/dns_cname_tracking/
|
|
- https://www.ionos.com/digitalguide/hosting/technical-matters/cname-record/
|
|
metadata:
|
|
max-request: 1
|
|
tags: dns,service
|
|
|
|
dns:
|
|
- name: "{{FQDN}}"
|
|
type: CNAME
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- cname
|
|
|
|
matchers-condition: or
|
|
matchers:
|
|
- type: word
|
|
part: answer
|
|
name: ms-office
|
|
words:
|
|
- outlook.com
|
|
- office.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: azure
|
|
words:
|
|
- "azure-api.net"
|
|
- "azure.com"
|
|
- "azure-mobile.net"
|
|
- "azurecontainer.io"
|
|
- "azurecr.io"
|
|
- "azuredatalakestore.net"
|
|
- "azureedge.net"
|
|
- "azurefd.net"
|
|
- "azurehdinsight.net"
|
|
- "azurewebsites.net"
|
|
- "azurewebsites.windows.net"
|
|
- "blob.core.windows.net"
|
|
- "cloudapp.azure.com"
|
|
- "cloudapp.net"
|
|
- "database.windows.net"
|
|
- "redis.cache.windows.net"
|
|
- "search.windows.net"
|
|
- "servicebus.windows.net"
|
|
- "visualstudio.com"
|
|
- "-msedge.net"
|
|
- "trafficmanager.net"
|
|
|
|
- type: word
|
|
part: answer
|
|
name: zendesk
|
|
words:
|
|
- "zendesk.com"
|
|
|
|
- type: word
|
|
part: answer
|
|
name: announcekit
|
|
words:
|
|
- "cname.announcekit.app"
|
|
|
|
- type: word
|
|
part: answer
|
|
name: wix
|
|
words:
|
|
- "wixdns.net"
|
|
|
|
- type: word
|
|
part: answer
|
|
name: akamai-cdn
|
|
words:
|
|
- akadns.net
|
|
- akagtm.org
|
|
- akahost.net
|
|
- akam.net
|
|
- akamai.com
|
|
- akamai.net
|
|
- akamaiedge-staging.net
|
|
- akamaiedge.net
|
|
- akamaientrypoint.net
|
|
- akamaihd.net
|
|
- akamaistream.net
|
|
- akamaitech.net
|
|
- akamaitechnologies.com
|
|
- akamaitechnologies.fr
|
|
- akamaized.net
|
|
- akaquill.net
|
|
- akasecure.net
|
|
- akasripcn.net
|
|
- edgekey.net
|
|
- edgesuite.net
|
|
|
|
- type: word
|
|
part: answer
|
|
name: cloudflare-cdn
|
|
words:
|
|
- cloudflare.net
|
|
- cloudflare-dm-cmpimg.com
|
|
- cloudflare-ipfs.com
|
|
- cloudflare-quic.com
|
|
- cloudflare-terms-of-service-abuse.com
|
|
- cloudflare.com
|
|
- cloudflare.net
|
|
- cloudflare.tv
|
|
- cloudflareaccess.com
|
|
- cloudflareclient.com
|
|
- cloudflareinsights.com
|
|
- cloudflareok.com
|
|
- cloudflareportal.com
|
|
- cloudflareresolve.com
|
|
- cloudflaressl.com
|
|
- cloudflarestatus.com
|
|
- sn-cloudflare.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: amazon-cloudfront
|
|
words:
|
|
- cloudfront.net
|
|
|
|
- type: word
|
|
part: answer
|
|
name: salesforce
|
|
words:
|
|
- salesforce.com
|
|
- siteforce.com
|
|
- force.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: amazon-aws
|
|
words:
|
|
- amazonaws.com
|
|
- elasticbeanstalk.com
|
|
- awsglobalaccelerator.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: fastly-cdn
|
|
words:
|
|
- fastly.net
|
|
|
|
- type: word
|
|
part: answer
|
|
name: netlify
|
|
words:
|
|
- netlify.app
|
|
- netlify.com
|
|
- netlifyglobalcdn.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: vercel
|
|
words:
|
|
- vercel.app
|
|
|
|
- type: word
|
|
part: answer
|
|
name: sendgrid
|
|
words:
|
|
- sendgrid.net
|
|
- sendgrid.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: qualtrics
|
|
words:
|
|
- qualtrics.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: heroku
|
|
words:
|
|
- herokuapp.com
|
|
- herokucdn.com
|
|
- herokudns.com
|
|
- herokussl.com
|
|
- herokuspace.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: gitlab
|
|
words:
|
|
- gitlab.com
|
|
- gitlab.io
|
|
|
|
- type: word
|
|
part: answer
|
|
name: perforce-akana
|
|
words:
|
|
- akana.com
|
|
- apiportal.akana.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: skilljar
|
|
words:
|
|
- skilljarapp.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: datagrail
|
|
words:
|
|
- datagrail.io
|
|
|
|
- type: word
|
|
part: answer
|
|
name: platform.sh
|
|
words:
|
|
- platform.sh
|
|
|
|
- type: word
|
|
part: answer
|
|
name: folloze
|
|
words:
|
|
- folloze.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: pendo-receptive
|
|
words:
|
|
- receptive.io
|
|
- pendo.io
|
|
|
|
- type: word
|
|
part: answer
|
|
name: discourse
|
|
words:
|
|
- bydiscourse.com
|
|
- discourse-cdn.com
|
|
- discourse.cloud
|
|
- discourse.org
|
|
- hosted-by-discourse.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: adobe-marketo
|
|
words:
|
|
- marketo.com
|
|
- marketo.co.uk
|
|
- mktoweb.com
|
|
- mktossl.com
|
|
- mktoweb.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: adobe-marketo
|
|
- 'mkto-.{5,8}\.com'
|
|
|
|
- type: word
|
|
part: answer
|
|
name: adobe-marketo
|
|
words:
|
|
- marketo.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: rock-content
|
|
words:
|
|
- postclickmarketing.com
|
|
- rockcontent.com
|
|
- rockstage.io
|
|
|
|
- type: word
|
|
part: answer
|
|
name: rocketlane
|
|
words:
|
|
- rocketlane.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: webflow
|
|
words:
|
|
- proxy-ssl.webflow.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: stacker-hq
|
|
words:
|
|
- stacker.app
|
|
|
|
- type: word
|
|
part: answer
|
|
name: hubspot
|
|
words:
|
|
- hs-analytics.net
|
|
- hs-banner.com
|
|
- hs-scripts.com
|
|
- hsappstatic.net
|
|
- hscollectedforms.net
|
|
- hscoscdn00.net
|
|
- hscoscdn10.net
|
|
- hscoscdn20.net
|
|
- hscoscdn30.net
|
|
- hscoscdn40.net
|
|
- hsforms.com
|
|
- hsforms.net
|
|
- hubapi.com
|
|
- hubspot.com
|
|
- hubspot.es
|
|
- hubspot.net
|
|
- hubspotemail.net
|
|
- hubspotlinks.com
|
|
- hubspotusercontent-na1.net
|
|
- sidekickopen90.com
|
|
- usemessages.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: gitbook
|
|
words:
|
|
- gitbook.com
|
|
- gitbook.io
|
|
|
|
- type: word
|
|
part: answer
|
|
name: google-firebase
|
|
words:
|
|
- fcm.googleapis.com
|
|
- firebase.com
|
|
- firebase.google.com
|
|
- firebase.googleapis.com
|
|
- firebaseapp.com
|
|
- firebaseappcheck.googleapis.com
|
|
- firebasedynamiclinks-ipv4.googleapis.com
|
|
- firebasedynamiclinks-ipv6.googleapis.com
|
|
- firebasedynamiclinks.googleapis.com
|
|
- firebaseinappmessaging.googleapis.com
|
|
- firebaseinstallations.googleapis.com
|
|
- firebaseio.com
|
|
- firebaselogging-pa.googleapis.com
|
|
- firebaselogging.googleapis.com
|
|
- firebaseperusertopics-pa.googleapis.com
|
|
- firebaseremoteconfig.googleapis.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: zendesk
|
|
words:
|
|
- zdassets.com
|
|
- zdorigin.com
|
|
- zendesk.com
|
|
- zopim.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: imperva
|
|
words:
|
|
- incapdns.net
|
|
- incapsula.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: proofpoint
|
|
words:
|
|
- infoprtct.com
|
|
- metanetworks.com
|
|
- ppe-hosted.com
|
|
- pphosted.com
|
|
- proofpoint.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: q4-investor-relations
|
|
words:
|
|
- q4inc.com
|
|
- q4ir.com
|
|
- q4web.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: google-hosted
|
|
words:
|
|
- appspot.com
|
|
- cloudfunctions.net
|
|
- ghs.googlehosted.com
|
|
- ghs4.googlehosted.com
|
|
- ghs46.googlehosted.com
|
|
- ghs6.googlehosted.com
|
|
- googlehosted.com
|
|
- googlehosted.l.googleusercontent.com
|
|
- run.app
|
|
|
|
- type: word
|
|
part: answer
|
|
name: wp-engine
|
|
words:
|
|
- wpengine.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: github
|
|
words:
|
|
- github.com
|
|
- github.io
|
|
- githubusercontent.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: ghost
|
|
words:
|
|
- ghost.io
|
|
|
|
- type: word
|
|
part: answer
|
|
name: digital-ocean
|
|
words:
|
|
- ondigitalocean.app
|
|
|
|
- type: word
|
|
part: answer
|
|
name: typedream
|
|
words:
|
|
- ontypedream.com
|
|
|
|
- type: word
|
|
part: answer
|
|
name: oracle-eloqua-marketing
|
|
words:
|
|
- hs.eloqua.com
|
|
|
|
- type: regex
|
|
part: answer
|
|
regex:
|
|
- "IN\tCNAME\\t(.+)$"
|
|
- "IN\\s*CNAME\\t(.+)$"
|