From 198217504d5e23b7c34d2f5a5ad4835f5e6a7fc1 Mon Sep 17 00:00:00 2001
From: Philippe Delteil <pdelteil@gmail.com>
Date: Fri, 10 May 2024 05:34:53 -0500
Subject: [PATCH] Update azure-takeover-detection.yaml

Is better to check for the CNAME values instead of words in the response. A lot of false positives appear if they contain on of the terms to match, example: azurewebsites.net.reddog.microsoft.com
---
 dns/azure-takeover-detection.yaml | 50 ++++++++++++++-----------------
 1 file changed, 23 insertions(+), 27 deletions(-)

diff --git a/dns/azure-takeover-detection.yaml b/dns/azure-takeover-detection.yaml
index c7c350400ae..fdddd8cff08 100644
--- a/dns/azure-takeover-detection.yaml
+++ b/dns/azure-takeover-detection.yaml
@@ -4,7 +4,7 @@ info:
   name: Microsoft Azure Takeover Detection
   author: pdteam
   severity: high
-  description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a DNS record points to a deprovisioned Azure resource.
+  description: Microsoft Azure is vulnerable to subdomain takeover attacks. Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when a D>
   reference:
     - https://godiego.co/posts/STO/
     - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
@@ -25,33 +25,29 @@ dns:
     matchers:
       - type: word
         words:
-          - "azure-api.net"
-          - "azure-mobile.net"
-          - "azurecontainer.io"
-          - "azurecr.io"
-          - "azuredatalakestore.net"
-          - "azureedge.net"
-          - "azurefd.net"
-          - "azurehdinsight.net"
-          - "azurewebsites.net"
-          - "azurewebsites.windows.net"
-          - "blob.core.windows.net"
-          - "cloudapp.azure.com"
-          - "cloudapp.net"
-          - "database.windows.net"
-          - "redis.cache.windows.net"
-          - "search.windows.net"
-          - "servicebus.windows.net"
-          - "trafficmanager.net"
-          - "visualstudio.com"
-
-      - type: word
-        words:
-          - "NXDOMAIN"
-
+          - NXDOMAIN
+      - type: dsl
+        dsl:
+          - 'contains(cname, "azure-api.net")'
+          - 'contains(cname, "azure-mobile.net")'
+          - 'contains(cname, "azurecontainer.io")'
+          - 'contains(cname, "azurecr.io")'
+          - 'contains(cname, "azuredatalakestore.net")'
+          - 'contains(cname, "azureedge.net")'
+          - 'contains(cname, "azurefd.net")'
+          - 'contains(cname, "azurehdinsight.net")'
+          - 'contains(cname, "azurewebsites.net")'
+          - 'contains(cname, "azurewebsites.windows.net")'
+          - 'contains(cname, "blob.core.windows.net")'
+          - 'contains(cname, "cloudapp.azure.com")'
+          - 'contains(cname, "cloudapp.net")'
+          - 'contains(cname, "database.windows.net")'
+          - 'contains(cname, "redis.cache.windows.net")'
+          - 'contains(cname, "search.windows.net")'
+          - 'contains(cname, "servicebus.windows.net")'
+          - 'contains(cname, "trafficmanager.net")'
+          - 'contains(cname, "visualstudio.com")'
     extractors:
       - type: dsl
         dsl:
           - cname
-
-# digest: 4a0a00473045022043d1113417de308936591aa35f8175c25ad9d5b66b6d076fe0ba324450b1799e022100add5bb113b494d920eb39a99c107f2e7dff1979d482302e2580ff07e5857d9ff:922c64590222798bb761d5b6d8e72950