Mapping URLs
Like many other cloud providers, Azure exposes open URLs for each service that lead to individual tenant cloud environments. What differs is the large number of base domains these URLs use. NetSPI, an information security consultancy, has provided us with a reference list of useful endpoints and services that attackers can use for subdomain queries.
They will then do one of two things that we should observe.
They will use CNAMEs to map a value like files.sec588.com to sec588co.files.core.windows.
They will pick a pattern like sec588co and reuse it across their infrastructure.
Given that many customers' environments are named according to a pattern, attackers or testers can conduct keyword queries like:
Many shared services on Azure, such as Exchange, SharePoint, Azure Files, and Azure App Services, have subdomain endpoints. Tools like NetSPI's MicroBurst take this into account when enumerating services on Azure.
For keyword lists, reference and use https://www.github.com/assetnote/commonspeak2 and the word lists it generates at https://wordlists.assetnote.io.
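A defender can check for the same two behaviours in their own zone data. The following is an added example, not code from the original page or from NetSPI's tooling: it parses a constructed BIND-style zone export for sec588.com, lists CNAMEs that point at Azure shared-service base domains, and flags resource names reused across services. The suffix list is partial, and the function names and sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Partial list of Azure shared-service base domains, chosen for this example.
AZURE_SUFFIXES = {
    "blob.core.windows.net": "Storage (Blob)",
    "file.core.windows.net": "Storage (Files)",
    "azurewebsites.net": "App Services",
    "database.windows.net": "SQL Database",
    "vault.azure.net": "Key Vault",
    "sharepoint.com": "SharePoint",
}

# Constructed sample zone export; only the sec588 names come from the page.
SAMPLE_ZONE = """\
files.sec588.com.    3600 IN CNAME sec588co.file.core.windows.net.
www.sec588.com.      3600 IN CNAME sec588co.azurewebsites.net.
assets.sec588.com.   3600 IN CNAME sec588co.blob.core.windows.net.
intranet.sec588.com. 3600 IN CNAME sec588co.sharepoint.com.
docs.sec588.com.     3600 IN CNAME k3v9qpl2x.blob.core.windows.net.
mail.sec588.com.     3600 IN A     192.0.2.10
"""

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)

def azure_cnames(zone_text):
    """Return (alias, azure_label, service) for each CNAME into an Azure base domain."""
    found = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if not m:
            continue  # not a CNAME record
        alias, target = (h.rstrip(".").lower() for h in m.groups())
        for suffix, service in AZURE_SUFFIXES.items():
            if target.endswith("." + suffix):
                # Everything left of the base domain is the tenant-chosen name.
                found.append((alias, target[: -len(suffix) - 1], service))
                break
    return found

def reused_labels(records, min_services=2):
    """Return Azure resource names that appear on min_services or more services."""
    by_label = defaultdict(set)
    for _alias, label, service in records:
        by_label[label].add(service)
    return {l: sorted(s) for l, s in by_label.items() if len(s) >= min_services}

if __name__ == "__main__":
    recs = azure_cnames(SAMPLE_ZONE)
    for alias, label, service in recs:
        print(f"{alias} -> {label} ({service})")
    print("reused across services:", reused_labels(recs))
```

A name that shows up in the reused set is one whose discovery on a single service reveals the likely name on the others, so those resources are the first to review for anonymous access settings.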