First version of subdomain takeover runbook

2026-02-27 18:52:18 +01:00 · 2021-09-01 16:25:01 +02:00
parent ec9d1d34ae
commit 3a348fc8b0
11 changed files with 810 additions and 187 deletions
--- a/Powershell/RunBooks/SubdomainTakeOverCheck.ps1
+++ b/Powershell/RunBooks/SubdomainTakeOverCheck.ps1
@@ -0,0 +1,89 @@
+
+$effectoryDomainPattern = "*.effectory.com"
+
+Import-Module Az.Accounts
+Import-Module Az.Websites
+Import-Module Az.FrontDoor
+Import-Module Az.Storage
+Import-Module Az.Cdn
+Import-Module Az.Network
+Import-Module Az.TrafficManager
+Import-Module Az.ContainerInstance
+Import-Module Az.Automation
+Import-Module Az.Resources
+Import-Module Effectory.Dns -Force
+Import-Module DnsClient
+
+# --------------------------------------------------------- Connect to Azure
+$connectionName = "AzureRunAsConnection"
+try
+{
+    # Get the connection "AzureRunAsConnection "
+    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName       
+    $account = Connect-AzAccount `
+        -ServicePrincipal `
+        -TenantId $servicePrincipalConnection.TenantId `
+        -ApplicationId $servicePrincipalConnection.ApplicationId `
+        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
+    Write-Output ("Connected with Automation Account [$($account.Name)]")
+}
+catch {
+    if (!$servicePrincipalConnection)
+    {
+        throw "Connection $($connectionName) not found."
+    } 
+    else
+    {
+        Write-Error -Message $_.Exception
+        throw $_.Exception
+    }
+}
+
+# --------------------------------------------------------------- Get the connection string
+$connectionName = "RunbooksEffectory-StorageConnectionString"
+try
+{
+    $Cred = Get-AutomationPSCredential -Name $connectionName 
+    $connectionString = $cred.GetNetworkCredential().Password
+    Write-Output ("Retrieved connection string to Storage Account [$($cred.UserName)]")
+}
+catch {
+    if (!$connectionString)
+    {
+        throw "Connection $($connectionName) not found."
+    } 
+    else
+    {
+        Write-Error -Message $_.Exception
+        throw $_.Exception
+    }
+}
+
+try {
+    # --------------------------------------------------------------- Get the current resources
+    $subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled"
+
+    [EffectoryDomainNameCheck[]]$effectoryResources = @()
+
+    foreach ($subscription in $subscriptions) 
+    {
+        $items = Get-EffectoryDomainResources -subscriptionId $subscription.Id -effectoryDomainPattern $effectoryDomainPattern
+        $effectoryResources = $effectoryResources + $items
+    }
+
+    # --------------------------------------------------------------- Get and compare the previous resources to the current resources
+
+    $effectoryResourcesPrevious = Get-BlobEffectoryDomainResources -connectionString $connectionString
+    $hasErrors = VerifyEffectoryDomainResources  -effectoryDomainPattern $effectoryDomainPattern -effectoryResources $effectoryResources -effectoryResourcesPrevious $effectoryResourcesPrevious
+
+    if ($hasErrors -eq $false) {
+        Set-BlobEffectoryDomainResources -connectionString $connectionString -effectoryResources $effectoryResources
+    }
+    else {
+        throw "Found domains that could possibly be used for subdomain takeover. Check the log for details."
+    }
+}
+catch {
+    Write-Error -Message $_.Exception
+    throw $_.Exception
+}