Adjacent Discovery Capability with Chariot

Gaining a comprehensive understanding of the external assets in an environment is essential for accurately mapping the attack surface of our clients. If you don’t know something exists, you can’t attack or defend it. Identifying these adjacent assets with various capabilities is crucial for assisting IT departments looking to map their public external attack surface effectively.

What are the Adjacent Asset Discovery Capabilities?

Once a domain is supplied, adjacent asset discovery capabilities will kick off to identify associated GitHub organizations and adjacent domains related to it.

The GitHub Organization discovery capability works by querying the GitHub REST API with the parameters `type:org` with the second level domain (e.g., `praetorian` for `praetorian.com`). Chariot checks whether the GitHub blog value equals the supplied domain for each organization the API returns. If it is equivalent, Chariot creates a new asset of the identified GitHub repository. Once this asset is created, Chariot will perform additional GitHub capabilities, including user and repository enumeration, CI/CD checks, and secret scanning!

To identify adjacent domains, Chariot leverages three capabilities that query various data sources to determine with high confidence any domains owned by the client.

The Reverse WHOIS capability within Chariot queries a third-party historical DNS database, and to ensure any false positives aren’t reported, the capability filters domains to those with matching domains for the registrar email.

The Azure AD adjacent domain discovery capability, heavily leaning on the work of aadinternals, queries the Autodiscover service to identify additional domains within the same Azure AD tenancy and, from there, queries the realm to determine whether they are Federated or Managed. Some clients may exist within third-party managed Azure AD instances. However, out-of-scope domains may exit as Managed domains within the tenancy. Thus, Chariot currently limits assets added to the system to just Federated domains.

The SEC Edgar capability queries SEC government filings made by companies to identify any domains mentioned in financial filings. Daily Chariot will search all filings created within the last day for any new domains. When an account is provisioned, the capability searches all 10-K filings for the company, automatically helping Chariot to identify any companies from Mergers & Acquisitions. For example, in NASDAQ: BKNG’s 10-K filing, several adjacent domains are listed.