services / Azure / DNS SRV record set

An authoritative DNS SRV record set within an Azure public DNS zone. SRV records advertise the host and port that back named services (e.g. SIP, LDAP, autodiscover) for the domain.

DNS record data is published and resolvable by design (public); write/delete control determines where service-discovery clients are routed.


Microsoft.Network/dnszones/SRV/write

Creating/replacing SRV records repoints service-discovery lookups to attacker-controlled hosts/ports, hijacking how clients locate and reach the domain's services.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Network
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog