Abstract
Microsoft Azure has become the second-largest cloud infrastructure provider by market share (as per multiple reports), just behind AWS. Numerous tools and vulnerable applications are available for AWS that let security professionals practice attack and defense, but that is not the case for Azure, where far fewer options are available to the community. AzureGoat is our attempt to narrow this gap.
In this talk, we will introduce AzureGoat, a vulnerable-by-design infrastructure on the Azure cloud environment. AzureGoat will allow a user to do the following:
- Explore a vulnerable infrastructure hosted on an Azure account
- Explore different ways to get a foothold into the environment, e.g., vulnerable web app, exposed endpoint, attached MSI
- Learn and practice different attacks by leveraging misconfigured Azure components like Virtual Machines, Storage Accounts, App Services, Databases, etc.
- Abuse Azure AD roles and permissions
- Audit and fix misconfigurations in IaC
- Redeploy the fixed/patched infrastructure
The user will be able to deploy AzureGoat on their Azure account using a pre-created Docker image and scripts. Once deployed, AzureGoat can be used for target practice and conveniently deleted later.
All the code and deployment scripts will be made open-source after the talk.