Adversaries who have compromised an endpoint may route traffic to non-corporate private networks, such as a residential broadband connection or a personal VPN service, to stage a command-and-control channel or to move data out from behind the corporate web proxy. This rule flags proxy requests that Cisco Umbrella allowed and categorised as 'Dynamic and Residential' or 'Personal VPN'. SOC teams can run it in Microsoft Sentinel (formerly Azure Sentinel) as a scheduled analytic or reuse the query for hunting. Note that the rule's tactics are Command and Control and Exfiltration, not lateral movement: the category match says where the request went, not what happened once it got there, so each hit needs follow-up on the identity and the destination. In the query, Cisco_Umbrella is the solution's parser function over the raw Cisco_Umbrella_proxy_CL table, and EventType == 'proxylogs' restricts it to web proxy events.
KQL Query
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')
| project TimeGenerated, SrcIpAddr, Identities
id: c9b6d281-b96b-4763-b728-9a04b9fe1246
name: Cisco Umbrella - Connection to non-corporate private network
description: |
  'IP addresses of broadband links that usually indicate users attempting to access their home network, for example for a remote session to a home computer.'
severity: Medium
requiredDataConnectors:
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - Exfiltration
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')
  | project TimeGenerated, SrcIpAddr, Identities
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Identities
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
version: 1.1.1
kind: Scheduled
Benign activity that can trigger this rule, with tuning guidance. Two constraints shape every exclusion: Umbrella's proxylogs contain HTTP and HTTPS requests only, and they carry no client process name, so a tool name such as mstsc.exe or rsync cannot be matched in this data. Key exclusions on fields the query already has (Identities, SrcIpAddr) or on the destination host and IP (UrlOriginal, DstIpAddr in the same parser), and keep the approved identity/destination pairs in a Sentinel watchlist rather than hard-coding them in the query. Private RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are never a useful filter here: SrcIpAddr is the corporate client's internal address, and a private address cannot be the destination of a request that reached the Umbrella cloud proxy.
Scenario: Remote Desktop Session to Home Network
Description: An employee connects to their home network via a remote desktop session to access personal files or a home server.
Filter/Exclusion: Native RDP on TCP 3389 does not pass through the web proxy, so only browser- or HTTPS-based remote access shows up in these logs. Exclude the approved user's Identities value paired with the home connection's public hostname or IP, not the process name and not a private range.
Scenario: Scheduled Backup Job to Home NAS
Description: A scheduled backup job runs nightly to a personal Network Attached Storage (NAS) device located on the employee's home network.
Filter/Exclusion: Exclude the account running the job (its Identities value, ideally a dedicated service identity) paired with the NAS's public hostname or IP. Because the job runs nightly, the exclusion can also be limited to that time window so the same destination still alerts during working hours.
Scenario: Admin Access to Home Lab for Development
Description: A system administrator accesses a home lab environment for development or testing purposes.
Filter/Exclusion: SSH and VNC are not HTTP and do not appear in proxylogs; browser-based or HTTPS-tunnelled remote-access tools may. Exclude the administrator's Identities value paired with the home lab's public endpoint, and keep this list short: an admin's approved exception is exactly the path an attacker holding that admin's credentials would reuse.
Scenario: Corporate Network Access to Home Printer
Description: An employee connects to a home printer from the corporate network to print a document.
Filter/Exclusion: IPP and LPD are not web protocols, and a printer on a private range such as 192.168.1.0/24 is not reachable through the cloud proxy, so direct printing never appears in proxylogs and needs no exclusion. If the printer is reached through a vendor's cloud print service over HTTPS, exclude that service's destination host for the approved user.
Scenario: Cloud Service Integration with Home Network
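The rule's filters and the exclusion tuning from the scenarios above, as an added example that is not code from the Sentinel rule, Microsoft or Cisco. It re-implements the KQL conditions in Python over constructed Umbrella proxy CSV lines (the column order is an assumption and only six columns are used), applies watchlist-style identity/destination exclusions (hypothetical entries), and groups the remaining hits per identity. The constant NOW is a constructed reference time standing in for the query's ago(10m) window.

```python
"""Added example (not code from the Sentinel rule, Microsoft or Cisco): the rule's
filters re-implemented over constructed Cisco Umbrella proxy log lines, plus the
identity/destination exclusions the tuning scenarios call for."""
import csv
import io
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumed column order of an Umbrella proxy CSV export (assumption; only
# Timestamp, Identities, Internal IP, Verdict, URL and Categories are used).
COLUMNS = [
    "Timestamp", "Identities", "Internal IP", "External IP", "Destination IP",
    "Content Type", "Verdict", "URL", "Referer", "userAgent", "statusCode",
    "requestSize", "responseSize", "responseBodySize", "SHA-SHA256", "Categories",
]
SUSPECT_CATEGORIES = {"Dynamic and Residential", "Personal VPN"}

# Constructed sample lines, not real traffic. Timestamps are UTC; the last line
# shows a multi-valued Categories field, which the export quotes as one cell.
SAMPLE_LOG = """\
2024-05-06 09:58:12,alice@corp.example,10.20.30.41,203.0.113.10,198.51.100.7,text/html,ALLOWED,https://home.alice.example/,,Mozilla/5.0,200,512,2048,1900,,Dynamic and Residential
2024-05-06 09:59:01,bob@corp.example,10.20.30.42,203.0.113.10,192.0.2.55,application/octet-stream,ALLOWED,https://vpn-gw.example.net/connect,,,200,1024,8192,8000,,Personal VPN
2024-05-06 09:59:30,carol@corp.example,10.20.30.43,203.0.113.10,192.0.2.99,text/html,BLOCKED,https://vpn-gw.example.net/,,Mozilla/5.0,403,300,100,0,,Personal VPN
2024-05-06 09:59:45,dave@corp.example,10.20.30.44,203.0.113.10,93.184.216.34,text/html,ALLOWED,https://www.example.com/,,Mozilla/5.0,200,600,4000,3900,,Search Engines
2024-05-06 09:30:00,alice@corp.example,10.20.30.41,203.0.113.10,198.51.100.7,text/html,ALLOWED,https://home.alice.example/,,Mozilla/5.0,200,512,2048,1900,,Dynamic and Residential
2024-05-06 09:59:50,backup-svc@corp.example,10.20.30.99,203.0.113.10,198.51.100.20,application/octet-stream,ALLOWED,https://nas.bob-home.example:8443/backup,,rclone/1.66,200,100000,200,0,,Dynamic and Residential
2024-05-06 09:59:55,eve@corp.example,10.20.30.45,203.0.113.10,192.0.2.77,text/html,ALLOWED,https://tunnel.example.org/,,Mozilla/5.0,200,400,900,850,,"Software/Technology,Personal VPN"
"""

# Constructed reference time; the rule's ago(10m) is evaluated relative to it.
NOW = datetime(2024, 5, 6, 10, 0, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(minutes=10)

# Approved exceptions of the kind a Sentinel watchlist would hold (hypothetical
# entries). An entry matches only when every field it names matches.
EXCLUSIONS = (
    {"identity": "alice@corp.example", "dst_host": "home.alice.example"},
    {"identity": "backup-svc@corp.example", "dst_host": "nas.bob-home.example"},
)


def parse_proxy_log(text):
    """Parse CSV lines into dicts and split Categories into a set."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=COLUMNS):
        row["Timestamp"] = datetime.strptime(
            row["Timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        cats = (row.get("Categories") or "").split(",")
        row["CategorySet"] = {c.strip() for c in cats if c.strip()}
        rows.append(row)
    return rows


def dst_host(url):
    """Hostname of the requested URL, without port, lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def excluded(row, exclusions):
    """True when some non-empty entry matches on every field it specifies."""
    for entry in exclusions:
        if not entry:
            continue  # an empty entry must never silence everything
        ident_ok = "identity" not in entry or entry["identity"] == row["Identities"]
        host_ok = "dst_host" not in entry or entry["dst_host"] == dst_host(row["URL"])
        if ident_ok and host_ok:
            return True
    return False


def detect(rows, now=NOW, lookback=LOOKBACK, exclusions=EXCLUSIONS):
    """Mirror of the KQL: TimeGenerated > ago(lbtime), DvcAction =~ 'Allowed'
    (case-insensitive), UrlCategory has_any of the suspect set, then exclusions.
    Returns the projected columns plus the destination host and hit categories."""
    hits = []
    for row in rows:
        if row["Timestamp"] <= now - lookback or row["Verdict"].lower() != "allowed":
            continue
        matched = row["CategorySet"] & SUSPECT_CATEGORIES
        if not matched or excluded(row, exclusions):
            continue
        hits.append({
            "TimeGenerated": row["Timestamp"].isoformat(),
            "SrcIpAddr": row["Internal IP"],
            "Identities": row["Identities"],
            "DstHost": dst_host(row["URL"]),
            "UrlCategory": sorted(matched),
        })
    return hits


def by_identity(hits):
    """Group hits per user so one identity yields one candidate incident."""
    groups = {}
    for h in hits:
        g = groups.setdefault(h["Identities"], {"count": 0, "hosts": set()})
        g["count"] += 1
        g["hosts"].add(h["DstHost"])
    return groups


def run_rule(exclusions=EXCLUSIONS):
    """Run the rule over the sample log with the given exclusions."""
    return detect(parse_proxy_log(SAMPLE_LOG), exclusions=exclusions)
```

run_rule() returns the tuned hits (bob's personal VPN connection and eve's request, whose multi-valued category cell still contains 'Personal VPN'); run_rule(exclusions=()) shows the untuned result, where alice's approved home session and the backup job also fire. The blocked request and the out-of-window request are dropped in both cases, exactly as the KQL's DvcAction and TimeGenerated filters drop them.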