Hunting for VPNs in Microsoft Sentinel

Consumer VPN services such as NordVPN, ExpressVPN, CyberGhost, Surfshark, and ProtonVPN are marketed as tools that improve internet security, so a baseline of VPN traffic from end users trying to "improve" their privacy is expected in most environments. Attackers take advantage of that expectation: a sign-in from a commercial VPN exit node draws far less attention than one from an IP address hosted in the Russian Federation, and it sidesteps the simple geolocation-based detections that would flag a foreign IP.

Hunting for VPN activity can therefore surface potentially compromised cloud accounts. This post walks through two ways to detect sign-ins and activity from known VPN providers. The queries are written in KQL for Microsoft Sentinel, but the approach applies to any SIEM that can match a source IP address against a vendor tag or a list of CIDR ranges.

This first query uses the IP tagging that Microsoft Defender for Cloud Apps applies to events in the CloudAppEvents table to find activity that Microsoft itself has flagged as coming through an anonymous proxy. The tagging only covers the services Microsoft has catalogued, so treat a hit as a high-signal lead and a miss as inconclusive rather than as proof the IP is clean.

CloudAppEvents
// IPTags is a dynamic array of labels Microsoft attached to the source IP; "Anonymous proxy" is the one of interest here
| where IPTags contains "Anonymous proxy"
| project Timestamp, AccountDisplayName, Application, ActionType, IPAddress, ISP, CountryCode, IPTags

The second query pulls a list of IPv4 ranges used by VPN providers from a publicly available GitHub repository and matches sign-in source addresses against it with the ipv4_lookup plugin. I do not own or maintain this repository. The list widens coverage beyond what Microsoft tags, but it is community-maintained, so ranges can be stale or over-broad and introduce false positives. Two operational caveats: externaldata fetches the file from GitHub every time the query runs, so the query depends on that URL being reachable from your workspace, and the repository could be abandoned or restructured at any point, which would break the query rather than degrade it gracefully. Verify the file path still resolves before relying on it.

// Fetch the VPN CIDR list at query time; the file is one IPv4 range (CIDR) per line, read into a column named "network"
let IPlist = externaldata (network: string)[@"https://raw.githubusercontent.com/X4BNet/lists_vpn/main/ipv4.txt"] with (format='txt');
SigninLogs
// Match each sign-in IP against the CIDR ranges in IPlist; sign-ins that fall in no range are dropped from the output
| evaluate ipv4_lookup(IPlist, IPAddress, network)
| project TimeGenerated, UserPrincipalName, IPAddress, network, AppDisplayName, ResultType

If your environment permits, you can turn these hunting queries into scheduled analytics rules for your analysts to triage. Be realistic about volume, though: in a large organisation, or one where many users run a personal VPN, a rule that fires on every VPN sign-in will quickly become unmanageable.

At a minimum, monitor for unexpected or new VPN activity in combination with other suspicious behaviour from the same account, such as password changes, mass downloads of OneDrive/SharePoint data, and the creation of mail forwarding rules. A VPN sign-in followed by one of those within a short window is a much stronger signal than either event on its own.
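To make that combination concrete, here is an added example (not from the original post) that reuses the CIDR lookup from the second query above and joins each VPN sign-in to the follow-on behaviours just listed, so that only VPN sign-ins with a password change, a mail-forwarding change, or a burst of file downloads shortly afterwards are returned. It assumes the standard Sentinel tables populated by the Microsoft Entra ID connector (SigninLogs, AuditLogs) and the Office 365 connector (OfficeActivity); the 2-hour window, the 50-file download threshold, the deliberately broad "password" match on audit operation names, and the use of the lower-cased UPN as the join key are all assumptions to tune for your tenant.

```kql
// Added example, not part of the original post. Assumes SigninLogs/AuditLogs (Entra ID connector)
// and OfficeActivity (Office 365 connector). Window, threshold and join key are arbitrary starting points.
let lookback = 7d;
let window = 2h;               // assumed: how long after the VPN sign-in to look for follow-on activity
let downloadThreshold = 50;    // assumed: files downloaded within the window that count as "mass download"
let IPlist = externaldata (network: string)[@"https://raw.githubusercontent.com/X4BNet/lists_vpn/main/ipv4.txt"] with (format='txt');
// Successful sign-ins whose source IP falls inside a published VPN range: one row per (user, time, VPN IP)
let vpnSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                                  // ResultType is a string; "0" is success
    | evaluate ipv4_lookup(IPlist, IPAddress, network)
    | project VpnTime = TimeGenerated, User = tolower(UserPrincipalName), VpnIP = IPAddress, VpnRange = network;
// Password changes/resets from the Entra ID audit log, keyed by the user whose password changed.
// "has password" is intentionally broad (self-service and admin resets alike); narrow it once you see what your tenant emits.
let passwordEvents = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName has "password"
    | extend User = tolower(tostring(TargetResources[0].userPrincipalName))
    | project EventTime = TimeGenerated, User, Signal = strcat("password:", OperationName);
// Inbox-rule or mailbox changes that forward or redirect mail; Parameters holds the cmdlet arguments as text
let forwardingRules = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
    | where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress")
    | project EventTime = TimeGenerated, User = tolower(UserId), Signal = strcat("forwarding:", Operation);
// OneDrive/SharePoint downloads, one row per file; they are counted per sign-in below
let downloads = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload in ("OneDrive", "SharePoint") and Operation == "FileDownloaded"
    | project EventTime = TimeGenerated, User = tolower(UserId), Signal = "download";
// Join every VPN sign-in to the same user's follow-on events and keep only those inside the window
vpnSignins
| join kind=inner (union passwordEvents, forwardingRules, downloads) on User
| where EventTime between (VpnTime .. (VpnTime + window))
| summarize Downloads = countif(Signal == "download"),
            OtherSignals = make_set_if(Signal, Signal != "download"),
            FirstFollowOn = min(EventTime)
    by User, VpnTime, VpnIP, VpnRange
// A sign-in is interesting if it was followed by a mass download OR any password/forwarding event
| where Downloads >= downloadThreshold or array_length(OtherSignals) > 0
| order by VpnTime desc
```

Each output row is one VPN sign-in with the evidence that made it interesting: the matched CIDR range, the number of downloads in the window, and the set of password or forwarding operations that followed. If you later want a user's first-ever VPN sign-in rather than every one, add a lookup against a longer baseline of VpnRange per user before the join; the structure above stays the same.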

Happy hunting!

