Detect Network Address Translation Traversal in Microsoft Sentinel
Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device rewrites source and/or destination addresses of the IP address header. An adversary who gains control of a network boundary device may modify NAT configurations to send traffic between two separated networks or to obscure their activities by changing the addresses of packets traversing the border device, making traffic monitoring more challenging for defenders. Adversaries may combine this technique with Patch System Image (T1601.001) to implement persistent custom NAT mechanisms within compromised device firmware.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1599 Network Boundary Bridging
- Sub-technique: T1599.001 Network Address Translation Traversal
- Canonical reference: https://attack.mitre.org/techniques/T1599/001/
KQL Detection Query
let NATConfigPatterns = dynamic([
// Cisco IOS/IOS-XE CLI text, as carried in %PARSER-5-CFGLOG_LOGGEDCMD records when config logging is on
"ip nat inside source", "ip nat outside source", "ip nat static",
"ip nat pool", "no ip nat", "nat overload",
// Firewall/NMS event wording (has_any is case-insensitive and term-based, so one spelling per phrase suffices)
"NAT-CREATE", "NAT-DELETE",
"nat rule added", "nat rule deleted", "nat rule removed", "nat rule modified",
"nat policy", "nat translation",
// Linux netfilter NAT (iptables -t nat targets; nftables nat tables and chains), for hosts whose
// sudo or auditd records reach the Syslog table
"MASQUERADE", "SNAT", "DNAT", "table ip nat", "type nat hook"
]);
// Source 1: On-premises network devices (and Linux hosts) forwarding syslog to Sentinel
let SyslogNATChanges = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any (NATConfigPatterns)
// Cisco IOS names the user as "by <user> on <line> (<ip>)" in %SYS-5-CONFIG_I and as "User:<user>" in
// %PARSER-5-CFGLOG_LOGGEDCMD; extract() returns null on no match, so coalesce picks whichever format is present
| extend ConfigUser = coalesce(extract(@"by\s+(\S+)\s+on", 1, SyslogMessage),
extract(@"User:(\S+)", 1, SyslogMessage))
| extend AccessMethod = extract(@"on\s+(console|vty\d+|aux\d+)", 1, SyslogMessage)
| extend SourceIP = extract(@"\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)", 1, SyslogMessage)
| extend IsConfigRemoval = SyslogMessage has_any ("no ip nat", "NAT-DELETE", "nat rule deleted", "nat rule removed")
| project TimeGenerated, DeviceHostname=HostName, DeviceIP=HostIP, EventMessage=SyslogMessage,
ConfigUser, AccessMethod, SourceIP, IsConfigRemoval, DataSource="Syslog";
// Source 2: CEF events from firewalls (Palo Alto, Cisco ASA, Fortinet) via CommonSecurityLog
let CEFNATChanges = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceEventCategory has_any ("nat", "config", "policy-change")
| where Activity has_any (
"nat-rule-add", "nat-rule-delete", "nat-rule-edit",
"config-change", "nat-policy-update", "nat-translation-create",
"NAT rule created", "NAT rule removed", "NAT rule modified"
)
| extend IsConfigRemoval = Activity has_any ("delete", "removed")
// Vendors place the administrator account in different CEF user fields; take whichever is populated
| extend ConfigUser = iff(isnotempty(SourceUserName), SourceUserName, DestinationUserName)
| project TimeGenerated, DeviceHostname=DeviceName, DeviceIP=DeviceAddress, EventMessage=Message,
ConfigUser, AccessMethod="API/Console",
SourceIP, IsConfigRemoval, DataSource=DeviceVendor;
// Source 3: Azure NAT Gateway and Azure Firewall rule changes
let AzureNATChanges = AzureActivity
| where TimeGenerated > ago(24h)
| where ResourceProviderValue =~ "MICROSOFT.NETWORK"
| where OperationNameValue has_any (
"natGateways/write", "natGateways/delete",
"azureFirewalls/write",
"firewallPolicies/ruleCollectionGroups/write",
"firewallPolicies/ruleCollectionGroups/delete"
)
| where ActivityStatusValue =~ "Success"
| extend IsConfigRemoval = OperationNameValue has "delete"
// Full resource ID rather than resource group, so the analyst lands on the exact gateway or policy
| project TimeGenerated, DeviceHostname=_ResourceId, DeviceIP=CallerIpAddress,
EventMessage=OperationNameValue, ConfigUser=Caller,
AccessMethod="Azure Portal/API", SourceIP=CallerIpAddress,
IsConfigRemoval, DataSource="AzureActivity";
// Combine all NAT change events across the hybrid environment
union SyslogNATChanges, CEFNATChanges, AzureNATChanges
| sort by TimeGenerated desc
Detects NAT configuration changes across a hybrid estate from three complementary sources, normalised to one schema and combined with union: (1) Syslog from on-premises network devices (Cisco IOS/IOS-XE, Juniper Junos) and Linux hosts, matched on NAT configuration keywords in the message text, with the configuring user, access method (console versus VTY, i.e. local versus remote) and source IP extracted where the message carries them; (2) CommonSecurityLog for CEF-formatted NAT policy change events from Palo Alto, Cisco ASA and Fortinet firewalls; (3) AzureActivity for Azure NAT Gateway and Azure Firewall rule changes. Two caveats for the Syslog branch. On Cisco IOS the %SYS-5-CONFIG_I record ("Configured from console by <user> on vty0 (<ip>)") names the user, the line and the source IP, but it does not carry the command itself, so on its own it never contains a NAT keyword; the command text only reaches Syslog when per-command configuration logging is enabled (archive, log config, logging enable, notify syslog), which emits a %PARSER-5-CFGLOG_LOGGEDCMD record with "User:<user>" and the full command. Enable it, or correlate CONFIG_I with TACACS+ command accounting, to get both who and what. Second, has_any is case-insensitive and term-based ("nat" inside another word does not match), and Linux iptables/nftables changes are only caught if the sudo or auditd record carrying the command is forwarded to the Syslog table and the pattern list includes their keywords (MASQUERADE, SNAT, DNAT, nftables nat tables). For the Azure branch, firewallPolicies/ruleCollectionGroups/write fires for network and application rule collections as well as DNAT collections and AzureActivity does not say which kind changed, so confirm against the policy's rule collections before escalating. IsConfigRemoval=true flags deletions, which may be adversary cleanup or restoration of the original configuration to hide the bridging.
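The Syslog branch is the part of the query that depends on message formats rather than on structured columns, so the following added example (not code from the original page) mirrors its logic offline in Python over constructed sample lines: the term-based keyword match, the two Cisco user formats, and the removal flag. It also shows the practitioner's workaround for the caveat above, correlating each matched command with the next %SYS-5-CONFIG_I record from the same device to recover the access line and source IP; that correlation is a design addition and is not in the KQL. Assumptions: the sample log lines, host names and addresses are constructed, and has_any() is an approximation of Kusto's term semantics (alphanumeric runs, case-insensitive).

```python
"""Offline mirror of the Syslog branch above, run over constructed sample lines."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Same pattern list as the query, including the Linux netfilter keywords.
NAT_CONFIG_PATTERNS = [
    "ip nat inside source", "ip nat outside source", "ip nat static",
    "ip nat pool", "no ip nat", "nat overload", "NAT-CREATE", "NAT-DELETE",
    "nat rule added", "nat rule deleted", "nat rule removed", "nat rule modified",
    "nat policy", "nat translation",
    "MASQUERADE", "SNAT", "DNAT", "table ip nat", "type nat hook",
]
REMOVAL_PATTERNS = ["no ip nat", "NAT-DELETE", "nat rule deleted", "nat rule removed"]

# Cisco IOS session-end record: "Configured from console by <user> on <line> (<ip>)"
CISCO_SESSION = re.compile(
    r"by\s+(\S+)\s+on\s+(console|vty\d+|aux\d+)(?:\s+\((\d{1,3}(?:\.\d{1,3}){3})\))?")
# Cisco IOS per-command config-logging record: "User:<user>  logged command:<cmd>"
CFGLOG_USER = re.compile(r"User:(\S+)")
_TERM = re.compile(r"[A-Za-z0-9]+")


def has_any(text: str, patterns) -> bool:
    """Approximation (assumption) of KQL has_any: case-insensitive match on whole
    terms, so 'nat' does not match inside 'designation' and the pattern
    'nat-rule-added' matches the text 'NAT rule added'."""
    terms = [t.lower() for t in _TERM.findall(text)]
    for pattern in patterns:
        p = [t.lower() for t in _TERM.findall(pattern)]
        if any(terms[i:i + len(p)] == p for i in range(len(terms) - len(p) + 1)):
            return True
    return False


@dataclass
class NatChange:
    host: str
    ts: datetime
    message: str
    user: Optional[str]
    is_removal: bool
    access_method: Optional[str] = None
    source_ip: Optional[str] = None


def parse_session_end(message: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """(user, line, source_ip) from a %SYS-5-CONFIG_I record, else None."""
    if "SYS-5-CONFIG_I" not in message:
        return None
    m = CISCO_SESSION.search(message)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def match_nat_changes(events) -> List[NatChange]:
    """The query's where/extend logic: keyword match, then user extraction."""
    changes = []
    for host, ts, msg in events:
        if not has_any(msg, NAT_CONFIG_PATTERNS):
            continue
        m = CFGLOG_USER.search(msg) or re.search(r"by\s+(\S+)\s+on", msg)
        changes.append(NatChange(host, ts, msg, m.group(1) if m else None,
                                 has_any(msg, REMOVAL_PATTERNS)))
    return changes


def enrich_with_session_end(changes, events, window=timedelta(minutes=5)):
    """Design addition, not in the page's query: attach line and source IP from the
    first CONFIG_I record the same device emits within `window` after the command,
    because the CONFIG_I line itself never contains a NAT keyword."""
    sessions = [(h, ts, parse_session_end(m)) for h, ts, m in events]
    for c in changes:
        after = [(ts, s) for h, ts, s in sessions
                 if s and h == c.host and c.ts <= ts <= c.ts + window]
        if after:
            user, line, ip = min(after, key=lambda x: x[0])[1]
            c.user, c.access_method, c.source_ip = c.user or user, line, ip
    return changes


# Constructed sample telemetry (host, time, message); not captured from real devices.
SAMPLE_EVENTS = [
    ("edge-rtr1", datetime(2024, 1, 15, 10, 0, 5),
     "%PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:ip nat inside source static 10.10.0.100 203.0.113.100"),
    ("edge-rtr1", datetime(2024, 1, 15, 10, 0, 40),
     "%SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (198.51.100.7)"),
    ("edge-rtr1", datetime(2024, 1, 15, 11, 30, 0),
     "%PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no ip nat inside source static 10.10.0.100 203.0.113.100"),
    ("edge-rtr1", datetime(2024, 1, 15, 11, 30, 12),
     "%SYS-5-CONFIG_I: Configured from console by jdoe on vty1 (203.0.113.25)"),
    ("lnx-gw01", datetime(2024, 1, 15, 12, 0, 0),
     "sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"),
    ("edge-rtr1", datetime(2024, 1, 15, 12, 6, 0),
     "Interface designation updated; NATIVE vlan unchanged"),  # 'nat' only as a substring: must not match
]


def detect(events=SAMPLE_EVENTS) -> List[NatChange]:
    return enrich_with_session_end(match_nat_changes(events), events)


if __name__ == "__main__":
    for c in detect():
        print(f"{c.ts:%H:%M:%S} {c.host:<10} user={c.user} via={c.access_method} "
              f"from={c.source_ip} removal={c.is_removal}")
```

Running it yields three hits: the two Cisco command records, enriched with vty0/198.51.100.7 and vty1/203.0.113.25 from the CONFIG_I records that followed them, and the Linux MASQUERADE command with no user or line (neither Cisco regex applies to a sudo record). The CONFIG_I lines themselves and the "designation/NATIVE" line produce nothing, which is the behaviour the caveat above describes.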
Data Sources
Required Tables
- Syslog
- CommonSecurityLog
- AzureActivity
False Positives & Tuning
- Authorized network engineers making planned NAT changes during approved change management windows — correlate against change tickets before escalating
- Automated configuration management tools (Ansible, Terraform, Cisco DNA Center, NetBox) applying approved network configurations on a scheduled basis
- Cloud infrastructure automation scripts creating or modifying Azure NAT Gateways as part of normal CI/CD deployment pipelines
- Network device reboots: when the startup configuration is applied, Cisco IOS emits %SYS-5-CONFIG_I ("Configured from memory by console"), which carries no NAT command and should not match on its own, but check these events if you widen the pattern list or correlate CONFIG_I with command records
- Managed service providers or ISP technicians making authorized routing or NAT adjustments under a support contract — verify against vendor change notifications
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Linux iptables NAT Rule Addition (Simulate Cross-Segment Bridging)
Expected signal: Linux auditd: EXECVE/SYSCALL records for execve() of /sbin/iptables with '-t nat -A' arguments, and for sysctl or the write to /proc/sys/net/ipv4/ip_forward if your rules cover it. If iptables runs under sudo: a USER_CMD record, and EXECVE records whose arguments include '-t', 'nat' and the target ('MASQUERADE', 'DNAT' or 'SNAT'). Syslog: kernel netfilter messages if kernel logging is enabled. SIEM: the Syslog branch fires only if the forwarded line contains one of the query's NAT patterns; 'iptables -t nat' alone matches none of the Cisco or firewall phrases, so the nat-table target names (MASQUERADE, SNAT, DNAT) must be in the pattern list and the sudo or audit record carrying the command must reach the Syslog table.
- Test 2: Linux nftables NAT Table Creation and Rule Insertion
Expected signal: Linux auditd: execve() records for /usr/sbin/nft with arguments containing 'nat', 'masquerade' or 'dnat'; with EXECVE rules on nft, the full command arguments. Syslog: kernel netfilter messages if kernel logging is configured. SIEM: as in Test 1, the forwarded line must carry a listed pattern; nftables commands are recognisable by 'table ip nat', 'type nat hook', 'masquerade' and 'dnat to'.
- Test 3: Cisco IOS NAT Rule Injection via SSH Expect Script
Expected signal: Cisco IOS syslog: a %SYS-5-CONFIG_I record, 'Configured from console by ADMIN_USER on vty0 (ATTACKER_IP)', emitted when the configuration session ends; it identifies who, which line and from where, but carries no NAT keyword. With configuration logging enabled (archive, log config, logging enable, notify syslog): one %PARSER-5-CFGLOG_LOGGEDCMD record per command, 'User:ADMIN_USER logged command:ip nat inside source static 10.10.0.100 203.0.113.100', which is what the Syslog branch matches. TACACS+ accounting (if enabled): command records for 'configure terminal', 'ip nat inside source static 10.10.0.100 203.0.113.100' and 'end' attributed to ADMIN_USER from the source IP. Device SSH log: accepted authentication for ADMIN_USER from the expect script's source IP.
- Test 4: Python Netmiko, Automated NAT Policy Modification on a Network Device
Expected signal: Cisco IOS syslog: a %SYS-5-CONFIG_I record, 'Configured from console by admin on vty0 (SCRIPT_HOST_IP)', emitted when send_config_set() leaves configuration mode, plus one %PARSER-5-CFGLOG_LOGGEDCMD record per NAT command if configuration logging is enabled. TACACS+ accounting: one command record per NAT command sent by Netmiko, attributed to the admin account from the script host IP. Device SSH logs: a new session from the Python script's host. SIEM: Syslog events containing 'ip nat' from the device coinciding with an SSH session from a source that is not your NMS.
References
- https://attack.mitre.org/techniques/T1599/001/
- https://tools.ietf.org/html/rfc1918
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book/iadnat-addr-consrvtn.html
- https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/syslog
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity
- https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
- https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
- https://github.com/ktbyers/netmiko
- https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-strong-security-controls-network-infrastructure-devices-508c.pdf