T1599.001 Splunk · SPL

Detect Network Address Translation Traversal in Splunk

Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device rewrites source and/or destination addresses of the IP address header. An adversary who gains control of a network boundary device may modify NAT configurations to send traffic between two separated networks or to obscure their activities by changing the addresses of packets traversing the border device, making traffic monitoring more challenging for defenders. Adversaries may combine this technique with Patch System Image (T1601.001) to implement persistent custom NAT mechanisms within compromised device firmware.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1599 Network Boundary Bridging
Sub-technique: T1599.001 Network Address Translation Traversal
Canonical reference: https://attack.mitre.org/techniques/T1599/001/

SPL Detection Query

Splunk (SPL)
(index=network OR index=firewall) sourcetype IN ("syslog", "cisco:ios", "cisco:asa", "pan:log", "juniper:junos", "fortinet:fortigate:traffic", "fortinet:fortigate:event")
  (
    "ip nat inside" OR "ip nat outside" OR "ip nat static" OR
    "ip nat pool" OR "no ip nat" OR "NAT-CREATE" OR "NAT-DELETE" OR
    "nat rule" OR "nat policy" OR "nat translation" OR "nat overload"
  )
| eval NATOperation=case(
    match(_raw, "no ip nat"), "NAT Rule Removed",
    match(_raw, "ip nat inside source"), "Inside Source NAT Configured",
    match(_raw, "ip nat outside source"), "Outside Source NAT Configured",
    match(_raw, "ip nat static"), "Static NAT Configured",
    match(_raw, "ip nat pool"), "Dynamic NAT Pool Configured",
    match(_raw, "(?i)NAT-CREATE"), "NAT Translation Created",
    match(_raw, "(?i)NAT-DELETE"), "NAT Translation Deleted",
    match(_raw, "(?i)nat rule.{0,20}(add|creat|insert)"), "NAT Rule Added",
    match(_raw, "(?i)nat rule.{0,20}(delet|remov)"), "NAT Rule Deleted",
    match(_raw, "(?i)nat rule.{0,20}(modif|edit|chang)"), "NAT Rule Modified",
    true(), "NAT Configuration Event"
  )
| rex field=_raw "by\s+(?<ConfigUser>\S+)\s+on"
| rex field=_raw "on\s+(?<AccessMethod>console|vty\d+|aux\d+)"
| rex field=_raw "\((?<ConfigSourceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)"
| eval IsHighRisk=if(
    match(_raw, "(?i)(no ip nat|NAT-DELETE|nat rule.{0,20}(delet|remov))") OR
    (isnull(ConfigUser) OR ConfigUser="") OR
    match(AccessMethod, "vty"),
    1, 0
  )
| eval IsAfterHours=if(
    (tonumber(strftime(_time, "%H")) < 6 OR tonumber(strftime(_time, "%H")) >= 22),
    1, 0
  )
| table _time, host, NATOperation, ConfigUser, AccessMethod, ConfigSourceIP, IsHighRisk, IsAfterHours, sourcetype, _raw
| sort - _time
Severity: high. Confidence: medium.

Detects NAT configuration changes on network devices by searching the Cisco IOS, Cisco ASA, Palo Alto, Juniper, and Fortinet sourcetypes for NAT-related keywords. The query classifies the operation type (add/remove/modify), extracts the configuring user, access method, and source IP with regexes over the raw syslog message, and evaluates two risk dimensions: IsHighRisk=1 flags NAT rule removals (adversary cleanup), changes with no user attribution in the log, and remote VTY sessions (whose source IP should be checked against the expected administration hosts); IsAfterHours=1 flags changes outside the 06:00-22:00 business-hours window. Together the two fields give analysts a quick triage priority.
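As an added illustration, not code from the page or from Splunk, the query's classification and enrichment logic is reproduced below as a Python reference implementation and run over constructed sample syslog lines. It checks the "no ip nat" removal pattern before the configure patterns so that removing an inside-source rule is labelled a removal, and it assumes an ISO 8601 timestamp in place of Splunk's _time.

```python
import re
from datetime import datetime
# Ordered like the SPL case() (first match wins), with the "no ip nat" removal check first
OPERATION_RULES = [
    (r"no ip nat", "NAT Rule Removed"),
    (r"ip nat inside source", "Inside Source NAT Configured"),
    (r"ip nat outside source", "Outside Source NAT Configured"),
    (r"ip nat static", "Static NAT Configured"),
    (r"ip nat pool", "Dynamic NAT Pool Configured"),
    (r"(?i)NAT-CREATE", "NAT Translation Created"),
    (r"(?i)NAT-DELETE", "NAT Translation Deleted"),
    (r"(?i)nat rule.{0,20}(add|creat|insert)", "NAT Rule Added"),
    (r"(?i)nat rule.{0,20}(delet|remov)", "NAT Rule Deleted"),
    (r"(?i)nat rule.{0,20}(modif|edit|chang)", "NAT Rule Modified"),
]
REMOVAL_RE = re.compile(r"(?i)(no ip nat|NAT-DELETE|nat rule.{0,20}(delet|remov))")
USER_RE = re.compile(r"by\s+(?P<ConfigUser>\S+)\s+on")
ACCESS_RE = re.compile(r"on\s+(?P<AccessMethod>console|vty\d+|aux\d+)")
SRC_RE = re.compile(r"\((?P<ConfigSourceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)")

def classify(raw):
    for pattern, label in OPERATION_RULES:
        if re.search(pattern, raw):
            return label
    return "NAT Configuration Event"  # the SPL true() default

def enrich(timestamp, raw):
    """Return the fields the SPL table emits for one raw event (timestamp is ISO 8601)."""
    def grab(rx, name):
        m = rx.search(raw)
        return m.group(name) if m else None
    fields = {
        "NATOperation": classify(raw),
        "ConfigUser": grab(USER_RE, "ConfigUser"),
        "AccessMethod": grab(ACCESS_RE, "AccessMethod"),
        "ConfigSourceIP": grab(SRC_RE, "ConfigSourceIP"),
    }
    # IsHighRisk: a removal, no user attribution, or a remote VTY (SSH/Telnet) session
    fields["IsHighRisk"] = int(bool(REMOVAL_RE.search(raw)) or not fields["ConfigUser"]
                               or "vty" in (fields["AccessMethod"] or ""))
    hour = datetime.fromisoformat(timestamp).hour  # IsAfterHours: outside 06:00-22:00
    fields["IsAfterHours"] = int(hour < 6 or hour >= 22)
    return fields
# Constructed sample events (not real device logs), shaped so that the rex stages apply
SAMPLE_EVENTS = [
    ("2024-03-02T03:14:07", "%SYS-5-CONFIG_I: no ip nat inside source static 10.10.0.100 203.0.113.100 by admin on vty0 (198.51.100.7)"),
    ("2024-03-02T10:05:44", "%SYS-5-CONFIG_I: ip nat pool EDGE 203.0.113.10 203.0.113.20 netmask 255.255.255.0 by netops on console"),
    ("2024-03-02T23:40:12", "nat rule edge-bridge added by api-svc"),
]
```

Running `enrich` over SAMPLE_EVENTS yields one high-risk after-hours removal, one benign console change, and one anonymous rule addition, which is the triage split the two flags are meant to produce.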

Data Sources

  • Network Device: Network Device Configuration
  • Firewall: Firewall Rule Modification
  • Syslog
  • Network Device Audit Logs

Required Sourcetypes

  • syslog
  • cisco:ios
  • cisco:asa
  • pan:log
  • juniper:junos
  • fortinet:fortigate:event

False Positives & Tuning

  • Authorized network engineers making planned NAT changes during approved change management windows
  • Automated configuration management tools (Ansible, Terraform, Cisco DNA Center) applying scheduled configuration changes
  • Network device reboots restoring startup configurations, triggering repeated NAT config log entries
  • Security testing teams running authorized penetration tests or network segmentation validation exercises
  • ISP or managed service provider technicians making authorized routing and NAT adjustments under a support agreement
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Linux iptables NAT Rule Addition — Simulate Cross-Segment Bridging

    Expected signal: Linux auditd: SYSCALL events for write() to /proc/sys/net/ipv4/ip_forward and execve() of /sbin/iptables with '-t nat -A' arguments. If auditd rules watch execve of iptables: USER_CMD or EXECVE audit events with args including '-t', 'nat', 'MASQUERADE', 'DNAT'. Syslog: kernel netfilter messages if kernel logging is enabled. SIEM: Syslog events from the host containing 'iptables' and 'nat' keywords matching the detection query.

  2. Test 2: Linux nftables NAT Table Creation and Rule Insertion

    Expected signal: Linux auditd: execve() events for the /usr/sbin/nft binary with arguments containing 'nat', 'masquerade', 'dnat'. Syslog: kernel netfilter messages if kernel logging is configured. If auditd EXECVE rules watch nft: EXECVE records showing the full nft command arguments. SIEM: Syslog events from the host matching 'nft' combined with 'nat' or 'masquerade'.

  3. Test 3: Cisco IOS NAT Rule Injection via SSH Expect Script

    Expected signal: Cisco IOS syslog: SYS-5-CONFIG_I message — 'Configured from vty0 (ATTACKER_IP) by ADMIN_USER' — emitted immediately after the configuration session ends. TACACS+ accounting log (if enabled): command records for 'configure terminal', 'ip nat inside source static 10.10.0.100 203.0.113.100', and 'end' attributed to ADMIN_USER from the source IP. Device SSH log: accepted authentication event for ADMIN_USER from the expect script's source IP.

  4. Test 4: Python Netmiko — Automated NAT Policy Modification on Network Device

    Expected signal: Cisco IOS syslog: SYS-5-CONFIG_I event — 'Configured from vty0 (SCRIPT_HOST_IP) by admin' — emitted when send_config_set() completes. TACACS+ accounting: individual command records for each NAT command sent by Netmiko, attributed to the admin account from the script host IP. Network device SSH connection logs: new SSH session from the Python script's host IP. SIEM: Syslog events containing 'ip nat' from the device coinciding with the SSH session from the non-NMS source IP.
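As an added example, not part of the page's detection content, the following Python parses constructed auditd EXECVE records of the kind Tests 1 and 2 expect and flags invocations of iptables, ip6tables or nft that touch the nat table, decoding auditd's hex-encoded arguments on the way. The NAT_TOOLS set, the sample records and the audit key are assumptions.

```python
import re

# Constructed auditd EXECVE/SYSCALL records (not captured from a real host), shaped like
# the telemetry Tests 1 and 2 describe; the a<N> fields are the argv of the executed binary.
SAMPLE_AUDIT = [
    'type=EXECVE msg=audit(1709348047.101:2201): argc=7 a0="iptables" a1="-t" a2="nat" a3="-A" a4="POSTROUTING" a5="-j" a6="MASQUERADE"',
    'type=EXECVE msg=audit(1709348050.220:2202): argc=4 a0="nft" a1="add" a2="table" a3="nat"',
    'type=EXECVE msg=audit(1709348055.330:2203): argc=5 a0="iptables" a1="-A" a2="INPUT" a3="-j" a4="DROP"',
    'type=SYSCALL msg=audit(1709348047.101:2201): arch=c000003e syscall=59 success=yes exit=0 comm="iptables" exe="/usr/sbin/iptables" key="nat_change"',
]
# auditd hex-encodes an argument that contains spaces or quotes (a1=6E6174 instead of a1="nat")
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
NAT_TOOLS = {"iptables", "ip6tables", "nft"}  # assumed set of NAT-capable binaries

def argv_from_execve(record):
    """Rebuild argv from one EXECVE record, decoding hex-encoded args; [] for other types."""
    if not record.startswith("type=EXECVE"):
        return []
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(record):
        args[int(idx)] = quoted if not hexed else bytes.fromhex(hexed).decode(errors="replace")
    return [args[i] for i in sorted(args)]

def is_nat_change(argv):
    """True when iptables/ip6tables/nft is run against the nat table or a MASQUERADE/DNAT target."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in NAT_TOOLS:
        return False
    lower = [a.lower() for a in argv[1:]]
    if "masquerade" in lower or "dnat" in lower:
        return True
    if argv[0].endswith("nft"):
        return "nat" in lower  # e.g. "nft add table nat"
    return any(a == "-t" and b == "nat" for a, b in zip(lower, lower[1:]))

def flag_nat_changes(records):
    """Return (audit serial, command line) for every record that looks like a NAT-table change."""
    hits = []
    for rec in records:
        argv = argv_from_execve(rec)
        if is_nat_change(argv):
            hits.append((ID_RE.search(rec).group(1), " ".join(argv)))
    return hits
```

The audit serial links the EXECVE hit back to its SYSCALL record, which carries the uid, exe path and rule key needed for attribution.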
