T1599 Microsoft Sentinel · KQL

Detect Network Boundary Bridging in Microsoft Sentinel

This detection identifies adversary activity consistent with MITRE ATT&CK T1599 (Network Boundary Bridging), where threat actors compromise perimeter network devices — routers, firewalls, or internal segmentation appliances — and reconfigure them to allow prohibited traffic to cross trust boundaries. Detection focuses on unauthorized ACL modifications, NAT rule changes, routing table manipulation, and firewall policy changes sourced from network device syslog and configuration audit trails ingested into SIEM. Because this technique targets network infrastructure rather than endpoints, primary telemetry comes from CommonSecurityLog (CEF-formatted device logs), Syslog, and network device AAA/TACACS+ audit streams. High-severity modifications include permit-any rules, deletion of blocking ACLs, addition of bypass NAT entries, and introduction of static routes to previously isolated segments.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1599 Network Boundary Bridging
Canonical reference
https://attack.mitre.org/techniques/T1599/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousKeywords = dynamic(["permit ip any any", "no access-list", "access-group removed", "nat bypass", "ip route 0.0.0.0", "no ip access-group", "access-list extended permit", "shutdown", "policy deleted", "rule removed", "bypass", "clear access-list", "no firewall"]);
let NetworkVendors = dynamic(["Cisco", "Palo Alto Networks", "Fortinet", "Check Point", "Juniper Networks", "SonicWall", "WatchGuard", "F5", "Barracuda"]);
CommonSecurityLog
| where DeviceVendor in~ (NetworkVendors)
| where Activity has_any ("ACL-change", "config-change", "policy-change", "route-change", "nat-change", "firewall-change", "configuration")
    or Message has_any (SuspiciousKeywords)
| where DeviceAction !in~ ("deny", "blocked", "drop", "reject")
| extend ChangeType = case(
    Message has_any ("access-list", "ACL", "access-group"), "ACL_Modification",
    Message has_any ("nat", "NAT", "overload"), "NAT_Rule_Change",
    Message has_any ("ip route", "route add", "static route", "gateway"), "Route_Modification",
    Message has_any ("policy", "rule", "filter"), "Policy_Change",
    Message has_any ("shutdown", "no shutdown", "interface"), "Interface_Change",
    "Other"
)
| extend RiskScore = case(
    Message has "permit ip any any", 100,
    Message has "no access-list", 95,
    Message has "nat bypass", 95,
    Message has "ip route 0.0.0.0", 90,
    Message has "access-group removed", 85,
    Message has "clear access-list", 80,
    Message has "policy deleted", 75,
    70
)
| where RiskScore >= 75
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAddress, ChangeType, RiskScore, Activity, Message, SourceUserName, SourceIP, Computer
| order by RiskScore desc, TimeGenerated desc
high severity medium confidence

Detects unauthorized or suspicious configuration changes on perimeter network devices by querying CommonSecurityLog for CEF-formatted events from firewalls and routers. Focuses on ACL deletions or permit-any rules, NAT bypass entries, static route additions to isolated segments, and policy removals — all of which could allow prohibited traffic to cross trust boundaries. Risk-scored to surface highest-severity changes first.

Data Sources

Microsoft Sentinel - CommonSecurityLog (CEF)Microsoft Sentinel - Syslog

Required Tables

CommonSecurityLog

False Positives & Tuning

  • Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
  • Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
  • Security operations performing penetration test or red team exercises with pre-authorized network changes
  • Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs
Download portable Sigma rule (.yml)

Other platforms for T1599

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add iptables rule to permit forwarding between network segments on Linux firewall

    Expected signal: Syslog events showing iptables rule addition, kernel sysctl change in /proc/sys/net/ipv4/ip_forward, auditd records if audit rules on iptables binary, and Linux auth logs showing sudo elevation.

  2. Test 2Add static route to bridge isolated network segment on Linux router

    Expected signal: Auditd records of 'ip route' command execution, kernel routing table modification in /proc/net/route, syslog if routing daemon is logging, and file modification event on /etc/network/routes.

  3. Test 3Flush iptables security rules to allow all inter-segment traffic

    Expected signal: Syslog or auditd records capturing: (1) iptables -F FORWARD command execution with sudo, (2) iptables -P FORWARD ACCEPT policy change, (3) sysctl net.ipv4.ip_forward=1. If network device sends SNMP traps, a linkDown/warmStart trap may fire.

Last updated: 2026-03-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1599 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (1)

Related Techniques

T1599.001Network Address Translation TraversalT1090.003Multi-hop ProxyT1020.001Traffic DuplicationT1090.001Internal ProxyT1021.001Remote Desktop ProtocolT1556.003Pluggable Authentication ModulesT1110Brute Force

Same Tactic: Defense Evasion

Popular Detections