T1599 Splunk · SPL

Detect Network Boundary Bridging in Splunk

This detection identifies adversary activity consistent with MITRE ATT&CK T1599 (Network Boundary Bridging), where threat actors compromise perimeter network devices — routers, firewalls, or internal segmentation appliances — and reconfigure them to allow prohibited traffic to cross trust boundaries. Detection focuses on unauthorized ACL modifications, NAT rule changes, routing table manipulation, and firewall policy changes sourced from network device syslog and configuration audit trails ingested into SIEM. Because this technique targets network infrastructure rather than endpoints, primary telemetry comes from CommonSecurityLog (CEF-formatted device logs), Syslog, and network device AAA/TACACS+ audit streams. High-severity modifications include permit-any rules, deletion of blocking ACLs, addition of bypass NAT entries, and introduction of static routes to previously isolated segments.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1599 Network Boundary Bridging
Canonical reference
https://attack.mitre.org/techniques/T1599/

SPL Detection Query

Splunk (SPL)
spl 
index=network (sourcetype=syslog OR sourcetype=cisco:ios OR sourcetype=cisco:asa OR sourcetype=pan:log OR sourcetype=juniper:junos)
| search ("access-list" OR "acl" OR "permit ip any" OR "no access-group" OR "nat" OR "ip route" OR "static-route" OR "firewall rule" OR "policy" OR "config" OR "shutdown")
| search NOT ("Deny" OR "denied" OR "blocked" OR "drop" OR "reject")
| rex field=_raw "(?i)%(?P<facility>[A-Z0-9_-]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
| rex field=_raw "(?i)(?P<change_keyword>access-list|access-group|nat overload|ip route|policy|firewall rule|no shutdown|shutdown)"
| eval risk_score=case(
    like(lower(_raw), "%permit ip any any%"), 100,
    like(lower(_raw), "%no access-list%"), 95,
    like(lower(_raw), "%nat bypass%"), 95,
    like(lower(_raw), "%ip route 0.0.0.0%"), 90,
    like(lower(_raw), "%access-group removed%"), 85,
    like(lower(_raw), "%clear access-list%"), 80,
    like(lower(_raw), "%policy deleted%"), 80,
    like(lower(_raw), "%rule removed%"), 75,
    1=1, 40
)
| where risk_score >= 75
| eval change_summary=coalesce(change_keyword, "unknown")
| stats count as change_count, max(risk_score) as max_risk, values(change_summary) as change_types, first(_raw) as sample_log, list(_time) as change_times by host, src_ip, user
| eval time_span_seconds=mvindex(change_times, -1) - mvindex(change_times, 0)
| where max_risk >= 75
| sort - max_risk
| table host, src_ip, user, change_types, max_risk, change_count, time_span_seconds, sample_log
high severity medium confidence

Detects suspicious network boundary manipulation events sourced from syslog of network devices including Cisco IOS/ASA, Juniper JunOS, and Palo Alto firewalls. Looks for ACL modifications, permit-any rules, NAT bypasses, and static route additions using risk scoring. Aggregates multiple changes per source host/IP to surface adversaries making rapid sequential configuration changes.

Data Sources

Syslog from network devicesCisco IOS/ASA syslogPalo Alto syslogJuniper JunOS syslog

Required Sourcetypes

syslogcisco:ioscisco:asapan:logjuniper:junos

False Positives & Tuning

  • Network operations center (NOC) engineers applying approved firewall rule changes during maintenance windows
  • Automated configuration management tools (Ansible, Puppet, Chef) applying network policy changes as part of IaC workflows
  • Firewall audits and compliance scans that trigger read/change events in network device logs
  • Disaster recovery failover events that automatically reconfigure routing to alternate paths
Download portable Sigma rule (.yml)

Other platforms for T1599

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add iptables rule to permit forwarding between network segments on Linux firewall

    Expected signal: Syslog events showing iptables rule addition, kernel sysctl change in /proc/sys/net/ipv4/ip_forward, auditd records if audit rules on iptables binary, and Linux auth logs showing sudo elevation.

  2. Test 2Add static route to bridge isolated network segment on Linux router

    Expected signal: Auditd records of 'ip route' command execution, kernel routing table modification in /proc/net/route, syslog if routing daemon is logging, and file modification event on /etc/network/routes.

  3. Test 3Flush iptables security rules to allow all inter-segment traffic

    Expected signal: Syslog or auditd records capturing: (1) iptables -F FORWARD command execution with sudo, (2) iptables -P FORWARD ACCEPT policy change, (3) sysctl net.ipv4.ip_forward=1. If network device sends SNMP traps, a linkDown/warmStart trap may fire.

Last updated: 2026-03-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1599 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (1)

Related Techniques

T1599.001Network Address Translation TraversalT1090.003Multi-hop ProxyT1020.001Traffic DuplicationT1090.001Internal ProxyT1021.001Remote Desktop ProtocolT1556.003Pluggable Authentication ModulesT1110Brute Force

Same Tactic: Defense Evasion

Popular Detections