title: Network Address Translation Traversal (T1599.001)
id: df00tech-t1599-001
status: experimental
description: "Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device rewrites source and/or destination addresses of the IP address header. An adversary who gains control of a network boundary device may modify NAT configurations to send traffic between two separated networks or to obscure their activities by changing the addresses of packets traversing the border device, making traffic monitoring more challenging for defenders. Adversaries may combine this technique with Patch System Image (T1601.001) to implement persistent custom NAT mechanisms within compromised device firmware."
references:
  - https://attack.mitre.org/techniques/T1599/001/
  - https://df00tech.com/detections/T1599.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1599.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized network engineers making planned NAT changes during approved change management windows; correlate against change tickets before escalating
  - "Automated configuration management tools (Ansible, Terraform, Cisco DNA Center, NetBox) applying approved network configurations on a scheduled basis"
  - Cloud infrastructure automation scripts creating or modifying Azure NAT Gateways as part of normal CI/CD deployment pipelines
  - Network device reboots restoring previously configured NAT rules that trigger repeated SYS-5-CONFIG_I log events from startup config application
  - Managed service providers or ISP technicians making authorized routing or NAT adjustments under a support contract; verify against vendor change notifications
level: high
