title: Network Boundary Bridging (T1599)
id: df00tech-t1599
status: experimental
description: "This detection identifies adversary activity consistent with MITRE ATT&CK T1599 (Network Boundary Bridging), where threat actors compromise perimeter network devices — routers, firewalls, or internal segmentation appliances — and reconfigure them to allow prohibited traffic to cross trust boundaries. Detection focuses on unauthorized ACL modifications, NAT rule changes, routing table manipulation, and firewall policy changes sourced from network device syslog and configuration audit trails ingested into SIEM. Because this technique targets network infrastructure rather than endpoints, primary telemetry comes from CommonSecurityLog (CEF-formatted device logs), Syslog, and network device AAA/TACACS+ audit streams. High-severity modifications include permit-any rules, deletion of blocking ACLs, addition of bypass NAT entries, and introduction of static routes to previously isolated segments."
references:
  - https://attack.mitre.org/techniques/T1599/
  - https://df00tech.com/detections/T1599
author: df00tech
date: 2026/03/20
tags:
  - attack.t1599
# NOTE: logsource is auto-derived and does not match the telemetry the description names
# (CommonSecurityLog/CEF, Syslog, AAA/TACACS+ audit streams); point it at your network device
# log source before use.
logsource:
  product: windows
detection:
  # The detection logic could not be auto-translated. This selection is a placeholder that matches
  # every event; replace it with the KQL/SPL query on df00tech before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized network engineers performing scheduled maintenance during approved change windows; validate against the change management system (ServiceNow/Jira)
  - Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
  - Security operations performing penetration test or red team exercises with pre-authorized network changes
  - Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs
level: high
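As an added example (not part of the df00tech rule or its KQL/SPL), the following Python sketches the per-command triage the description calls for, run over constructed Cisco IOS-style `archive log config` syslog lines. The line format, the isolated-segment list and the `svc-ansible` automation account are assumptions used to show how permit-any rules, ACL deletions, static NAT entries and routes into isolated segments are raised while automation accounts are downgraded rather than dropped.

```python
import re
import ipaddress
# Assumed Cisco IOS "archive log config" syslog format (an assumption, not from the rule page):
#   ... %PARSER-5-CFGLOG_LOGGEDCMD: User:<user>  logged command:<command>
CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) +logged command:(?P<cmd>.+)$")
# Classic "ip route <network> <dotted-mask> <next-hop>" form only
ROUTE_RE = re.compile(r"^ip route (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})(?:\s|$)")

def classify_command(cmd, isolated_nets=()):
    """Map one logged config command to (severity, reason) using the high-severity changes the rule lists."""
    c = " ".join(cmd.split()).lower()
    if re.search(r"\bpermit (ip|tcp|udp) any any\b", c):
        return "high", "permit-any rule"
    if c.startswith("no access-list ") or c.startswith("no ip access-list "):
        return "high", "ACL deleted"
    if c.startswith("ip nat ") and " static " in c:
        return "high", "static NAT entry (possible bypass)"
    m = ROUTE_RE.match(c)
    if m:  # ipaddress accepts the dotted-decimal netmask form directly
        dst = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if any(dst.overlaps(ipaddress.ip_network(n)) for n in isolated_nets):
            return "high", "static route into isolated segment"
        return "medium", "static route added"
    return "info", "other config change"

def detect(lines, isolated_nets=(), authorized_users=()):
    """Return (user, severity, reason, command) for each config change worth analyst attention."""
    alerts = []
    for line in lines:
        m = CFGLOG_RE.search(line)
        if not m:
            continue
        sev, why = classify_command(m.group("cmd"), isolated_nets)
        if sev == "info":
            continue
        # Automation/change-window accounts (a false-positive source the rule names) stay visible but downgraded
        if sev == "high" and m.group("user") in authorized_users:
            sev = "medium"
        alerts.append((m.group("user"), sev, why, m.group("cmd").strip()))
    return alerts
SAMPLE = [  # constructed sample lines, not real device output
    "<189>Mar 20 10:15:01 fw-edge-01 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:access-list 110 permit ip any any",
    "<189>Mar 20 10:15:09 fw-edge-01 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no access-list 120",
    "<189>Mar 20 10:16:44 rtr-core-02 877: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-ansible  logged command:ip route 10.50.0.0 255.255.0.0 192.0.2.1",
    "<189>Mar 20 10:17:02 rtr-core-02 878: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:interface GigabitEthernet0/1",
    "<189>Mar 20 10:18:30 fw-edge-01 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:ip nat inside source static 10.1.1.5 203.0.113.5",
]
if __name__ == "__main__":
    for alert in detect(SAMPLE, isolated_nets=("10.50.0.0/16",), authorized_users=("svc-ansible",)):
        print(alert)
```

Plain `interface` commands are dropped as informational, so the sample yields four alerts; the route pushed by the automation account lands at medium instead of high.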
