T1599.001 Network Address Translation Traversal Mappings

Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)

When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.

Adversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1599.001 Network Address Translation Traversal
AC-3 Access Enforcement Protects T1599.001 Network Address Translation Traversal
AC-4 Information Flow Enforcement Protects T1599.001 Network Address Translation Traversal
AC-5 Separation of Duties Protects T1599.001 Network Address Translation Traversal
AC-6 Least Privilege Protects T1599.001 Network Address Translation Traversal
CA-7 Continuous Monitoring Protects T1599.001 Network Address Translation Traversal
CM-2 Baseline Configuration Protects T1599.001 Network Address Translation Traversal
CM-5 Access Restrictions for Change Protects T1599.001 Network Address Translation Traversal
CM-6 Configuration Settings Protects T1599.001 Network Address Translation Traversal
CM-7 Least Functionality Protects T1599.001 Network Address Translation Traversal
IA-2 Identification and Authentication (organizational Users) Protects T1599.001 Network Address Translation Traversal
IA-5 Authenticator Management Protects T1599.001 Network Address Translation Traversal
SC-28 Protection of Information at Rest Protects T1599.001 Network Address Translation Traversal
SC-7 Boundary Protection Protects T1599.001 Network Address Translation Traversal
SI-10 Information Input Validation Protects T1599.001 Network Address Translation Traversal
SI-15 Information Output Filtering Protects T1599.001 Network Address Translation Traversal
SI-4 System Monitoring Protects T1599.001 Network Address Translation Traversal
SI-7 Software, Firmware, and Information Integrity Protects T1599.001 Network Address Translation Traversal
action.hacking.variety.Unknown Unknown related-to T1599.001 Network Boundry Bridging: Network Address Translation Traversal