MITRE ATT&CK Technique
Defense Evasion T1599.001
Description

Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918) When an adversary gains control of a network boundary device, they may modify NAT configurations to send traffic between two separated networks, or to obscure their activities. In network designs that require NAT to function, such modifications enable the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In network designs that do not require NAT, adversaries may use address translation to further obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.

Supported Platforms
Network Devices
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-10-19T16:48:08.241Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may bridge network boundaries by modifying a '
                'network device’s Network Address Translation (NAT) '
                'configuration. Malicious modifications to NAT may enable an '
                'adversary to bypass restrictions on traffic routing that '
                'otherwise separate trusted and untrusted networks.\n'
                '\n'
                'Network devices such as routers and firewalls that connect '
                'multiple networks together may implement NAT during the '
                'process of passing packets between networks. When performing '
                'NAT, the network device will rewrite the source and/or '
                'destination addresses of the IP address header. Some network '
                'designs require NAT for the packets to cross the border '
                'device.  A typical example of this is environments where '
                'internal networks make use of non-Internet routable '
                'addresses.(Citation: RFC1918)\n'
                '\n'
                'When an adversary gains control of a network boundary device, '
                'they may modify NAT configurations to send traffic between '
                'two separated networks, or to obscure their activities.  In '
                'network designs that require NAT to function, such '
                'modifications enable the adversary to overcome inherent '
                'routing limitations that would normally prevent them from '
                'accessing protected systems behind the border device.  In '
                'network designs that do not require NAT, adversaries may use '
                'address translation to further obscure their activities, as '
                'changing the addresses of packets that traverse a network '
                'boundary device can make monitoring data transmissions more '
                'challenging for defenders.  \n'
                '\n'
                'Adversaries may use [Patch System '
                'Image](https://attack.mitre.org/techniques/T1601/001) to '
                'change the operating system of a network device, implementing '
                'their own custom NAT mechanisms to further obscure their '
                'activities.',
 'external_references': [{'external_id': 'T1599.001',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1599/001'},
                         {'description': 'IETF Network Working Group. (1996, '
                                         'February). Address Allocation for '
                                         'Private Internets. Retrieved October '
                                         '20, 2020.',
                          'source_name': 'RFC1918',
                          'url': 'https://tools.ietf.org/html/rfc1918'}],
 'id': 'attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:46.071Z',
 'name': 'Network Address Translation Traversal',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Network Devices'],
 'x_mitre_version': '1.2'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About