IPSEC NAT Traversal Port Activity
This rule detects outbound IPSEC NAT Traversal (NAT-T) tunnels established from an internal host to an external destination. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal encapsulates IPSEC ESP traffic in UDP and, once a NAT device is detected, both peers float to UDP port 4500 for the tunnel data channel. The rule keys on this NAT-T signature, UDP traffic where both the source and destination port are 4500, from an internal source to an external destination, rather than on any UDP traffic to port 4500. This may be common on your network, but this technique is also used by threat actors to tunnel command and control or exfiltration traffic over the Internet to avoid detection.
Elastic rule

```toml
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw", "pfsense", "zeek"]
maturity = "production"
updated_date = "2026/06/24"

[rule]
author = ["Elastic"]
description = """
This rule detects outbound IPSEC NAT Traversal (NAT-T) tunnels established from an internal host to an external
destination. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal
encapsulates IPSEC ESP traffic in UDP and, once a NAT device is detected, both peers float to UDP port 4500 for the
tunnel data channel. The rule keys on this NAT-T signature, UDP traffic where both the source and destination port are
4500, from an internal source to an external destination, rather than on any UDP traffic to port 4500. This may be
common on your network, but this technique is also used by threat actors to tunnel command and control or exfiltration
traffic over the Internet to avoid detection.
"""
false_positives = [
    """
    Legitimate site-to-site or client VPNs that use IPSEC NAT Traversal will establish outbound tunnels on UDP port
    4500. Where these tunnels are expected, the internal source hosts or external VPN gateway IP addresses can be
    excluded. Requiring both the source and destination port to be 4500 already removes alerts caused by an external
    server coincidentally replying to an ephemeral UDP source port of 4500.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*", "logs-pfsense.log-*", "logs-zeek.*"]
language = "kuery"
license = "Elastic License v2"
name = "IPSEC NAT Traversal Port Activity"
risk_score = 21
rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
severity = "low"
tags = [
    "Tactic: Command and Control",
    "Domain: Endpoint",
    "Use Case: Threat Detection",
    "Data Source: PAN-OS",
    "Data Source: Network Traffic",
    "Data Source: pfSense",
    "Data Source: Zeek",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
(data_stream.dataset: (network_traffic.flow or zeek.connection) or (event.category: (network or network_traffic))) and
  network.transport:udp and source.port:4500 and destination.port:4500 and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating IPSEC NAT Traversal Port Activity

IPSEC NAT Traversal facilitates secure VPN communication across NAT devices by encapsulating IPSEC packets in UDP, typically using port 4500. While essential for legitimate encrypted traffic, adversaries exploit this to mask malicious activities, bypassing network defenses. The detection rule identifies outbound NAT-T tunnels, UDP traffic where both the source and destination port are 4500, originating from an internal host to an external destination, flagging potential misuse for further investigation.

### Possible investigation steps

- Review the source and destination IP addresses associated with the UDP traffic on port 4500 to determine if they are known or expected within your network environment.
- Analyze the volume and frequency of the detected traffic to assess whether it aligns with typical IPSEC NAT Traversal usage or if it appears anomalous.
- Check for any associated network traffic events in the same timeframe that might indicate a pattern of suspicious activity, such as unusual data transfer volumes or connections to known malicious IP addresses.
- Investigate the endpoint or device generating the traffic to verify if it is authorized to use IPSEC NAT Traversal and if it has any history of security incidents or vulnerabilities.
- Correlate the detected activity with any recent changes in network configurations or security policies that might explain the traffic pattern.
- Consult threat intelligence sources to determine if the destination IP address or domain has been associated with known threat actors or command and control infrastructure.

### False positive analysis

- Legitimate VPN traffic using IPSEC NAT Traversal can trigger alerts. Regularly review and whitelist known IP addresses or subnets associated with authorized VPN connections to reduce false positives.
- Network devices or services that rely on IPSEC for secure communication may generate expected traffic on port 4500. Identify and document these devices, then create exceptions in the detection rule to prevent unnecessary alerts.
- Automated backup or synchronization services that use IPSEC for secure data transfer might be flagged. Monitor these services and exclude their traffic patterns if they are verified as non-threatening.
- Some enterprise applications may use IPSEC NAT Traversal for secure communication. Conduct an inventory of such applications and adjust the rule to exclude their traffic after confirming their legitimacy.
- Regularly update the list of known safe IP addresses and services to ensure that new legitimate sources of IPSEC NAT Traversal traffic are promptly excluded from triggering alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further potential malicious activity and lateral movement.
- Conduct a thorough analysis of the isolated system to identify any signs of compromise, such as unauthorized access or data exfiltration, focusing on logs and network traffic related to UDP port 4500.
- Block all suspicious IP addresses associated with the detected traffic on port 4500 at the network perimeter to prevent further communication with potential threat actors.
- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to ensure they effectively block unauthorized IPSEC NAT Traversal traffic, particularly on UDP port 4500.
- Restore the affected system from a known good backup if any signs of compromise are confirmed, ensuring that all security patches and updates are applied before reconnecting to the network.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for UDP traffic on port 4500 to detect and respond to any future suspicious activity promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1095"
name = "Non-Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1095/"

[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"

[[rule.threat.technique]]
id = "T1573"
name = "Encrypted Channel"
reference = "https://attack.mitre.org/techniques/T1573/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
```
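The following is an added example, not Elastic's code, that re-implements the rule's KQL predicate in Python and runs it over a handful of constructed ECS-style flow records. It shows which of the rule's conditions rejects each non-matching flow: a one-sided port 4500 (the false-positive case the rule text describes), an internal-to-internal flow, an inbound flow, a TCP flow, and the `event.category` path for sources that are not a flow dataset. The sample flows, the ids, and the address 45.0.0.1 are assumptions chosen for the demonstration.

```python
import ipaddress

# Internal source ranges and excluded destination ranges, copied from the rule's query above.
INTERNAL_SRC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED_DST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
    "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
    "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "::1/128", "fe80::/10", "ff00::/8")]  # "::1" in KQL is the single host ::1/128

def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

def _is_flow_event(ev):
    """First clause of the query: a flow dataset, or a network event category."""
    cats = ev.get("event.category") or []
    cats = [cats] if isinstance(cats, str) else cats
    return ev.get("data_stream.dataset") in ("network_traffic.flow", "zeek.connection") or bool(
        {"network", "network_traffic"} & set(cats))

def matches_natt_rule(ev):
    """True when a flattened ECS record satisfies the rule: UDP 4500 -> 4500, internal src, external dst."""
    if not _is_flow_event(ev) or ev.get("network.transport") != "udp":
        return False
    if ev.get("source.port") != 4500 or ev.get("destination.port") != 4500:
        return False  # one-sided 4500 (e.g. an ephemeral client port) is not the NAT-T data channel
    if not _in_any(ev["source.ip"], INTERNAL_SRC):
        return False  # inbound flows and non-RFC1918 sources are out of scope
    return not _in_any(ev["destination.ip"], EXCLUDED_DST)

# Constructed sample flows (not real traffic); 45.0.0.1 stands in for an arbitrary routable host.
_RAW = [  # id, dataset, categories, transport, src ip, src port, dst ip, dst port
    ("A", "zeek.connection", [], "udp", "10.20.30.40", 4500, "45.0.0.1", 4500),        # NAT-T data channel
    ("B", "network_traffic.flow", [], "udp", "192.168.1.10", 54321, "45.0.0.1", 4500),  # one-sided 4500
    ("C", "network_traffic.flow", [], "udp", "10.20.30.40", 4500, "10.9.8.7", 4500),    # internal to internal
    ("D", "zeek.connection", [], "udp", "45.0.0.1", 4500, "10.20.30.40", 4500),        # inbound, not outbound
    ("E", "panw.panos", ["network"], "tcp", "10.20.30.40", 4500, "45.0.0.1", 4500),    # wrong transport
    ("F", "panw.panos", ["network"], "udp", "172.20.5.5", 4500, "45.0.0.1", 4500),     # matched via category
]
SAMPLE_FLOWS = [
    {"id": i, "data_stream.dataset": ds, "event.category": c, "network.transport": t,
     "source.ip": s, "source.port": sp, "destination.ip": d, "destination.port": dp}
    for i, ds, c, t, s, sp, d, dp in _RAW
]

def alerting_flows(events):
    """Return the ids of the records the rule would alert on."""
    return [e["id"] for e in events if matches_natt_rule(e)]
```

Only flows A and F alert; B is the ephemeral-port case the rule's `false_positives` text says is already excluded, and C and D fail the internal-source or external-destination checks.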
Related rules
- SMTP to the Internet on Port 26/TCP
- RDP (Remote Desktop Protocol) from the Internet
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- SMB (Windows File Sharing) Activity to the Internet