Tag
A detection rule identifies suspicious outbound IPSEC NAT Traversal (NAT-T) tunnels, characterized by UDP traffic where both source and destination ports are 4500, originating from an internal host to an external destination, a technique frequently abused by threat actors to establish covert command and control channels or exfiltrate data while evading network defenses.