ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
Sigma rule (View on GitHub)
1title: ISATAP Router Address Was Set
2id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
3status: experimental
4description: |
5 Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
6 In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
7 This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
8references:
9 - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
10 - https://redfoxsec.com/blog/ipv6-dns-takeover/
11 - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
12 - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
13author: hamid
14date: 2025-10-19
15tags:
16 - attack.initial-access
17 - attack.privilege-escalation
18 - attack.execution
19 - attack.t1557
20 - attack.t1565.002
21logsource:
22 product: windows
23 service: system
24detection:
25 selection:
26 EventID: 4100
27 Provider_Name: 'Microsoft-Windows-Iphlpsvc'
28 filter_main_localhost:
29 IsatapRouter:
30 - '127.0.0.1'
31 - '::1'
32 filter_optional_null:
33 IsatapRouter: null
34 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
35falsepositives:
36 - Legitimate ISATAP router configuration in enterprise environments
37 - IPv6 transition projects and network infrastructure changes
38 - Network administrators configuring dual-stack networking
39 - Automatic ISATAP configuration in some Windows deployments
40level: medium
References
-
Dale Hobbs // As the world becomes increasingly connected through the internet, cyber attacks have become more sophisticated and prevalent. One type of attack that you may not have heard […]
Read More -
Even though the usage of IPv6 is gaining traction, it is rare to find an organization using it in its network.
Read More -
Related rules
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Huawei BGP Authentication Failures
- Juniper BGP Missing MD5
- OMIGOD HTTP No Authentication RCE