ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
Sigma rule (View on GitHub)
1title: ISATAP Router Address Was Set
2id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
3status: experimental
4description: |
5 Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
6 In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
7 This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
8references:
9 - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
10 - https://redfoxsec.com/blog/ipv6-dns-takeover/
11 - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
12 - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
13author: hamid
14date: 2025-10-19
15tags:
16 - attack.impact
17 - attack.credential-access
18 - attack.collection
19 - attack.initial-access
20 - attack.privilege-escalation
21 - attack.execution
22 - attack.t1557
23 - attack.t1565.002
24logsource:
25 product: windows
26 service: system
27detection:
28 selection:
29 EventID: 4100
30 Provider_Name: 'Microsoft-Windows-Iphlpsvc'
31 filter_main_localhost:
32 IsatapRouter:
33 - '127.0.0.1'
34 - '::1'
35 filter_optional_null:
36 IsatapRouter: null
37 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
38falsepositives:
39 - Legitimate ISATAP router configuration in enterprise environments
40 - IPv6 transition projects and network infrastructure changes
41 - Network administrators configuring dual-stack networking
42 - Automatic ISATAP configuration in some Windows deployments
43level: medium
References
-
Dale Hobbs // As the world becomes increasingly connected through the internet, cyber attacks have become more sophisticated and prevalent. One type of attack that you may not have heard […]
Read More -
Even though the usage of IPv6 is gaining traction, it is rare to find an organization using it in its network.
Read More -
Related rules
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Huawei BGP Authentication Failures
- Juniper BGP Missing MD5
- Cisco Modify Configuration