automatic isatap configuration in some windows deployments

t1557
t1565
t1565.002
windows
sigma

Techniques

t1557
t1565
t1565.002

Sample rules

ISATAP Router Address Was Set

source: sigma
technicques:
- t1557
- t1565
- t1565.002

Description

Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_localhost:
  IsatapRouter:
  - 127.0.0.1
  - ::1
filter_optional_null:
  IsatapRouter: null
selection:
  EventID: 4100
  Provider_Name: Microsoft-Windows-Iphlpsvc