Microsoft-Windows-Iphlpsvc
18 events across 2 channels
Event ID 4000 — Teredo server has successfully started.
Description
Teredo server has successfully started.
Event ID 4001 — Teredo server has failed to start with the following error: ErrorCode.
Event ID 4002 — Teredo server primary or secondary IPv4 address is invalid.
Event ID 4003 — Configured Teredo server name ServerName is invalid.
Event ID 4004 — Teredo server initialization has failed with the following error code ErrorCode.
Event ID 4005 — Teredo server has stopped.
Description
Teredo server has stopped.
Event ID 4100 — ISATAP router address IsatapRouter was set with status ErrorCode.
Description
ISATAP router address IsatapRouter was set with status ErrorCode.
Fields
| Name | Description |
|---|---|
| IsatapRouter UnicodeString | — |
| ErrorCode UInt32 | — |
Detection Rules
Sigma
- ISATAP Router Address Was Set (medium): Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
Event ID 4200 — ProtocolType interface Interface with address Address has been brought up.
Event ID 4201 — ProtocolType interface Interface is no longer active.
Event ID 4202 — Unable to update the IP address on Error_Code interface ProtocolType.
Event ID 4300 — IP-HTTPS server has successfully started using the server URL ServerUrl.
Event ID 4301 — IP-HTTPS server has stopped.
Description
IP-HTTPS server has stopped.
Event ID 4302 — IP-HTTPS server has failed to start with the following error: ErrorCode.
Event ID 4303 — IP-HTTPS client ClientMachineName (TunnelSourceIP) is associated with IP address RemoteIP.
Event ID 4304 — IP-HTTPS client ClientMachineName (TunnelSourceIP) is disassociated from IP address RemoteIP.
Event ID 4400 — DNS64: No matching IPv6 prefix found for IPv4 address Translated IPv4 Address, received for name QuestionName queried by client ClientIP.
Description
DNS64: No matching IPv6 prefix found for IPv4 address Translated IPv4 Address, received for name QuestionName queried by client ClientIP.
Fields
| Name | Description |
|---|---|
| AddrLength UInt32 | — |
| ClientIP Binary | — |
| QuestionName UnicodeString | — |
| Translated IPv4 Address UInt32 | — |
| TranslatedIPv4Address UInt32 | — |