ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1557 Adversary-in-the-Middle |
| Collection | T1557 Adversary-in-the-Middle |
| Impact | T1565.002 Data Manipulation: Transmitted Data Manipulation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Iphlpsvc | 4100 | ISATAP router address IsatapRouter was set with status ErrorCode. |
Stages and Predicates
Stage 1: selection
Provider_Name: Microsoft-Windows-Iphlpsvc
Stage 2: not 1 of filter_main_localhost
IsatapRouter: [127.0.0.1, '::1']
Stage 3: not 1 of filter_optional_null
IsatapRouter: null
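The three stages above compose as "selection and not any filter". The block below is an added example (not code from the rule or the catalog) that re-implements that logic in Python and runs it over constructed Windows event records using the page's Sigma field names (Provider_Name, IsatapRouter). The `known_routers` allowlist is an added assumption that models the description's advice to correlate hits with known legitimate ISATAP deployments; the EventID 4100 and ErrorCode values in the sample records are taken from the event coverage table and are not used by the match itself, because the stages as listed only key on Provider_Name and IsatapRouter.

```python
"""Re-implementation of the rule's stages over constructed events.

Added example, not the rule's or catalog's own code. Field names follow
the Sigma fields shown on the page; the baseline allowlist is an assumption.
"""
from typing import Iterable, Optional

SELECTION_PROVIDER = "Microsoft-Windows-Iphlpsvc"   # Stage 1: selection
FILTER_MAIN_LOCALHOST = {"127.0.0.1", "::1"}        # Stage 2: loopback addresses


def matches_rule(event: dict) -> bool:
    """True when: selection and not 1 of filter_main_localhost
    and not 1 of filter_optional_null."""
    # Stage 1: selection on the provider that emits the ISATAP event
    if event.get("Provider_Name") != SELECTION_PROVIDER:
        return False
    router = event.get("IsatapRouter")
    # Stage 2: not 1 of filter_main_localhost (loopback routers are benign noise)
    if router in FILTER_MAIN_LOCALHOST:
        return False
    # Stage 3: not 1 of filter_optional_null (no router actually set)
    if router is None:
        return False
    return True


def triage(events: Iterable[dict], known_routers: Optional[set] = None) -> list:
    """Apply the rule, then drop routers present in the environment baseline.

    The baseline is an assumed allowlist standing in for the 'known legitimate
    ISATAP deployments' the description says hits should be correlated with.
    """
    known = known_routers or set()
    return [ev for ev in events
            if matches_rule(ev) and ev["IsatapRouter"] not in known]


# Constructed sample events (not real telemetry). EventID 4100 is the
# Iphlpsvc event listed in the coverage table; ErrorCode 0 is assumed success.
SAMPLE_EVENTS = [
    {"Provider_Name": "Microsoft-Windows-Iphlpsvc", "EventID": 4100,
     "IsatapRouter": "127.0.0.1", "ErrorCode": 0},            # filtered: loopback
    {"Provider_Name": "Microsoft-Windows-Iphlpsvc", "EventID": 4100,
     "IsatapRouter": "::1", "ErrorCode": 0},                  # filtered: loopback
    {"Provider_Name": "Microsoft-Windows-Iphlpsvc", "EventID": 4100,
     "IsatapRouter": None, "ErrorCode": 0},                   # filtered: null
    {"Provider_Name": "Microsoft-Windows-Iphlpsvc", "EventID": 4100,
     "IsatapRouter": "isatap.corp.example", "ErrorCode": 0},  # matches; in baseline
    {"Provider_Name": "Microsoft-Windows-Iphlpsvc", "EventID": 4100,
     "IsatapRouter": "10.0.0.99", "ErrorCode": 0},            # matches; unexpected
    {"Provider_Name": "Microsoft-Windows-DNS-Client", "EventID": 4100,
     "IsatapRouter": "10.0.0.99"},                            # wrong provider
]

# Assumed environment baseline of legitimate ISATAP routers (constructed).
KNOWN_ROUTERS = {"isatap.corp.example"}


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, KNOWN_ROUTERS):
        print("ALERT: unexpected ISATAP router set:", hit["IsatapRouter"])
```

Running the block prints one alert for the unexpected router; the two loopback records, the null record and the record from another provider never reach triage, and the baselined router is suppressed only at the triage step, so the raw rule still fires on it. That split mirrors the page's point: the Sigma logic is intentionally broad, and the baseline correlation belongs in the analyst workflow around it.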
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| IsatapRouter | eq | 127.0.0.1, ::1, null |
| Provider_Name | eq | Microsoft-Windows-Iphlpsvc |