ISATAP Router Address Was Set

Rule Info

Name
ISATAP Router Address Was Set
Author
hamid
Description
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
Reference
https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
Date
2025-10-19 00:00:00
Modified
None
Id
d22df9cd-2aee-4089-93c7-9dc4eae77f2c
Tags
attack.impact attack.credential-access attack.collection attack.initial-access attack.privilege-escalation attack.execution attack.t1557 attack.t1565.002
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=d22df9cd-2aee-4089-93c7-9dc4eae77f2c

Rule History

Author
Title
Date
Commit
phantinuss
chore: ci: bump validator version (#5722)
2025-10-23
c8075cab6
NinnessOtu
Merge PR #5242 from @NinnessOtu - ISATAP Router Address Was Set
2025-10-21
47fe9ca81
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022