IPV6 DNS Takeover Attack via Rogue DHCP Server#5242
Merged
Merged
Conversation
github-actions
Bot
added
Rules
Windows
NinnessOtu
changed the title
frack113
reviewed
Mar 24, 2025
…stem_possible_ipv6_dns_takeover.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
frack113
approved these changes
Apr 1, 2025
Member
frack113
left a comment
frack113
left a comment
There was a problem hiding this comment.
LGTM
I think the rule can be high as the legit use should be rare enough.
swachchhanda000
requested changes
Sep 5, 2025
swachchhanda000
added
Work In Progress
Collaborator
|
Sorry for the late review. Let us know if you have anything to say about the review. |
…stem_possible_ipv6_dns_takeover.yml Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
…stem_possible_ipv6_dns_takeover.yml Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Contributor
Author
|
Looks great, thanks! |
…stem_possible_ipv6_dns_takeover.yml Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Contributor
Author
|
Done. |
swachchhanda000
force-pushed
the
master
branch
from
a6254cb to
b9a91bb
Compare
nasbench
added
Ready to Merge
and removed
Work In Progress
nasbench
approved these changes
Oct 19, 2025
swachchhanda000
approved these changes
Oct 20, 2025
swachchhanda000
changed the title
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a new detection rule for identifying potential IPv6 DNS takeover attacks via rogue DHCP servers. The rule monitors ISATAP router address configuration events (Event ID 4100) which can indicate adversaries using tools like mitm6 to intercept traffic by advertising themselves as DHCPv6 servers.
Key Changes:
- New YAML rule file for detecting ISATAP router address configuration events
- Filters to exclude legitimate localhost configurations (127.0.0.1 and ::1)
- Classification as medium-level threat with MITRE ATT&CK technique mappings
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
swachchhanda000
added a commit
to montysecurity/sigma
that referenced
this pull request
Nov 19, 2025
new: ISATAP Router Address Was Set --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This rule detects a possible IPv6 DNS takeover using ISATAP configuration events (Event ID 4100).
Below is a screenshot showing evidence of the logs and the attack.
You can find the full details in my write-up on Medium:
https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f