From 678b8c8fea3941573285ea09ded6854ed8fcb62d Mon Sep 17 00:00:00 2001 From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com> Date: Sat, 22 Mar 2025 13:57:11 +0000 Subject: [PATCH 01/13] Create Possible_IPV6_DNS_Takeover.yml --- .../Possible_IPV6_DNS_Takeover.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml new file mode 100644 index 00000000000..4d3989d9d7d --- /dev/null +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml @@ -0,0 +1,29 @@ +title: Possible IPV6 DNS Takeover +id: d476d1-53a18e-cb907e-d12a01e9b523 +status: test +description: New ISATAP router was set successfully +references: + - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/ + - https://redfoxsec.com/blog/ipv6-dns-takeover/ + - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/ +author: hamid +date: 2024-04-02 +tags: + - attack.initial_access + - attack.privilege_escalation + - attack.execution + - attack.t1557 + - attack.t1565.002 +logsource: + product: windows + service: system +detection: + selection: + EventID: 4100 + Provider_Name: 'Microsoft-Windows-Iphlpsvc' + filter: + IsatapRouter|contains: '127.0.0.1' + condition: selection and not filter +falsepositives: + - Unknown +level: high From 50343153fc6851c1a7c9865fc502ebd0bc6c3c75 Mon Sep 17 00:00:00 2001 From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com> Date: Sat, 22 Mar 2025 14:08:09 +0000 Subject: [PATCH 02/13] Update Possible_IPV6_DNS_Takeover.yml --- .../microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml index 4d3989d9d7d..33e9bd0e9df 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml @@ -1,5 +1,5 @@ title: Possible IPV6 DNS Takeover -id: d476d1-53a18e-cb907e-d12a01e9b523 +id: 078d7118-55c-4912-a836-cc6483a8d152 status: test description: New ISATAP router was set successfully references: From 07c79ab3a08338bb733f9868fa702b9a985f8fbf Mon Sep 17 00:00:00 2001 From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com> Date: Sat, 22 Mar 2025 14:11:25 +0000 Subject: [PATCH 03/13] Update Possible_IPV6_DNS_Takeover.yml --- .../microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml index 33e9bd0e9df..fa844851ffe 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml @@ -1,5 +1,5 @@ title: Possible IPV6 DNS Takeover -id: 078d7118-55c-4912-a836-cc6483a8d152 +id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c status: test description: New ISATAP router was set successfully references: From 981a845954205bcf86400faae89a6257caa5ef87 Mon Sep 17 00:00:00 2001 
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com> Date: Sat, 22 Mar 2025 14:16:46 +0000 Subject: [PATCH 04/13] Update and rename Possible_IPV6_DNS_Takeover.yml to win_system_possible_ipv6_dns_takeover.yml --- ...Takeover.yml => win_system_possible_ipv6_dns_takeover.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/windows/builtin/system/microsoft_windows_IphIpsvc/{Possible_IPV6_DNS_Takeover.yml => win_system_possible_ipv6_dns_takeover.yml} (92%) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml similarity index 92% rename from rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml rename to rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml index fa844851ffe..092475bd1ef 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml @@ -9,8 +9,8 @@ references: author: hamid date: 2024-04-02 tags: - - attack.initial_access - - attack.privilege_escalation + - attack.initial-access + - attack.privilege-escalation - attack.execution - attack.t1557 - attack.t1565.002 From a6f05c03b54ddd093fa6a21b7b136f57a49c6bee Mon Sep 17 00:00:00 2001 From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com> Date: Mon, 24 Mar 2025 09:54:33 +0000 Subject: [PATCH 05/13] Update rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../win_system_possible_ipv6_dns_takeover.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml index 092475bd1ef..d572b9089ea 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml @@ -1,6 +1,6 @@ title: Possible IPV6 DNS Takeover id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c -status: test +status: experimental description: New ISATAP router was set successfully references: - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/ From 3a3c7ed0c9069fb34b1716af8803f8f43fc6f10d Mon Sep 17 00:00:00 2001 From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com> Date: Fri, 5 Sep 2025 12:02:23 +0100 Subject: [PATCH 06/13] Update rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> --- .../win_system_possible_ipv6_dns_takeover.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml index d572b9089ea..b747ca7801a 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml @@ -1,4 +1,4 @@ -title: Possible IPV6 DNS Takeover +title: Potential IPV6 DNS Takeover Attack via Rogue DHCP Server id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c status: experimental description: New ISATAP router was set successfully From 10f88a193d57d149002d584cff630e76649b7036 Mon Sep 17 00:00:00 2001 
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com> Date: Fri, 5 Sep 2025 12:02:35 +0100 Subject: [PATCH 07/13] Update rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> --- .../win_system_possible_ipv6_dns_takeover.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml index b747ca7801a..7e5341b88fc 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml @@ -1,7 +1,10 @@ title: Potential IPV6 DNS Takeover Attack via Rogue DHCP Server id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c status: experimental -description: New ISATAP router was set successfully +description: | + Detects the configuration of a new ISATAP router on a Windows host, which could be an indicator of a potential IPv6 DNS Takeover attack using tools like mitm6. + In this attack, the adversary's machine advertises itself as a DHCPv6 server and sets itself as the ISATAP router + and primary DNS server for IPv6 traffic, enabling man-in-the-middle attacks to intercept credentials. references: - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/ - https://redfoxsec.com/blog/ipv6-dns-takeover/ From b8755ecd38d4515b9b141ddfda4c4be57a495f6a Mon Sep 17 00:00:00 2001 
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com> Date: Mon, 8 Sep 2025 18:22:29 +0100 Subject: [PATCH 08/13] Update rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> --- .../win_system_possible_ipv6_dns_takeover.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml index 7e5341b88fc..ec73842e87a 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml @@ -24,9 +24,13 @@ detection: selection: EventID: 4100 Provider_Name: 'Microsoft-Windows-Iphlpsvc' - filter: - IsatapRouter|contains: '127.0.0.1' - condition: selection and not filter + filter_main_localhost: + IsatapRouter: + - '127.0.0.1' + - '::1' + filter_optional_null: + IsatapRouter: null + condition: selection and not 1 of filter_main_* and not 1 of optional_main_* falsepositives: - Unknown level: high From 31b7e8c9082149013f6ee6f3668e947e7b901bda Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 19 Oct 2025 11:42:13 +0200 Subject: [PATCH 09/13] rename and metadata update --- ...er.yml => win_system_isatap_router_address_set.yml} | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) rename rules/windows/builtin/system/microsoft_windows_IphIpsvc/{win_system_possible_ipv6_dns_takeover.yml => win_system_isatap_router_address_set.yml} (77%) 
diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml similarity index 77% rename from rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml rename to rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml index ec73842e87a..5527e05909e 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml @@ -1,16 +1,16 @@ -title: Potential IPV6 DNS Takeover Attack via Rogue DHCP Server +title: ISATAP Router Address Was Set id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c status: experimental description: | Detects the configuration of a new ISATAP router on a Windows host, which could be an indicator of a potential IPv6 DNS Takeover attack using tools like mitm6. - In this attack, the adversary's machine advertises itself as a DHCPv6 server and sets itself as the ISATAP router - and primary DNS server for IPv6 traffic, enabling man-in-the-middle attacks to intercept credentials. + In this attack, the adversary's machine advertises itself as a DHCPv6 server and sets itself as the ISATAP router and primary DNS server for IPv6 traffic, enabling man-in-the-middle attacks to intercept credentials. references: - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/ - https://redfoxsec.com/blog/ipv6-dns-takeover/ - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/ + - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f author: hamid -date: 2024-04-02 +date: 2025-10-19 tags: - attack.initial-access - attack.privilege-escalation 
@@ -25,7 +25,7 @@ detection: EventID: 4100 Provider_Name: 'Microsoft-Windows-Iphlpsvc' filter_main_localhost: - IsatapRouter: + IsatapRouter: - '127.0.0.1' - '::1' filter_optional_null: From 53ade35a73afe34048f159595a9acbc8a85239b4 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 19 Oct 2025 11:43:33 +0200 Subject: [PATCH 10/13] Update win_system_isatap_router_address_set.yml --- .../win_system_isatap_router_address_set.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml index 5527e05909e..5cb085b39c9 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml @@ -30,7 +30,7 @@ detection: - '::1' filter_optional_null: IsatapRouter: null - condition: selection and not 1 of filter_main_* and not 1 of optional_main_* + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: high From 19166e97b1607bea89e7c313feb7147de507db67 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 19 Oct 2025 11:44:36 +0200 Subject: [PATCH 11/13] Update win_system_isatap_router_address_set.yml --- .../win_system_isatap_router_address_set.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml index 5cb085b39c9..fde8d8d603e 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml 
+++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml @@ -33,4 +33,4 @@ detection: condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown -level: high +level: medium From 0011277e01bfe54935636085f7647fea261bb48a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 19 Oct 2025 11:48:39 +0200 Subject: [PATCH 12/13] Update win_system_isatap_router_address_set.yml --- .../win_system_isatap_router_address_set.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml index fde8d8d603e..774d74d4486 100644 --- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml +++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml 
@@ -2,8 +2,9 @@ title: ISATAP Router Address Was Set id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c status: experimental description: | - Detects the configuration of a new ISATAP router on a Windows host, which could be an indicator of a potential IPv6 DNS Takeover attack using tools like mitm6. - In this attack, the adversary's machine advertises itself as a DHCPv6 server and sets itself as the ISATAP router and primary DNS server for IPv6 traffic, enabling man-in-the-middle attacks to intercept credentials. + Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. + In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. + This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment. references: - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/ - https://redfoxsec.com/blog/ipv6-dns-takeover/ @@ -32,5 +33,8 @@ detection: IsatapRouter: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - - Unknown + - Legitimate ISATAP router configuration in enterprise environments + - IPv6 transition projects and network infrastructure changes + - Network administrators configuring dual-stack networking + - Automatic ISATAP configuration in some Windows deployments level: medium From c21cd54f289a31832962e25bcec6f80b12a8e2a5 Mon Sep 17 00:00:00 2001 
From: swachchhanda000 Date: Tue, 21 Oct 2025 14:02:39 +0545 Subject: [PATCH 13/13] fix: wrong file directoryname --- .../win_system_isatap_router_address_set.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/builtin/system/{microsoft_windows_IphIpsvc => microsoft_windows_Iphlpsvc}/win_system_isatap_router_address_set.yml (100%) diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml b/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml similarity index 100% rename from rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_isatap_router_address_set.yml rename to rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml
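Review bot: In PATCH 01/13, `id: d476d1-53a18e-cb907e-d12a01e9b523` is not a valid UUID (Sigma ids are UUIDv4, five hyphen-separated groups of 8-4-4-4-12 hex digits), so the rule will fail the repository's id check; generate the value with a UUID tool rather than typing it. In the same hunk, `status: test` should be `experimental` for a newly contributed rule, the tactic tags `attack.initial_access` and `attack.privilege_escalation` use underscores where the Sigma convention is hyphens (`attack.initial-access`, `attack.privilege-escalation`), and the one-line `description: New ISATAP router was set successfully` only restates the event text; it should say what the rule is meant to catch and why an ISATAP router other than loopback is worth alerting on.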
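Review bot: In PATCH 02/13 the replacement `id: 078d7118-55c-4912-a836-cc6483a8d152` is still malformed: the second group `55c` has three hex digits instead of four, so the value will not pass a UUID check any more than the previous one did. PATCH 03/13 finally substitutes a well-formed id, which is what a generated UUID would have given in the first commit.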
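Review bot: In PATCH 04/13 the hunk fixes the tag separators, but the tactic tags it keeps (`attack.initial-access`, `attack.privilege-escalation`, `attack.execution`) do not match the technique tags on the next lines: in ATT&CK, T1557 (Adversary-in-the-Middle) sits under Credential Access and Collection, which is also what the later description's "intercept credentials" wording describes, and T1565.002 (Transmitted Data Manipulation) sits under Impact. Suggest `attack.credential-access` and `attack.collection` in place of the three current tactic tags, and confirm that `attack.t1565.002` is intended rather than a leftover.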
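Review bot: In PATCH 08/13, `condition: selection and not 1 of filter_main_* and not 1 of optional_main_*` references a selection pattern nothing defines: the exclusion block is named `filter_optional_null`, so the wildcard has to be `filter_optional_*` (PATCH 10/13 corrects this). As written the rule fails Sigma validation, and a lenient backend would silently never exclude events with a null `IsatapRouter`. Two smaller points in the same hunk: switching from `IsatapRouter|contains: '127.0.0.1'` to the exact-match list `'127.0.0.1'` / `'::1'` is a tightening that deserves a sentence in the commit message, and the `IsatapRouter:` line carries trailing whitespace that PATCH 09/13's second hunk has to strip; a yamllint run before committing catches both the whitespace and the undefined selection name.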
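Review bot: In PATCH 12/13 the new falsepositives entry "Automatic ISATAP configuration in some Windows deployments" describes events that this rule, as filtered, will still fire on whenever the configured `IsatapRouter` is anything other than `127.0.0.1`, `::1` or null; the description's advice to correlate with "known legitimate ISATAP deployments" therefore needs a concrete tuning path. Since the condition already uses `not 1 of filter_optional_*`, suggest adding a commented-out or documented `filter_optional_known_routers` selection (an `IsatapRouter` list of the organisation's legitimate ISATAP router addresses) so deployers can whitelist without editing the condition.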
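Review bot: In PATCH 13/13 the directory rename from `microsoft_windows_IphIpsvc` (capital I) to `microsoft_windows_Iphlpsvc` (lowercase l) is correct and now matches the `Provider_Name: 'Microsoft-Windows-Iphlpsvc'` used in the selection; the misspelled path survived twelve commits and two renames, so a repository check that compares a rule's directory name against its `Provider_Name` value would be a cheap way to catch this class of typo.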