From 47fe9ca81fa8fd2a094ec0bc25e728b4a7931f8e Mon Sep 17 00:00:00 2001
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com>
Date: Tue, 21 Oct 2025 09:20:55 +0100
Subject: [PATCH] Merge PR #5242 from @NinnessOtu - ISATAP Router Address Was Set
new: ISATAP Router Address Was Set
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../win_system_isatap_router_address_set.yml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml
diff --git a/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml b/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml
new file mode 100644
index 000000000..774d74d44
--- /dev/null
+++ b/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml
@@ -0,0 +1,40 @@
+title: ISATAP Router Address Was Set
+id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
+status: experimental
+description: |
+ Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
+ In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
+ This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
+references:
+ - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
+ - https://redfoxsec.com/blog/ipv6-dns-takeover/
+ - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
+ - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
+author: hamid
+date: 2025-10-19
+tags:
+ - attack.initial-access
+ - attack.privilege-escalation
+ - attack.execution
+ - attack.t1557
+ - attack.t1565.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 4100
+ Provider_Name: 'Microsoft-Windows-Iphlpsvc'
+ filter_main_localhost:
+ IsatapRouter:
+ - '127.0.0.1'
+ - '::1'
+ filter_optional_null:
+ IsatapRouter: null
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Legitimate ISATAP router configuration in enterprise environments
+ - IPv6 transition projects and network infrastructure changes
+ - Network administrators configuring dual-stack networking
+ - Automatic ISATAP configuration in some Windows deployments
+level: medium
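Review bot: The tactic tags in the new rule's `tags` block do not match its technique tags: `attack.t1557` (Adversary-in-the-Middle) sits under credential-access and collection in ATT&CK and `attack.t1565.002` (Transmitted Data Manipulation) under impact, while the rule lists `attack.initial-access`, `attack.privilege-escalation` and `attack.execution`, none of which those techniques belong to. I would replace the three tactic tags with `attack.credential-access`, `attack.collection` and `attack.impact` so that tooling grouping rules by tactic places this one where its techniques live, or drop whichever technique tags the intended tactics are not meant to cover. The hunk's indentation is collapsed in this view, so the nesting of `selection`, `filter_main_localhost` and `filter_optional_null` under `detection` is inferred rather than visible; it is worth confirming in the committed file that each `IsatapRouter` list sits under its own filter key, since a mis-nested filter would silently change what `not 1 of filter_main_*` excludes. The description's attribution of ISATAP router changes to mitm6-style DHCPv6/DNS takeover reads as a characterization rather than something the visible rule establishes, so a short sentence in `description` pointing to which of the four references documents the ISATAP step would help analysts triaging the medium-severity hit.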