From 678b8c8fea3941573285ea09ded6854ed8fcb62d Mon Sep 17 00:00:00 2001
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com>
Date: Sat, 22 Mar 2025 13:57:11 +0000
Subject: [PATCH 1/5] Create Possible_IPV6_DNS_Takeover.yml

---
 .../Possible_IPV6_DNS_Takeover.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml

diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
new file mode 100644
index 00000000000..4d3989d9d7d
--- /dev/null
+++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
@@ -0,0 +1,29 @@
+title: Possible IPV6 DNS Takeover
+id: d476d1-53a18e-cb907e-d12a01e9b523
+status: test
+description: New ISATAP router was set successfully
+references:
+  - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
+  - https://redfoxsec.com/blog/ipv6-dns-takeover/
+  - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
+author: hamid
+date: 2024-04-02
+tags:
+  - attack.initial_access
+  - attack.privilege_escalation
+  - attack.execution
+  - attack.t1557
+  - attack.t1565.002
+logsource:
+  product: windows
+  service: system
+detection:
+  selection:
+    EventID: 4100
+    Provider_Name: 'Microsoft-Windows-Iphlpsvc'
+  filter:
+    IsatapRouter|contains: '127.0.0.1'
+  condition: selection and not filter
+falsepositives:
+  - Unknown
+level: high

From 50343153fc6851c1a7c9865fc502ebd0bc6c3c75 Mon Sep 17 00:00:00 2001
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com>
Date: Sat, 22 Mar 2025 14:08:09 +0000
Subject: [PATCH 2/5] Update Possible_IPV6_DNS_Takeover.yml

---
 .../microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
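Review bot: The tactic tags in the new rule's `tags` block do not correspond to the technique tags listed beneath them: `attack.t1557` (Adversary-in-the-Middle) belongs to Credential Access and Collection and `attack.t1565.002` (Transmitted Data Manipulation) to Impact, while the rule declares `attack.initial_access`, `attack.privilege_escalation` and `attack.execution`; patch 4 re-spells the first two with hyphens but keeps the same mismatch. Consider `- attack.credential-access`, `- attack.collection` and `- attack.impact` instead, or drop whichever technique ids are not meant. For a `level: high` rule the `description` and `falsepositives` entries are also too thin: the description should state why a newly configured ISATAP router matters (the title and references point at rogue IPv6 router/DNS pushes), and `falsepositives` should replace `Unknown` with something like `- Legitimate ISATAP router configuration in environments that still use ISATAP`. Finally, `IsatapRouter|contains: '127.0.0.1'` is a substring test and would also suppress values such as 127.0.0.10; an exact `IsatapRouter: '127.0.0.1'` is the tighter filter.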
diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
index 4d3989d9d7d..33e9bd0e9df 100644
--- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
+++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
@@ -1,5 +1,5 @@
 title: Possible IPV6 DNS Takeover
-id: d476d1-53a18e-cb907e-d12a01e9b523
+id: 078d7118-55c-4912-a836-cc6483a8d152
 status: test
 description: New ISATAP router was set successfully
 references:

From 07c79ab3a08338bb733f9868fa702b9a985f8fbf Mon Sep 17 00:00:00 2001
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com>
Date: Sat, 22 Mar 2025 14:11:25 +0000
Subject: [PATCH 3/5] Update Possible_IPV6_DNS_Takeover.yml

---
 .../microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
index 33e9bd0e9df..fa844851ffe 100644
--- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
+++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
@@ -1,5 +1,5 @@
 title: Possible IPV6 DNS Takeover
-id: 078d7118-55c-4912-a836-cc6483a8d152
+id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
 status: test
 description: New ISATAP router was set successfully
 references:

From 981a845954205bcf86400faae89a6257caa5ef87 Mon Sep 17 00:00:00 2001
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com>
Date: Sat, 22 Mar 2025 14:16:46 +0000
Subject: [PATCH 4/5] Update and rename Possible_IPV6_DNS_Takeover.yml to win_system_possible_ipv6_dns_takeover.yml

---
 ...Takeover.yml => win_system_possible_ipv6_dns_takeover.yml} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename rules/windows/builtin/system/microsoft_windows_IphIpsvc/{Possible_IPV6_DNS_Takeover.yml => win_system_possible_ipv6_dns_takeover.yml} (92%)

diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml
similarity index 92%
rename from rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
rename to rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml
index fa844851ffe..092475bd1ef 100644
--- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/Possible_IPV6_DNS_Takeover.yml
+++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml
@@ -9,8 +9,8 @@ references:
 author: hamid
 date: 2024-04-02
 tags:
-  - attack.initial_access
-  - attack.privilege_escalation
+  - attack.initial-access
+  - attack.privilege-escalation
   - attack.execution
   - attack.t1557
   - attack.t1565.002

From a6f05c03b54ddd093fa6a21b7b136f57a49c6bee Mon Sep 17 00:00:00 2001
From: NinnessOtu <154692418+NinnessOtu@users.noreply.github.com>
Date: Mon, 24 Mar 2025 09:54:33 +0000
Subject: [PATCH 5/5] Update rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../win_system_possible_ipv6_dns_takeover.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
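Review bot: The rename normalises the file name but leaves it under the directory `microsoft_windows_IphIpsvc`, which appears not to match the provider the rule keys on, `Microsoft-Windows-Iphlpsvc` (the IP Helper service) — the directory name looks like a typo with a capital I where the provider has a lowercase l. If the directory is meant to mirror the provider name so the rule can be found by service, it should be renamed in the same move; if the directory is intentional, a short note in the PR description saying so would avoid the question. The tactic tags edited in this hunk are only re-spelled here, so any reconsideration of which tactics belong with `attack.t1557` and `attack.t1565.002` would land in this hunk as well.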
diff --git a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml
index 092475bd1ef..d572b9089ea 100644
--- a/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml
+++ b/rules/windows/builtin/system/microsoft_windows_IphIpsvc/win_system_possible_ipv6_dns_takeover.yml
@@ -1,6 +1,6 @@
 title: Possible IPV6 DNS Takeover
 id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
-status: test
+status: experimental
 description: New ISATAP router was set successfully
 references:
   - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/