The ISATAP protocol was originally designed for communication within a network. SecurityHQ's Digital Forensic and Incident Response (DFIR) team found that it is being exploited by cyber actors to breach the security of Windows Server.
The researchers discovered that an external actor had configured a malicious ISATAP tunnel from an internal IPv6 network directly to a "command and control" IP address, establishing a network bridge between the internal network and the attacker's network.
This unauthorized connection bypassed existing network security measures, allowing the attacker to gain control of the network without being detected by any security control.
While this tactic is not currently associated with any specific cyberattack or APT group, it poses a potential threat that can be exploited in the future.
Malicious Tunnel Detection
- Monitor communication to suspicious IPs and ports within your network.
- Check Windows System Event IDs 4100 (ISATAP Address Settings) and 4200 (ISATAP Tunnel Enabled) in the Event Viewer logs.
- Review the changes made to the 'IPEnableRouter' registry settings on Windows servers, as unexpected modifications may indicate malicious activity.
- Examine the DNS server logs of the network for events related to the activation or configuration of the 'ISATAP' protocol.
Mitigation Steps
- To check whether ISATAP is active, run the following at a command prompt or in PowerShell: netsh interface ipv6 isatap show state
- To disable the tunnel, run: netsh interface ipv6 isatap set state disabled
If you are not actively using the ISATAP protocol, consider disabling it on all Windows servers by applying a Group Policy Object (GPO).
If you detect an active ISATAP tunnel or any suspicious activity, immediately contact your incident response team to investigate the initial vector and take the actions needed to contain a potentially ongoing attack.
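The detection and mitigation steps above, combined into a single host audit. This is an added example, not a script from the SecurityHQ advisory; it assumes the built-in NetworkTransition, NetTCPIP and Diagnostics cmdlets of a current Windows Server, the standard Tcpip\Parameters location of the IPEnableRouter value, and an elevated session.

```powershell
# Added example: audit a Windows Server for the ISATAP indicators listed above.
# Assumes Get-NetIsatapConfiguration / Get-NetIPInterface / Get-NetRoute / Get-WinEvent
# (standard on Windows Server 2012+). Run elevated; pass -Disable to remediate.
param(
    [switch]$Disable,
    [int]$LookbackDays = 30
)

$findings = [ordered]@{}

# 1. ISATAP state (same information as: netsh interface ipv6 isatap show state)
$isatap = Get-NetIsatapConfiguration
$findings.IsatapState  = $isatap.State      # Default / Automatic / Enabled / Disabled
$findings.IsatapRouter = $isatap.Router     # a router name you did not configure is a red flag

# 2. ISATAP tunnel interfaces that are up, and where their routes point
$findings.IsatapInterfaces = @(Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.ConnectionState -eq 'Connected' } |
    Select-Object InterfaceAlias, ConnectionState)
$findings.IsatapRoutes = @(Get-NetRoute -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.NextHop -ne '::' } |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop)   # NextHop = tunnel endpoint

# 3. IPEnableRouter: 1 makes the host forward packets between interfaces (the "bridge")
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$findings.IPEnableRouter = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter `
    -ErrorAction SilentlyContinue).IPEnableRouter   # $null or 0 = forwarding off

# 4. Event IDs 4100 / 4200 in the System log, as named in the detection steps
$since = (Get-Date).AddDays(-$LookbackDays)
$findings.IsatapEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 4100, 4200; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message)

# Escalate to IR if any indicator is present
$findings.Suspicious = ($findings.IPEnableRouter -eq 1) -or
                       ($findings.IsatapInterfaces.Count -gt 0) -or
                       ($findings.IsatapRoutes.Count -gt 0) -or
                       ($findings.IsatapEvents.Count -gt 0)

if ($Disable) {
    # Same effect as: netsh interface ipv6 isatap set state disabled
    Set-NetIsatapConfiguration -State Disabled
    $findings.IsatapStateAfter = (Get-NetIsatapConfiguration).State
}

[pscustomobject]$findings
```

Save the script and run it on each server (for example via a remoting session) before rolling out the GPO, so that a host already showing an active tunnel is handed to incident response rather than silently remediated.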

