T1557.003

DHCP Spoofing

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials sent over insecure, unencrypted protocols. Rogue DHCP servers can distribute malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks via INFORMATION-REQUEST responses. Adversaries may also abuse DHCP to perform starvation attacks by exhausting the DHCP allocation pool with spoofed DISCOVER messages.

Microsoft Sentinel / Defender

kusto

let RogueDHCPTools = dynamic(["yersinia", "dhcpig", "gobbler", "dhcpstarv", "ettercap", "bettercap", "mitm6", "dhcp6"]);
let ScriptInterpreters = dynamic(["python.exe", "python3", "python", "ruby", "perl", "bash", "sh", "pwsh.exe", "powershell.exe"]);
let DHCPKeywords = dynamic(["dhcp", "rogue", "responder", "bootp", "dhcpig", "dhcpstarv", "dhcp6", "mitm6"]);
// Branch 1: Unauthorized processes binding to UDP port 67 (DHCP server port)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where LocalPort == 67 or RemotePort == 67
| where Protocol == "Udp" or isnull(Protocol)
| where InitiatingProcessFileName !in~ ("svchost.exe", "System")
| extend IsKnownTool = InitiatingProcessFileName has_any (RogueDHCPTools)
| extend IsInterpreterWithDHCP = (InitiatingProcessFileName has_any (ScriptInterpreters)
    and InitiatingProcessCommandLine has_any (DHCPKeywords))
| extend DetectionType = "DHCP_Port67_Binding"
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         ProcessName = InitiatingProcessFileName,
         CommandLine = InitiatingProcessCommandLine,
         LocalIP, RemoteIP, LocalPort, RemotePort,
         IsKnownTool, IsInterpreterWithDHCP, DetectionType
| union (
    // Branch 2: Known DHCP attack tool execution
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName has_any (RogueDHCPTools)
        or (FileName has_any (ScriptInterpreters) and ProcessCommandLine has_any (DHCPKeywords))
        or ProcessCommandLine has_any (RogueDHCPTools)
        or (ProcessCommandLine has "mitm6" or ProcessCommandLine has "dhcp6")
    | extend IsKnownTool = FileName has_any (RogueDHCPTools)
    | extend IsInterpreterWithDHCP = FileName has_any (ScriptInterpreters)
    | extend DetectionType = "DHCP_Tool_Execution"
    | project Timestamp, DeviceName, AccountName,
             ProcessName = FileName, CommandLine = ProcessCommandLine,
             LocalIP = "", RemoteIP = "", LocalPort = int(null), RemotePort = int(null),
             IsKnownTool, IsInterpreterWithDHCP, DetectionType
)
| union (
    // Branch 3: DNS configuration registry changes (DHCP-pushed malicious DNS indicator)
    DeviceRegistryEvents
    | where Timestamp > ago(24h)
    | where RegistryKey has "Tcpip\\Parameters\\Interfaces"
    | where RegistryValueName in~ ("DhcpNameServer", "NameServer", "DhcpDefaultGateway", "DhcpSubnetMaskOpt")
    | where InitiatingProcessFileName !in~ ("svchost.exe", "System", "lsass.exe")
    | extend IsKnownTool = false
    | extend IsInterpreterWithDHCP = false
    | extend DetectionType = "DHCP_DNS_Config_Change"
    | project Timestamp, DeviceName,
             AccountName = InitiatingProcessAccountName,
             ProcessName = InitiatingProcessFileName,
             CommandLine = strcat("Registry: ", RegistryKey, " => ", RegistryValueName, "=", RegistryValueData),
             LocalIP = "", RemoteIP = "", LocalPort = int(null), RemotePort = int(null),
             IsKnownTool, IsInterpreterWithDHCP, DetectionType
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents DeviceRegistryEvents

False Positives

Legitimate DHCP servers (Windows Server DHCP role, ISC DHCP) running on authorized servers — svchost.exe hosts the Windows DHCP service but other dedicated DHCP daemons may appear as unexpected processes
Network virtualization software (VMware Workstation, Hyper-V, VirtualBox) running internal DHCP services for virtual networks on developer or lab machines
Docker Desktop or Podman Desktop on developer workstations running DHCP for container bridge networks
Network testing tools used by administrators for DHCP scope capacity planning or network auditing (dhcpdump, dhcplease-watch)
pfSense, OPNsense, or similar software router appliances if monitored as endpoints in the EDR environment

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")
  (EventCode=1 OR EventCode=3 OR EventCode=13)
| eval lower_image=lower(Image)
| eval lower_cmdline=lower(CommandLine)
| eval lower_destip=coalesce(DestinationIp, "")
| eval lower_regval=lower(coalesce(Details, ""))
| eval lower_regkey=lower(coalesce(TargetObject, ""))
(
  (
    EventCode=3
    AND (DestinationPort=67 OR SourcePort=67)
    AND NOT (lower_image LIKE "%\\svchost.exe" OR lower_image="system")
  )
  OR
  (
    EventCode=1
    AND (
      match(lower_image, "(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6)")
      OR match(lower_cmdline, "(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6)")
      OR (match(lower_image, "(python|ruby|perl|bash|pwsh|powershell)") AND match(lower_cmdline, "(dhcp|bootp|rogue.*dhcp|dhcp.*spoof|mitm6|dhcp6)"))
    )
  )
  OR
  (
    EventCode=13
    AND match(lower_regkey, "tcpip\\\\parameters\\\\interfaces")
    AND match(lower_regkey, "(dhcpnameserver|nameserver|dhcpdefaultgateway)")
    AND NOT (lower_image LIKE "%\\svchost.exe" OR lower_image="system" OR lower_image LIKE "%\\lsass.exe")
  )
)
| eval DetectionType=case(
    EventCode=3 AND (DestinationPort=67 OR SourcePort=67), "DHCP_Port67_Binding",
    EventCode=1 AND match(lower_image, "(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6)"), "Known_DHCP_Attack_Tool",
    EventCode=1, "Interpreter_With_DHCP_Keywords",
    EventCode=13, "DHCP_DNS_Registry_Change",
    true(), "Unknown")
| eval RiskScore=case(
    DetectionType="Known_DHCP_Attack_Tool", 100,
    DetectionType="DHCP_Port67_Binding", 75,
    DetectionType="Interpreter_With_DHCP_Keywords", 60,
    DetectionType="DHCP_DNS_Registry_Change", 50,
    true(), 10)
| table _time, host, User, Image, CommandLine, DestinationIp, DestinationPort, SourcePort, TargetObject, Details, DetectionType, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Process: Process Creation Windows Registry: Windows Registry Key Modification Sysmon Event IDs 1, 3, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate DHCP servers running authorized DHCP services — add known DHCP server hostnames to an allowlist using NOT host IN (allowlist)
VMware, VirtualBox, or Hyper-V virtual network adapters running DHCP for guest VMs on developer workstations
Docker or Podman container bridge network DHCP services on developer or CI/CD build machines
Network administrators using packet crafting tools (Scapy, dhcpdump) for authorized network diagnostics
DHCP relay agents or helper-address configurations on routers that legitimately forward DHCP on port 67

Elastic Security (EQL)

eql

any where (
  /* Branch 1: Unauthorized process binding to UDP port 67 (DHCP server port) */
  (
    event.category == "network" and
    event.type == "start" and
    network.transport == "udp" and
    (destination.port == 67 or source.port == 67) and
    process.name != null and
    process.name != "svchost.exe" and
    process.name != "System"
  ) or
  /* Branch 2: Known DHCP attack tools or interpreters with DHCP-related keywords */
  (
    event.category == "process" and
    event.type == "start" and
    (
      process.name in~ ("yersinia", "dhcpig", "gobbler", "dhcpstarv", "ettercap", "bettercap", "mitm6", "dhcp6") or
      process.command_line like~ "*yersinia*" or
      process.command_line like~ "*dhcpig*" or
      process.command_line like~ "*gobbler*" or
      process.command_line like~ "*dhcpstarv*" or
      process.command_line like~ "*ettercap*" or
      process.command_line like~ "*bettercap*" or
      process.command_line like~ "*mitm6*" or
      process.command_line like~ "*dhcp6*" or
      (
        process.name in~ ("python.exe", "python3", "python", "ruby", "perl", "bash", "sh", "pwsh.exe", "powershell.exe") and
        (
          process.command_line like~ "*dhcp*" or
          process.command_line like~ "*bootp*" or
          process.command_line like~ "*mitm6*" or
          process.command_line like~ "*dhcp6*"
        )
      )
    )
  ) or
  /* Branch 3: DHCP-pushed DNS/gateway registry modifications by non-system processes */
  (
    event.category == "registry" and
    event.type in ("change", "creation") and
    registry.path like~ "*\\Tcpip\\Parameters\\Interfaces\\*" and
    registry.value.name in~ ("DhcpNameServer", "NameServer", "DhcpDefaultGateway", "DhcpSubnetMaskOpt") and
    process.name != "svchost.exe" and
    process.name != "System" and
    process.name != "lsass.exe"
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Agent Winlogbeat with Sysmon module Auditbeat (Linux)

Required Tables

process network registry

False Positives

Authorized DHCP server software (ISC DHCPD, Windows DHCP Server service on a dedicated server) whose managing process is not svchost.exe — add host-level exclusions for designated DHCP infrastructure hostnames
Network security and monitoring tools (Wireshark, Scapy-based scripts, nmap with DHCP probe scripts) executed by authorized network engineers performing legitimate network audits or troubleshooting
IT configuration management agents (Ansible, Chef, Puppet, SCCM client) that use Python or PowerShell to manage DNS/gateway settings and may reference DHCP library names or keywords in their scripts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  destinationip,
  LONG(sourceport) AS source_port,
  LONG(destinationport) AS dest_port,
  QIDNAME(qid) AS event_name,
  "Process Image" AS process_image,
  "Command Line" AS command_line,
  "Target Object" AS registry_key,
  "Details" AS registry_value,
  CASE
    WHEN (LONG(destinationport) = 67 OR LONG(sourceport) = 67)
      AND LOWER("Process Image") NOT LIKE '%svchost.exe'
      AND LOWER("Process Image") != 'system'
      THEN 'DHCP_Port67_Binding'
    WHEN LOWER("Process Image") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*'
      THEN 'Known_DHCP_Attack_Tool'
    WHEN LOWER("Command Line") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*'
      THEN 'DHCP_Tool_In_CommandLine'
    WHEN LOWER("Target Object") MATCHES '.*tcpip.*parameters.*interfaces.*'
      THEN 'DHCP_DNS_Registry_Change'
    ELSE 'Interpreter_With_DHCP_Keywords'
  END AS detection_type,
  CASE
    WHEN LOWER("Process Image") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*' THEN 100
    WHEN (LONG(destinationport) = 67 OR LONG(sourceport) = 67) THEN 75
    WHEN LOWER("Command Line") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*' THEN 65
    WHEN LOWER("Command Line") MATCHES '.*(dhcp|bootp|mitm6|dhcp6|rogue).*' THEN 60
    ELSE 50
  END AS risk_score
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Sysmon', 'Microsoft Windows Security Event Log', 'Linux OS')
  AND (
    (
      (LONG(destinationport) = 67 OR LONG(sourceport) = 67)
      AND LOWER("Process Image") NOT LIKE '%svchost.exe'
      AND LOWER("Process Image") != 'system'
    )
    OR LOWER("Process Image") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*'
    OR LOWER("Command Line") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*'
    OR (
      LOWER("Process Image") MATCHES '.*(python|ruby|perl|bash|sh|pwsh|powershell).*'
      AND LOWER("Command Line") MATCHES '.*(dhcp|bootp|rogue|mitm6|dhcp6|dhcpstarv|dhcpig).*'
    )
    OR (
      LOWER("Target Object") MATCHES '.*tcpip.*parameters.*interfaces.*'
      AND (
        LOWER("Target Object") MATCHES '.*(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt).*'
        OR LOWER("Details") MATCHES '.*(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt).*'
      )
      AND LOWER("Process Image") NOT LIKE '%svchost.exe'
      AND LOWER("Process Image") != 'system'
      AND LOWER("Process Image") NOT LIKE '%lsass.exe'
    )
  )
ORDER BY risk_score DESC, starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Sysmon DSM (Windows) Microsoft Windows Security Event Log DSM Linux OS DSM

Required Tables

events

False Positives

Authorized DHCP server or relay infrastructure whose management process differs from svchost.exe — whitelist known DHCP server IP addresses and hostnames in a QRadar reference set and add a NOT INCIDR() exclusion
Network engineering teams running port 67 probes with Scapy, nmap, or custom Python scripts during authorized network audits — correlate against change management records and authorized scanner asset groups
IT automation platforms (Ansible Tower, SCCM, Intune) using PowerShell or Python agents that reference DHCP library names during endpoint provisioning or DNS configuration management tasks

Sumo Logic CSE

sql

(_sourceCategory="os/windows/sysmon" OR _sourceCategory="windows/sysmon/operational" OR _sourceCategory="endpoint/windows/sysmon")
| parse regex "<EventID>(?P<event_id>\d+)</EventID>" nodrop
| parse regex "<Data Name='Image'>(?P<process_image>[^<]+)</Data>" nodrop
| parse regex "<Data Name='CommandLine'>(?P<command_line>[^<]+)</Data>" nodrop
| parse regex "<Data Name='DestinationPort'>(?P<dest_port>\d+)</Data>" nodrop
| parse regex "<Data Name='SourcePort'>(?P<source_port>\d+)</Data>" nodrop
| parse regex "<Data Name='TargetObject'>(?P<registry_key>[^<]+)</Data>" nodrop
| parse regex "<Data Name='Details'>(?P<registry_value>[^<]+)</Data>" nodrop
| parse regex "<Data Name='User'>(?P<username>[^<]+)</Data>" nodrop
| parse regex "<Data Name='Computer'>(?P<hostname>[^<]+)</Data>" nodrop
| where event_id in ("1","3","13")
| toLowerCase(process_image) as lower_image
| toLowerCase(command_line) as lower_cmdline
| toLowerCase(registry_key) as lower_regkey
| where (
    (
      event_id = "3"
      AND (dest_port = "67" OR source_port = "67")
      AND !(matches(lower_image, ".*svchost\.exe") OR lower_image = "system")
    )
    OR (
      event_id = "1"
      AND (
        matches(lower_image, ".*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*")
        OR matches(lower_cmdline, ".*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*")
        OR (
          matches(lower_image, ".*(python|ruby|perl|bash|sh|pwsh|powershell).*")
          AND matches(lower_cmdline, ".*(dhcp|bootp|mitm6|dhcp6|rogue|dhcpstarv|dhcpig).*")
        )
      )
    )
    OR (
      event_id = "13"
      AND matches(lower_regkey, ".*tcpip.*parameters.*interfaces.*")
      AND (
        matches(lower_regkey, ".*(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt).*")
        OR matches(registry_value, ".*(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt).*")
      )
      AND !(
        matches(lower_image, ".*svchost\.exe")
        OR lower_image = "system"
        OR matches(lower_image, ".*lsass\.exe")
      )
    )
  )
| if (event_id = "3" AND (dest_port = "67" OR source_port = "67"), "DHCP_Port67_Binding",
    if (matches(lower_image, ".*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*"), "Known_DHCP_Attack_Tool",
        if (event_id = "13", "DHCP_DNS_Registry_Change",
            if (matches(lower_cmdline, ".*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*"), "DHCP_Tool_In_CommandLine",
                "Interpreter_With_DHCP_Keywords")))) as detection_type
| if (detection_type = "Known_DHCP_Attack_Tool", 100,
    if (detection_type = "DHCP_Port67_Binding", 75,
        if (detection_type = "DHCP_Tool_In_CommandLine", 65,
            if (detection_type = "Interpreter_With_DHCP_Keywords", 60, 50)))) as risk_score
| fields _messageTime, hostname, username, process_image, command_line, dest_port, source_port, registry_key, registry_value, detection_type, risk_score
| sort by risk_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Sysmon XML events) Sumo Logic Cloud SIEM Enterprise endpoint normalization

Required Tables

_sourceCategory=os/windows/sysmon

False Positives

Authorized network device management processes on DHCP infrastructure servers that are not svchost.exe — create allowlist lookup tables by hostname and process name to suppress these sources
Security operations tooling (Tenable, Qualys, or custom Scapy-based network discovery scripts) run against the network for asset discovery that probe DHCP behavior on port 67
MDM or endpoint management platforms (Microsoft Intune, Jamf) that deploy PowerShell or Python scripts modifying DNS registry settings during device enrollment or policy enforcement

Google Chronicle / SecOps

yaral

rule t1557_003_dhcp_spoofing {
  meta:
    author = "Detection Engineering - Argus"
    description = "Detects DHCP spoofing (T1557.003) via unauthorized port 67 binding, known DHCP attack tool execution, script interpreters with DHCP keywords, and registry DNS config modification via rogue DHCP push"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1557.003"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "Windows, Linux"
    version = "1.0"

  events:
    (
      /* Branch 1: Unauthorized process binding to UDP port 67 */
      (
        $e.metadata.event_type = "NETWORK_CONNECTION" and
        ($e.target.port = 67 or $e.principal.port = 67) and
        $e.network.ip_protocol = "UDP" and
        not re.regex($e.principal.process.file.full_path, `(?i)[/\\]svchost\.exe$`) and
        $e.principal.process.file.full_path != "System"
      )
      or
      /* Branch 2a: Known DHCP attack tool — process name match */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)`)
      )
      or
      /* Branch 2b: DHCP attack tool keyword in command line */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        not re.regex($e.target.process.file.full_path, `(?i)(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)`) and
        re.regex($e.target.process.command_line, `(?i)(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)`)
      )
      or
      /* Branch 2c: Script interpreter invoking DHCP attack libraries or keywords */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)[/\\](python[23]?|ruby|perl|bash|sh|pwsh|powershell)(\.exe)?$`) and
        re.regex($e.target.process.command_line, `(?i)(dhcp|bootp|rogue.*dhcp|dhcp.*spoof|mitm6|dhcp6|dhcpstarv|dhcpig)`)
      )
      or
      /* Branch 3: Registry DNS/gateway config modified by non-system process (DHCP-pushed settings) */
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" and
        re.regex($e.target.registry.registry_key, `(?i)Tcpip\\Parameters\\Interfaces`) and
        re.regex($e.target.registry.registry_value_name, `(?i)^(DhcpNameServer|NameServer|DhcpDefaultGateway|DhcpSubnetMaskOpt)$`) and
        not re.regex($e.principal.process.file.full_path, `(?i)[/\\](svchost|lsass)\.exe$`) and
        $e.principal.process.file.full_path != "System"
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (via Endpoint Detection forwarding) Windows Event Forwarding to Chronicle CrowdStrike/SentinelOne/Carbon Black feeds to Chronicle

Required Tables

process network registry

False Positives

Legitimate DHCP server or relay processes on authorized network infrastructure whose executable path does not end in svchost.exe — add principal.hostname exclusions for known DHCP server assets using reference lists
Authorized red team or penetration testing engagements using Metasploit DHCP starvation modules or mitm6 — correlate against authorized testing windows stored in a Chronicle reference list keyed by source IP
IT provisioning workflows where MDM agents use Python or PowerShell to configure DNS entries or gateway settings during OS imaging, particularly when the script path contains keywords like 'dhcp_config' or 'dhcp_setup'

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|NetworkConnectIP4|NetworkConnectIP6)$/
| eval lower_image = lower(FileName)
| eval lower_cmdline = lower(CommandLine)
| case {
    /* Branch 1: Unauthorized process connecting to/from UDP port 67 */
    #event_simpleName = /^NetworkConnect/ {
      | where LocalPort = 67 OR RemotePort = 67
      | where lower_image != "svchost.exe" AND lower_image != "system"
      | eval DetectionType = "DHCP_Port67_Binding"
      | eval RiskScore = 75
    } ;
    /* Branch 2: Known DHCP attack tools or interpreters with DHCP keywords */
    #event_simpleName = "ProcessRollup2" {
      | where
          match(lower_image, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)")
          OR match(lower_cmdline, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)")
          OR (
            match(lower_image, regex="(python|ruby|perl|bash|sh|pwsh|powershell)")
            AND match(lower_cmdline, regex="(dhcp|bootp|mitm6|dhcp6|rogue|dhcpstarv|dhcpig)")
          )
      | eval IsKnownTool = if(
          match(lower_image, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)"),
          "true", "false")
      | eval IsCmdLineMatch = if(
          not match(lower_image, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)")
          AND match(lower_cmdline, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)"),
          "true", "false")
      | eval DetectionType = case(
          IsKnownTool = "true", "Known_DHCP_Attack_Tool",
          IsCmdLineMatch = "true", "DHCP_Tool_In_CommandLine",
          "Interpreter_With_DHCP_Keywords")
      | eval RiskScore = case(
          DetectionType = "Known_DHCP_Attack_Tool", 100,
          DetectionType = "DHCP_Tool_In_CommandLine", 65,
          60)
    }
  }
| table([@timestamp, ComputerName, UserName, UserSid, FileName, CommandLine, LocalIP, RemoteIP, LocalPort, RemotePort, SHA256HashData, MD5HashData, DetectionType, RiskScore])
| sort(RiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Agent (ProcessRollup2) CrowdStrike Falcon Network Events (NetworkConnectIP4, NetworkConnectIP6)

Required Tables

ProcessRollup2 NetworkConnectIP4 NetworkConnectIP6

False Positives

DHCP client renewal traffic and endpoint provisioning processes that are not svchost.exe — on Linux endpoints, dhclient or NetworkManager may legitimately use port 67 and should be baselined per environment
Authorized network assessment scripts using Scapy, Python's dhcppython library, or custom DHCP probing tools run by network engineers — identify authorized scanner hostnames and add ComputerName exclusions
Development and QA environments where engineers test DHCP protocol implementations using Python or Bash scripts that reference DHCP library imports or protocol keywords in their arguments

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1557.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB Relay T1557.002ARP Cache Poisoning T1557.004Evil Twin

DHCP Spoofing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections