Detect DHCP Spoofing in Google Chronicle
Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials sent over insecure, unencrypted protocols. Rogue DHCP servers can distribute malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks via INFORMATION-REQUEST responses. Adversaries may also abuse DHCP to perform starvation attacks by exhausting the DHCP allocation pool with spoofed DISCOVER messages.
MITRE ATT&CK
- Tactic
- Credential Access, Collection
- Technique
- T1557 Adversary-in-the-Middle
- Sub-technique
- T1557.003 DHCP Spoofing
- Canonical reference
- https://attack.mitre.org/techniques/T1557/003/
YARA-L Detection Query
rule t1557_003_dhcp_spoofing {
  meta:
    author = "Detection Engineering - Argus"
    description = "Detects DHCP spoofing (T1557.003) via unauthorized port 67 binding, known DHCP attack tool execution, script interpreters with DHCP keywords, and registry DNS config modification via rogue DHCP push"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1557.003"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "Windows, Linux"
    version = "1.0"

  events:
    (
      /* Branch 1: Unauthorized process binding to UDP port 67 */
      (
        $e.metadata.event_type = "NETWORK_CONNECTION" and
        ($e.target.port = 67 or $e.principal.port = 67) and
        $e.network.ip_protocol = "UDP" and
        not re.regex($e.principal.process.file.full_path, `(?i)[/\\]svchost\.exe$`) and
        $e.principal.process.file.full_path != "System"
      )
      or
      /* Branch 2a: Known DHCP attack tool — process name match */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)`)
      )
      or
      /* Branch 2b: DHCP attack tool keyword in command line */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        not re.regex($e.target.process.file.full_path, `(?i)(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)`) and
        re.regex($e.target.process.command_line, `(?i)(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)`)
      )
      or
      /* Branch 2c: Script interpreter invoking DHCP attack libraries or keywords */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path, `(?i)[/\\](python[23]?|ruby|perl|bash|sh|pwsh|powershell)(\.exe)?$`) and
        re.regex($e.target.process.command_line, `(?i)(dhcp|bootp|rogue.*dhcp|dhcp.*spoof|mitm6|dhcp6|dhcpstarv|dhcpig)`)
      )
      or
      /* Branch 3: Registry DNS/gateway config modified by non-system process (DHCP-pushed settings) */
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" and
        re.regex($e.target.registry.registry_key, `(?i)Tcpip\\Parameters\\Interfaces`) and
        re.regex($e.target.registry.registry_value_name, `(?i)^(DhcpNameServer|NameServer|DhcpDefaultGateway|DhcpSubnetMaskOpt)$`) and
        not re.regex($e.principal.process.file.full_path, `(?i)[/\\](svchost|lsass)\.exe$`) and
        $e.principal.process.file.full_path != "System"
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1557.003 DHCP Spoofing across four event patterns using the Unified Data Model (UDM). Branch 1 detects unauthorized processes connecting via UDP to/from port 67. Branches 2a/2b/2c detect known DHCP attack tools by process path, command line, or interpreter with DHCP keywords. Branch 3 detects rogue DHCP-pushed DNS server or gateway modifications in the Windows registry by non-system processes. The condition fires on any single matching event.
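The following is an added example, not Chronicle code and not part of the original detection package: a Python re-implementation of the four branches above over UDM-shaped event dictionaries, so the regexes and the svchost/System exclusions can be exercised offline before the rule is deployed. The event records, process paths and command lines are constructed for illustration; the field names mirror the UDM paths used in the rule.

```python
"""Reference implementation of the four branches of t1557_003_dhcp_spoofing over UDM-shaped
event dicts, so the regexes and exclusions can be exercised offline before the rule is deployed.
Added example, not Chronicle code and not part of the original page; the events are constructed."""
import re

# Patterns copied from the YARA-L rule
TOOLS = re.compile(r"(?i)(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)")
INTERPRETER = re.compile(r"(?i)[/\\](python[23]?|ruby|perl|bash|sh|pwsh|powershell)(\.exe)?$")
DHCP_KEYWORDS = re.compile(r"(?i)(dhcp|bootp|rogue.*dhcp|dhcp.*spoof|mitm6|dhcp6|dhcpstarv|dhcpig)")
SVCHOST = re.compile(r"(?i)[/\\]svchost\.exe$")
SYSTEM_PROCS = re.compile(r"(?i)[/\\](svchost|lsass)\.exe$")
REG_KEY = re.compile(r"(?i)Tcpip\\Parameters\\Interfaces")
REG_VALUE = re.compile(r"(?i)^(DhcpNameServer|NameServer|DhcpDefaultGateway|DhcpSubnetMaskOpt)$")


def field(event: dict, path: str, default=""):
    """Walk a dotted UDM path such as 'principal.process.file.full_path'; missing -> default."""
    node = event
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
        if node is None:
            return default
    return node


def match_branches(event: dict) -> list:
    """Return the rule branches the event satisfies; an empty list means no detection."""
    hits = []
    etype = field(event, "metadata.event_type")
    ppath = field(event, "principal.process.file.full_path")
    tpath = field(event, "target.process.file.full_path")
    cmd = field(event, "target.process.command_line")
    # Branch 1: UDP traffic to/from port 67 by anything other than the Windows service host process
    if (etype == "NETWORK_CONNECTION"
            and 67 in (field(event, "target.port"), field(event, "principal.port"))
            and field(event, "network.ip_protocol") == "UDP"
            and not SVCHOST.search(ppath) and ppath != "System"):
        hits.append("1")
    if etype == "PROCESS_LAUNCH":
        if TOOLS.search(tpath):          # 2a: tool name in the image path
            hits.append("2a")
        elif TOOLS.search(cmd):          # 2b: tool name only in the command line
            hits.append("2b")
        if INTERPRETER.search(tpath) and DHCP_KEYWORDS.search(cmd):   # 2c: interpreter + DHCP keyword
            hits.append("2c")
    # Branch 3: DHCP-derived DNS/gateway registry values written by a non-system process
    if (etype == "REGISTRY_MODIFICATION"
            and REG_KEY.search(field(event, "target.registry.registry_key"))
            and REG_VALUE.search(field(event, "target.registry.registry_value_name"))
            and not SYSTEM_PROCS.search(ppath) and ppath != "System"):
        hits.append("3")
    return hits


def run_rule(events) -> list:
    """Evaluate every event; return (index, branches) for those that would fire the rule."""
    return [(i, match_branches(e)) for i, e in enumerate(events) if match_branches(e)]


def _proc(path: str, cmd: str = "") -> dict:
    """Helper to build the process sub-document of a UDM noun (constructed shape)."""
    return {"process": {"file": {"full_path": path}, "command_line": cmd}}


# Constructed UDM-shaped events: two benign (Windows DHCP client activity) and four that should fire
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "NETWORK_CONNECTION"}, "network": {"ip_protocol": "UDP"},
     "principal": dict(port=68, **_proc(r"C:\Windows\System32\svchost.exe")), "target": {"port": 67}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"}, "network": {"ip_protocol": "UDP"},
     "principal": dict(port=67, **_proc("/usr/bin/python3")), "target": {"port": 68}},
    {"metadata": {"event_type": "PROCESS_LAUNCH"},
     "target": _proc("/usr/bin/python3", "python3 /opt/tools/mitm6.py")},
    {"metadata": {"event_type": "PROCESS_LAUNCH"},
     "target": _proc("/usr/bin/yersinia", "yersinia --help")},
    {"metadata": {"event_type": "REGISTRY_MODIFICATION"},
     "principal": _proc(r"C:\Users\user\Downloads\netcfg.exe"),
     "target": {"registry": {"registry_key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}",
                             "registry_value_name": "DhcpNameServer"}}},
    {"metadata": {"event_type": "REGISTRY_MODIFICATION"},
     "principal": _proc(r"C:\Windows\System32\svchost.exe"),
     "target": {"registry": {"registry_key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}",
                             "registry_value_name": "DhcpNameServer"}}},
]

if __name__ == "__main__":
    for index, branches in run_rule(SAMPLE_EVENTS):
        print(f"event {index}: branches {branches}")
```

Running it shows the first svchost.exe client lease renewal and the svchost.exe registry write stay silent while the python3 socket, the interpreter launch with mitm6 in its command line (2b and 2c together), the yersinia image path and the user-land registry write each fire. Note that an event with no process path at all passes the Branch 1 exclusions here, which is a good reminder to check how sparsely populated principal.process is in your NETWORK_CONNECTION feed before relying on that branch.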
False Positives & Tuning
- Legitimate DHCP server or relay processes on authorized network infrastructure whose executable path does not end in svchost.exe — add principal.hostname exclusions for known DHCP server assets using reference lists
- Authorized red team or penetration testing engagements using Metasploit DHCP starvation modules or mitm6 — correlate against authorized testing windows stored in a Chronicle reference list keyed by source IP
- IT provisioning workflows where MDM agents use Python or PowerShell to configure DNS entries or gateway settings during OS imaging, particularly when the script path contains keywords like 'dhcp_config' or 'dhcp_setup'
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Rogue DHCPv4 Server via Python Scapy
Expected signal: Sysmon EventCode=1: Process Create with Image=python3 and CommandLine containing 'scapy', 'BOOTP', 'DHCP', and 'sendp'. Sysmon EventCode=3: Network Connection from python3 to 255.255.255.255:68 on UDP port 67 (source). Linux auditd: SYSCALL records for socket() with AF_PACKET or AF_INET on port 67. Network: DHCP OFFER packet visible in packet capture with source IP not matching authorized DHCP server.
- Test 2: mitm6 DHCPv6 Adversary-in-the-Middle Attack
Expected signal: Sysmon EventCode=1: Process Create with Image containing 'mitm6' or python3 with 'mitm6' in CommandLine. Sysmon EventCode=3: Network connections on UDP port 547 (DHCPv6 server port) from the mitm6 process. Linux auditd: socket() syscalls creating raw IPv6 sockets. Network: DHCPv6 REPLY packets visible in PCAP containing malicious recursive DNS server (Option 23) pointing to attacker-controlled IPv6 address.
- Test 3: DHCP Starvation Attack with DHCPig
Expected signal: Sysmon EventCode=1: Process Create with python3 and DHCP/BOOTP keywords in CommandLine. Sysmon EventCode=3: High-volume UDP port 67 connections from python3 within a short time window. Linux auditd: Repeated socket() and sendto() syscalls at high frequency. Network: Burst of DHCP DISCOVER packets with varying source MACs visible in PCAP — this pattern is the signature of starvation attacks.
- Test 4: Yersinia DHCP Attack Tool Execution
Expected signal: Sysmon EventCode=1: Process Create with Image='yersinia' or full path to yersinia binary. CommandLine contains '--help' or 'dhcp'. Linux auditd: execve() syscall for yersinia. The binary name 'yersinia' in process creation events is the primary indicator — this is a known attack tool with no legitimate administrative use case.
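Tests 1 and 3 both point to the network-side evidence (an OFFER from an unauthorized server, a burst of DISCOVERs with varying client MACs). The following is an added example, not part of the original page or of Atomic Red Team: a small DHCPv4 parser plus an offline audit that walks a capture, flags OFFER/ACK messages whose sender or server identifier (option 54) is not on an authorized list, reports the DNS (option 6) and router (option 3) settings they push, and flags time windows in which DISCOVERs arrive from many distinct hardware addresses. The authorized-server set, the packet bytes and the timestamps are constructed; the field offsets and option codes follow RFC 2131 and RFC 2132.

```python
"""Offline audit of a DHCPv4 capture: flag OFFER/ACK messages from servers that are not on the
authorized list (with the DNS/router settings they push) and DISCOVER bursts with many distinct
client MACs. Added example, not from the original page; all packet bytes are constructed here."""
import socket
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"                               # RFC 2131 section 3
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54  # RFC 2132 option codes
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
AUTHORIZED_SERVERS = {"10.0.0.1"}                                # assumed: the site's real DHCP server


def _ips(data: bytes) -> list:
    """Decode an option carrying one or more packed IPv4 addresses (options 3, 6, 54)."""
    return [socket.inet_ntoa(data[i:i + 4]) for i in range(0, len(data) - len(data) % 4, 4)]


def parse_dhcp(payload: bytes) -> dict:
    """Parse the 236-byte BOOTP header, the magic cookie and the TLV option area."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = socket.inet_ntoa(payload[16:20])       # address being handed to the client
    chaddr = payload[28:28 + hlen].hex(":")         # client hardware address
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                             # END option
            break
        if code == 0:                               # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = data
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "type": msg_type,
            "server_id": _ips(opts.get(OPT_SERVER_ID, b"")),
            "router": _ips(opts.get(OPT_ROUTER, b"")), "dns": _ips(opts.get(OPT_DNS, b""))}


def build_dhcp(op: int, msg_type: int, mac: bytes, yiaddr: str = "0.0.0.0", ip_opts=None) -> bytes:
    """Build a minimal DHCPv4 message; used only to construct the sample capture below."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)         # op..flags (broadcast)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr) + bytes(8)  # ciaddr yiaddr siaddr giaddr
    hdr += mac.ljust(16, b"\x00") + bytes(64) + bytes(128)                    # chaddr, sname, file
    body = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, ips in (ip_opts or {}).items():
        packed = b"".join(socket.inet_aton(ip) for ip in ips)
        body += bytes([code, len(packed)]) + packed
    return hdr + body + b"\xff"


def audit(packets, authorized=AUTHORIZED_SERVERS, window=5.0, threshold=20) -> list:
    """packets: iterable of (timestamp, src_ip, udp_payload). Returns a list of findings."""
    findings, discover_macs = [], defaultdict(set)
    for ts, src, payload in packets:
        msg = parse_dhcp(payload)
        if msg["type"] in ("OFFER", "ACK"):
            claimed = msg["server_id"][0] if msg["server_id"] else src
            if src not in authorized or claimed not in authorized:
                findings.append({"rule": "rogue_dhcp_server", "src": src, "server_id": claimed,
                                 "victim_mac": msg["chaddr"], "pushed_dns": msg["dns"],
                                 "pushed_router": msg["router"]})
        elif msg["type"] == "DISCOVER":
            discover_macs[int(ts // window)].add(msg["chaddr"])   # distinct MACs per time bucket
    for bucket, macs in sorted(discover_macs.items()):
        if len(macs) >= threshold:
            findings.append({"rule": "dhcp_starvation", "window_start": bucket * window,
                             "distinct_macs": len(macs)})
    return findings


def sample_capture() -> list:
    """Constructed capture: legitimate OFFER, rogue OFFER pushing attacker DNS, DISCOVER burst."""
    victim = bytes.fromhex("001122334455")
    pkts = [(0.0, "10.0.0.1", build_dhcp(2, 2, victim, "10.0.0.50",
                                         {OPT_SERVER_ID: ["10.0.0.1"], OPT_ROUTER: ["10.0.0.1"], OPT_DNS: ["10.0.0.1"]})),
            (0.1, "10.0.0.99", build_dhcp(2, 2, victim, "10.0.0.51",
                                          {OPT_SERVER_ID: ["10.0.0.99"], OPT_ROUTER: ["10.0.0.99"], OPT_DNS: ["10.0.0.99"]}))]
    for n in range(25):   # 25 DISCOVERs with distinct spoofed MACs inside two seconds
        pkts.append((1.0 + n * 0.08, "0.0.0.0", build_dhcp(1, 1, bytes([0xDE, 0xAD, 0, 0, 0, n]))))
    return pkts


if __name__ == "__main__":
    for finding in audit(sample_capture()):
        print(finding)
```

The audit checks both the IP-layer source and the server identifier option, because a rogue server can set option 54 to the legitimate server's address while still sending from its own; either mismatch is reported. The starvation check buckets DISCOVERs by a fixed window and counts distinct chaddr values, which is the "varying source MACs" pattern Test 3 calls the signature of the attack; tune the window and threshold to the lease churn of the segment being monitored.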
References (10)
- https://attack.mitre.org/techniques/T1557/003/
- https://datatracker.ietf.org/doc/html/rfc2131
- https://datatracker.ietf.org/doc/html/rfc3315
- https://isc.sans.edu/forums/diary/new+rogueDHCP+server+malware/6025/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800668(v=ws.11)
- https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- https://github.com/dirkjanm/mitm6
- https://github.com/nicowillis/DHCPig
- https://attack.mitre.org/techniques/T1499/002/
- https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html