T1557.003 Elastic Security · Elastic

Detect DHCP Spoofing in Elastic Security

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials sent over insecure, unencrypted protocols. Rogue DHCP servers can distribute malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks via INFORMATION-REQUEST responses. Adversaries may also abuse DHCP to perform starvation attacks by exhausting the DHCP allocation pool with spoofed DISCOVER messages.

MITRE ATT&CK

Tactic
Credential Access Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.003 DHCP Spoofing
Canonical reference
https://attack.mitre.org/techniques/T1557/003/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where (
  /* Branch 1: Unauthorized process binding to UDP port 67 (DHCP server port) */
  (
    event.category == "network" and
    event.type == "start" and
    network.transport == "udp" and
    (destination.port == 67 or source.port == 67) and
    process.name != null and
    process.name != "svchost.exe" and
    process.name != "System"
  ) or
  /* Branch 2: Known DHCP attack tools or interpreters with DHCP-related keywords */
  (
    event.category == "process" and
    event.type == "start" and
    (
      process.name in~ ("yersinia", "dhcpig", "gobbler", "dhcpstarv", "ettercap", "bettercap", "mitm6", "dhcp6") or
      process.command_line like~ "*yersinia*" or
      process.command_line like~ "*dhcpig*" or
      process.command_line like~ "*gobbler*" or
      process.command_line like~ "*dhcpstarv*" or
      process.command_line like~ "*ettercap*" or
      process.command_line like~ "*bettercap*" or
      process.command_line like~ "*mitm6*" or
      process.command_line like~ "*dhcp6*" or
      (
        process.name in~ ("python.exe", "python3", "python", "ruby", "perl", "bash", "sh", "pwsh.exe", "powershell.exe") and
        (
          process.command_line like~ "*dhcp*" or
          process.command_line like~ "*bootp*" or
          process.command_line like~ "*mitm6*" or
          process.command_line like~ "*dhcp6*"
        )
      )
    )
  ) or
  /* Branch 3: DHCP-pushed DNS/gateway registry modifications by non-system processes */
  (
    event.category == "registry" and
    event.type in ("change", "creation") and
    registry.path like~ "*\\Tcpip\\Parameters\\Interfaces\\*" and
    registry.value.name in~ ("DhcpNameServer", "NameServer", "DhcpDefaultGateway", "DhcpSubnetMaskOpt") and
    process.name != "svchost.exe" and
    process.name != "System" and
    process.name != "lsass.exe"
  )
)
high severity high confidence

Detects T1557.003 DHCP Spoofing across three branches using ECS-normalized events: (1) unauthorized processes binding to UDP port 67, (2) known DHCP attack tools (yersinia, dhcpig, gobbler, dhcpstarv, ettercap, bettercap, mitm6, dhcp6) or script interpreters with DHCP-related command-line keywords, and (3) suspicious modifications to DNS server or gateway registry entries under Tcpip\Parameters\Interfaces by non-system processes, which indicates a rogue DHCP server pushing malicious DNS configuration.

Data Sources

Elastic Endpoint Security AgentWinlogbeat with Sysmon moduleAuditbeat (Linux)

Required Tables

processnetworkregistry

False Positives & Tuning

  • Authorized DHCP server software (ISC DHCPD, Windows DHCP Server service on a dedicated server) whose managing process is not svchost.exe — add host-level exclusions for designated DHCP infrastructure hostnames
  • Network security and monitoring tools (Wireshark, Scapy-based scripts, nmap with DHCP probe scripts) executed by authorized network engineers performing legitimate network audits or troubleshooting
  • IT configuration management agents (Ansible, Chef, Puppet, SCCM client) that use Python or PowerShell to manage DNS/gateway settings and may reference DHCP library names or keywords in their scripts
Download portable Sigma rule (.yml)

Other platforms for T1557.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rogue DHCPv4 Server via Python Scapy

    Expected signal: Sysmon EventCode=1: Process Create with Image=python3 and CommandLine containing 'scapy', 'BOOTP', 'DHCP', and 'sendp'. Sysmon EventCode=3: Network Connection from python3 to 255.255.255.255:68 on UDP port 67 (source). Linux auditd: SYSCALL records for socket() with AF_PACKET or AF_INET on port 67. Network: DHCP OFFER packet visible in packet capture with source IP not matching authorized DHCP server.

  2. Test 2mitm6 DHCPv6 Adversary-in-the-Middle Attack

    Expected signal: Sysmon EventCode=1: Process Create with Image containing 'mitm6' or python3 with 'mitm6' in CommandLine. Sysmon EventCode=3: Network connections on UDP port 547 (DHCPv6 server port) from the mitm6 process. Linux auditd: socket() syscalls creating raw IPv6 sockets. Network: DHCPv6 REPLY packets visible in PCAP containing malicious recursive DNS server (Option 23) pointing to attacker-controlled IPv6 address.

  3. Test 3DHCP Starvation Attack with DHCPig

    Expected signal: Sysmon EventCode=1: Process Create with python3 and DHCP/BOOTP keywords in CommandLine. Sysmon EventCode=3: High-volume UDP port 67 connections from python3 within a short time window. Linux auditd: Repeated socket() and sendto() syscalls at high frequency. Network: Burst of DHCP DISCOVER packets with varying source MACs visible in PCAP — this pattern is the signature of starvation attacks.

  4. Test 4Yersinia DHCP Attack Tool Execution

    Expected signal: Sysmon EventCode=1: Process Create with Image='yersinia' or full path to yersinia binary. CommandLine contains '--help' or 'dhcp'. Linux auditd: execve() syscall for yersinia. The binary name 'yersinia' in process creation events is the primary indicator — this is a known attack tool with no legitimate administrative use case.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1557.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1557.002ARP Cache PoisoningT1557.004Evil Twin

Related Techniques

T1557Adversary-in-the-MiddleT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1040Network SniffingT1565.002Transmitted Data ManipulationT1499.002Service Exhaustion FloodT1071.004DNST1090ProxyT1550.002Pass the HashT1187Forced Authentication

Same Tactic: Credential Access

Popular Detections