T1557.003 CrowdStrike LogScale · LogScale

Detect DHCP Spoofing in CrowdStrike LogScale

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials sent over insecure, unencrypted protocols. Rogue DHCP servers can distribute malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks via INFORMATION-REQUEST responses. Adversaries may also abuse DHCP to perform starvation attacks by exhausting the DHCP allocation pool with spoofed DISCOVER messages.

MITRE ATT&CK

Tactic
Credential Access Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.003 DHCP Spoofing
Canonical reference
https://attack.mitre.org/techniques/T1557/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = /^(ProcessRollup2|NetworkConnectIP4|NetworkConnectIP6)$/
| eval lower_image = lower(FileName)
| eval lower_cmdline = lower(CommandLine)
| case {
    /* Branch 1: Unauthorized process connecting to/from UDP port 67 */
    #event_simpleName = /^NetworkConnect/ {
      | where LocalPort = 67 OR RemotePort = 67
      | where lower_image != "svchost.exe" AND lower_image != "system"
      | eval DetectionType = "DHCP_Port67_Binding"
      | eval RiskScore = 75
    } ;
    /* Branch 2: Known DHCP attack tools or interpreters with DHCP keywords */
    #event_simpleName = "ProcessRollup2" {
      | where
          match(lower_image, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)")
          OR match(lower_cmdline, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)")
          OR (
            match(lower_image, regex="(python|ruby|perl|bash|sh|pwsh|powershell)")
            AND match(lower_cmdline, regex="(dhcp|bootp|mitm6|dhcp6|rogue|dhcpstarv|dhcpig)")
          )
      | eval IsKnownTool = if(
          match(lower_image, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)"),
          "true", "false")
      | eval IsCmdLineMatch = if(
          not match(lower_image, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)")
          AND match(lower_cmdline, regex="(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)"),
          "true", "false")
      | eval DetectionType = case(
          IsKnownTool = "true", "Known_DHCP_Attack_Tool",
          IsCmdLineMatch = "true", "DHCP_Tool_In_CommandLine",
          "Interpreter_With_DHCP_Keywords")
      | eval RiskScore = case(
          DetectionType = "Known_DHCP_Attack_Tool", 100,
          DetectionType = "DHCP_Tool_In_CommandLine", 65,
          60)
    }
  }
| table([@timestamp, ComputerName, UserName, UserSid, FileName, CommandLine, LocalIP, RemoteIP, LocalPort, RemotePort, SHA256HashData, MD5HashData, DetectionType, RiskScore])
| sort(RiskScore, order=desc)
high severity medium confidence

CrowdStrike Falcon LogScale (CQL) detection for T1557.003 DHCP Spoofing across two sensor event types. NetworkConnectIP4/IP6 events flag unauthorized processes making connections to or from UDP port 67, excluding svchost.exe and System. ProcessRollup2 events match known DHCP attack tool names in the process image path, DHCP tool keywords in command lines, or script interpreters (Python, Perl, Ruby, Bash, PowerShell) with DHCP-related arguments. Note: Registry branch (DhcpNameServer changes) is not covered by these Falcon event types — complement with AsepValueUpdate or use Custom IOA rules targeting registry writes to Tcpip\Parameters\Interfaces.

Data Sources

CrowdStrike Falcon Endpoint Agent (ProcessRollup2)CrowdStrike Falcon Network Events (NetworkConnectIP4, NetworkConnectIP6)

Required Tables

ProcessRollup2NetworkConnectIP4NetworkConnectIP6

False Positives & Tuning

  • DHCP client renewal traffic and endpoint provisioning processes that are not svchost.exe — on Linux endpoints, dhclient or NetworkManager may legitimately use port 67 and should be baselined per environment
  • Authorized network assessment scripts using Scapy, Python's dhcppython library, or custom DHCP probing tools run by network engineers — identify authorized scanner hostnames and add ComputerName exclusions
  • Development and QA environments where engineers test DHCP protocol implementations using Python or Bash scripts that reference DHCP library imports or protocol keywords in their arguments
Download portable Sigma rule (.yml)

Other platforms for T1557.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rogue DHCPv4 Server via Python Scapy

    Expected signal: Sysmon EventCode=1: Process Create with Image=python3 and CommandLine containing 'scapy', 'BOOTP', 'DHCP', and 'sendp'. Sysmon EventCode=3: Network Connection from python3 to 255.255.255.255:68 on UDP port 67 (source). Linux auditd: SYSCALL records for socket() with AF_PACKET or AF_INET on port 67. Network: DHCP OFFER packet visible in packet capture with source IP not matching authorized DHCP server.

  2. Test 2mitm6 DHCPv6 Adversary-in-the-Middle Attack

    Expected signal: Sysmon EventCode=1: Process Create with Image containing 'mitm6' or python3 with 'mitm6' in CommandLine. Sysmon EventCode=3: Network connections on UDP port 547 (DHCPv6 server port) from the mitm6 process. Linux auditd: socket() syscalls creating raw IPv6 sockets. Network: DHCPv6 REPLY packets visible in PCAP containing malicious recursive DNS server (Option 23) pointing to attacker-controlled IPv6 address.

  3. Test 3DHCP Starvation Attack with DHCPig

    Expected signal: Sysmon EventCode=1: Process Create with python3 and DHCP/BOOTP keywords in CommandLine. Sysmon EventCode=3: High-volume UDP port 67 connections from python3 within a short time window. Linux auditd: Repeated socket() and sendto() syscalls at high frequency. Network: Burst of DHCP DISCOVER packets with varying source MACs visible in PCAP — this pattern is the signature of starvation attacks.

  4. Test 4Yersinia DHCP Attack Tool Execution

    Expected signal: Sysmon EventCode=1: Process Create with Image='yersinia' or full path to yersinia binary. CommandLine contains '--help' or 'dhcp'. Linux auditd: execve() syscall for yersinia. The binary name 'yersinia' in process creation events is the primary indicator — this is a known attack tool with no legitimate administrative use case.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1557.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1557.002ARP Cache PoisoningT1557.004Evil Twin

Related Techniques

T1557Adversary-in-the-MiddleT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1040Network SniffingT1565.002Transmitted Data ManipulationT1499.002Service Exhaustion FloodT1071.004DNST1090ProxyT1550.002Pass the HashT1187Forced Authentication

Same Tactic: Credential Access

Popular Detections