T1557.003 IBM QRadar · QRadar

Detect DHCP Spoofing in IBM QRadar

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a rogue DHCP server on the victim network. From the resulting adversary-in-the-middle (AiTM) position they can collect network communications, including credentials passed over insecure, unencrypted protocols. A rogue DHCP server can hand out malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks: a rogue DHCPv6 server that answers SOLICIT and INFORMATION-REQUEST messages can push an attacker-controlled recursive DNS server to dual-stack clients, which is the technique mitm6 implements. Adversaries may also abuse DHCP for starvation attacks, exhausting the legitimate server's allocation pool with spoofed DISCOVER messages so that the rogue server's offers are the only ones clients receive.

MITRE ATT&CK

Tactic
Credential Access, Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.003 DHCP Spoofing
Canonical reference
https://attack.mitre.org/techniques/T1557/003/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  destinationip,
  LONG(sourceport) AS source_port,
  LONG(destinationport) AS dest_port,
  QIDNAME(qid) AS event_name,
  "Process Image" AS process_image,
  "Command Line" AS command_line,
  "Target Object" AS registry_key,
  "Details" AS registry_value,
  CASE
    WHEN LOWER("Process Image") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*'
      THEN 'Known_DHCP_Attack_Tool'
    WHEN (LONG(destinationport) = 67 OR LONG(sourceport) = 67)
      AND LOWER("Process Image") NOT LIKE '%svchost.exe'
      AND LOWER("Process Image") != 'system'
      THEN 'DHCP_Port67_Binding'
    WHEN LOWER("Command Line") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*'
      THEN 'DHCP_Tool_In_CommandLine'
    WHEN LOWER("Target Object") MATCHES '.*tcpip.*parameters.*interfaces.*'
      THEN 'DHCP_DNS_Registry_Change'
    ELSE 'Interpreter_With_DHCP_Keywords'
  END AS detection_type,
  CASE
    WHEN LOWER("Process Image") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*' THEN 100
    WHEN (LONG(destinationport) = 67 OR LONG(sourceport) = 67) THEN 75
    WHEN LOWER("Command Line") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*' THEN 65
    WHEN LOWER("Command Line") MATCHES '.*(dhcp|bootp|mitm6|dhcp6|rogue).*' THEN 60
    ELSE 50
  END AS risk_score
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Sysmon', 'Microsoft Windows Security Event Log', 'Linux OS')
  AND (
    (
      (LONG(destinationport) = 67 OR LONG(sourceport) = 67)
      AND LOWER("Process Image") NOT LIKE '%svchost.exe'
      AND LOWER("Process Image") != 'system'
      AND NOT (LOWER("Process Image") MATCHES '.*(dhclient|dhcpcd|networkmanager|systemd-networkd)')
    )
    OR LOWER("Process Image") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*'
    OR LOWER("Command Line") MATCHES '.*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*'
    OR (
      LOWER("Process Image") MATCHES '.*(python[0-9.]*|ruby|perl|bash|dash|/sh|pwsh|powershell)(\.exe)?'
      AND LOWER("Command Line") MATCHES '.*(dhcp|bootp|rogue|mitm6|dhcp6|dhcpstarv|dhcpig).*'
    )
    OR (
      LOWER("Target Object") MATCHES '.*tcpip.*parameters.*interfaces.*'
      AND (
        LOWER("Target Object") MATCHES '.*(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt).*'
        OR LOWER("Details") MATCHES '.*(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt).*'
      )
      AND LOWER("Process Image") NOT LIKE '%svchost.exe'
      AND LOWER("Process Image") != 'system'
      AND LOWER("Process Image") NOT LIKE '%lsass.exe'
    )
  )
ORDER BY risk_score DESC, starttime DESC
LAST 24 HOURS

Severity: high · Confidence: high

QRadar AQL query detecting T1557.003 DHCP Spoofing from Sysmon, Microsoft Windows Security Event Log and Linux OS log sources. It covers four detection branches: processes other than the operating system's own DHCP client or service host sending or receiving on UDP port 67; execution of known DHCP attack tools (yersinia, dhcpig, gobbler, dhcpstarv, ettercap, bettercap, mitm6, dhcp6), matched on the image name or on the command line; script interpreters launched with DHCP attack keywords on the command line; and modification of DNS or gateway values under Tcpip\Parameters\Interfaces by a process other than svchost.exe, System or lsass.exe. In the port-67 branch, source port 67 (a process answering as a server) is the stronger signal; destination port 67 is what every DHCP client sends to on each lease renewal, so that half of the branch depends entirely on the process exclusions. The custom properties 'Process Image', 'Command Line', 'Target Object' and 'Details' must be mapped in QRadar from the Sysmon DSM fields Image, CommandLine, TargetObject and Details (and from the equivalent fields of the other DSMs where they exist); an event whose 'Process Image' is null cannot satisfy the NOT LIKE exclusions and is therefore dropped from the port-67 and registry branches rather than matched. Risk scored 50–100.
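To check the branch precedence, scoring and exclusions of the query offline, the following Python re-implements its CASE logic over a handful of constructed Sysmon-style events. This is an added example, not code from the original page or from IBM; the event dictionaries are fabricated and keyed by the same custom-property names the query uses, and the list of Linux DHCP client processes treated as legitimate on UDP port 67 is an assumption of this example.

```python
import re

# Patterns taken from the AQL above. AQL MATCHES is a full-string Java regex, so the
# leading '.*' is dropped here and re.search is used instead.
ATTACK_TOOLS = re.compile(r"(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6)")
INTERPRETERS = re.compile(r"(python[0-9.]*|ruby|perl|bash|dash|/sh|pwsh|powershell)(\.exe)?$")
DHCP_KEYWORDS = re.compile(r"(dhcp|bootp|rogue|mitm6|dhcp6|dhcpstarv|dhcpig)")
TCPIP_IFACES = re.compile(r"tcpip.*parameters.*interfaces")
DHCP_REG_NAMES = re.compile(r"(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt)")
# Processes allowed to talk on UDP/67. svchost.exe and System are the query's own
# exclusions; the Linux DHCP clients are an assumption for this example.
OS_DHCP_CLIENTS = re.compile(r"(svchost\.exe|^system|dhclient|dhcpcd|networkmanager|systemd-networkd)$")


def classify(ev):
    """Return (detection_type, risk_score) for a matching event, or None."""
    image = ev.get("Process Image", "").lower()
    cmd = ev.get("Command Line", "").lower()
    target = ev.get("Target Object", "").lower()
    details = ev.get("Details", "").lower()
    on_port_67 = 67 in (ev.get("sourceport"), ev.get("destinationport"))
    os_client = bool(OS_DHCP_CLIENTS.search(image))

    if ATTACK_TOOLS.search(image):                       # tool binary by name: highest confidence
        return "Known_DHCP_Attack_Tool", 100
    if on_port_67 and not os_client:                     # something other than the OS client on 67
        return "DHCP_Port67_Binding", 75
    if ATTACK_TOOLS.search(cmd):                         # e.g. python3 -m mitm6 ...
        return "DHCP_Tool_In_CommandLine", 65
    if INTERPRETERS.search(image) and DHCP_KEYWORDS.search(cmd):
        return "Interpreter_With_DHCP_Keywords", 60
    if (TCPIP_IFACES.search(target)
            and (DHCP_REG_NAMES.search(target) or DHCP_REG_NAMES.search(details))
            and not os_client and not image.endswith("lsass.exe")):
        return "DHCP_DNS_Registry_Change", 50
    return None


def scan(events):
    """Return [(event id, detection_type, risk_score)] for matching events, highest risk first."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result:
            hits.append((ev["id"], *result))
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample events (not real telemetry); 'id' is only a label for the output.
SAMPLE_EVENTS = [
    {"id": "yersinia", "Process Image": "/usr/bin/yersinia", "Command Line": "yersinia -I",
     "sourceport": 67, "destinationport": 68},
    {"id": "scapy-offer", "Process Image": "/usr/bin/python3", "Command Line": "python3 offer.py eth0",
     "sourceport": 67, "destinationport": 68},
    {"id": "dhclient", "Process Image": "/sbin/dhclient", "Command Line": "dhclient -4 eth0",
     "sourceport": 68, "destinationport": 67},
    {"id": "svchost", "Process Image": "C:\\Windows\\System32\\svchost.exe",
     "Command Line": "svchost.exe -k LocalServiceNetworkRestricted", "sourceport": 68, "destinationport": 67},
    {"id": "pip-mitm6", "Process Image": "/usr/bin/python3", "Command Line": "python3 -m pip install mitm6"},
    {"id": "ps-rogue", "Process Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Command Line": "powershell.exe -ep bypass -File rogue-dhcp.ps1"},
    {"id": "reg-nameserver", "Process Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe",
     "Target Object": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{guid}\\NameServer",
     "Details": "10.0.0.66"},
    {"id": "reg-by-svchost", "Process Image": "C:\\Windows\\System32\\svchost.exe",
     "Target Object": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{guid}\\DhcpNameServer",
     "Details": "10.0.0.1"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```

The dhclient and svchost events show why the port-67 branch needs its exclusions: both send to destination port 67 on every lease renewal. The pip-mitm6 event shows the converse problem, a harmless package install that the command-line branch scores at 65.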

Data Sources

  • Sysmon DSM (Windows)
  • Microsoft Windows Security Event Log DSM
  • Linux OS DSM

Required Tables

events

False Positives & Tuning

  • Authorized DHCP servers or relays whose service process is not svchost.exe (ISC dhcpd, dnsmasq, Kea, relay agents): keep their addresses in a QRadar reference set and exclude them with REFERENCESETCONTAINS('authorized_dhcp_servers', sourceip), or with INCIDR() where the servers live in a dedicated management range
  • The operating system's own DHCP clients on Linux endpoints (dhclient, dhcpcd, NetworkManager, systemd-networkd) send to UDP port 67 on every lease renewal and must be excluded from the port-67 branch in the same way as svchost.exe on Windows
  • Network engineering teams running port 67 probes with Scapy, nmap, or custom Python scripts during authorized network audits: correlate against change management records and authorized scanner asset groups
  • IT automation platforms (Ansible Tower, SCCM, Intune) using PowerShell or Python agents that reference DHCP library names during endpoint provisioning or DNS configuration management tasks; the command-line branch also fires on package installs such as 'pip install mitm6' on security team workstations

Testing Methodology

Validate this detection against the 4 adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Rogue DHCPv4 Server via Python Scapy

    Expected signal: Sysmon EventCode=1: Process Create with Image=python3 and CommandLine containing 'scapy', 'BOOTP', 'DHCP' and 'sendp'. Sysmon EventCode=3 (Sysmon for Linux): Network Connection from python3 with source port 67/UDP to 255.255.255.255:68. Linux auditd: SYSCALL records for socket() with AF_PACKET (Scapy's sendp() writes raw layer-2 frames, so no bind() to port 67 occurs; a UDP-socket implementation would instead show bind() on port 67). Network: a DHCP OFFER visible in packet capture whose source IP and Server Identifier (option 54) do not match the authorized DHCP server.

  2. Test 2: mitm6 DHCPv6 Adversary-in-the-Middle Attack

    Expected signal: Sysmon EventCode=1: Process Create with Image containing 'mitm6', or python3 with 'mitm6' in CommandLine (mitm6 is a Python package, so the image is usually the interpreter). Sysmon EventCode=3: network connections from the mitm6 process on UDP port 547 (the DHCPv6 server port) towards client port 546. Linux auditd: socket() syscalls creating raw IPv6 sockets. Network: DHCPv6 ADVERTISE and REPLY packets visible in PCAP carrying a Recursive DNS Server option (option 23) that points to an attacker-controlled IPv6 address. The query above keys on UDP port 67 and on the tool name, not on port 547, so this test exercises the image-name and command-line branches only.

  3. Test 3: DHCP Starvation Attack with DHCPig

    Expected signal: Sysmon EventCode=1: Process Create with python3 and DHCP/BOOTP keywords in CommandLine. Sysmon EventCode=3: high-volume UDP port 67 connections from python3 within a short time window. Linux auditd: repeated socket() and sendto() syscalls at high frequency. Network: a burst of DHCP DISCOVER packets with varying source MACs visible in PCAP; this pattern is the signature of a starvation attack, and the legitimate server ceasing to answer with OFFERs once its pool is exhausted confirms it.

  4. Test 4: Yersinia DHCP Attack Tool Execution

    Expected signal: Sysmon EventCode=1: Process Create with Image='yersinia' or the full path to the yersinia binary, with CommandLine containing 'dhcp' (the protocol module) or, for a bare invocation, '--help'. Linux auditd: execve() syscall for yersinia. The binary name 'yersinia' in process creation events is the primary indicator: it is a known attack tool with no legitimate use outside authorized network testing.
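Two of the network-level signals listed above can be checked directly against a capture: the OFFER from a server other than the authorized one in Test 1, and the burst of DISCOVERs from many different client MACs in Test 3. The following Python, an added example rather than code from the original page or from any of the tools named, parses DHCPv4 UDP payloads, flags OFFER/ACK messages whose sender address or Server Identifier (option 54) is not an authorized server, and finds a sliding window in which DISCOVERs arrive from at least a threshold number of distinct MACs. The packets are fabricated inline with the build_dhcp() helper, and the authorized server address 10.0.0.1 is an assumption.

```python
import socket
import struct
from collections import deque

MAGIC = b"\x63\x82\x53\x63"      # RFC 2131 magic cookie; the option area follows it
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54


def _ips(raw):
    """Decode one or more 4-byte addresses (options 3, 6 and 54 carry these)."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]


def parse_dhcp(payload):
    """Decode the fixed BOOTP header and the TLV option area of a DHCPv4 message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCPv4 message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {"op": op, "xid": xid, "yiaddr": socket.inet_ntoa(payload[16:20]),
           "chaddr": payload[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:     # 255 = End option
        if payload[i] == 0:                           # 0 = Pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"].get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    return msg


def rogue_server_findings(packets, authorized):
    """Test 1 check: OFFER/ACK whose sender or Server Identifier is not an authorized server.
    packets: iterable of (timestamp, src_ip, udp_payload)."""
    findings = []
    for ts, src_ip, payload in packets:
        msg = parse_dhcp(payload)
        if msg["type"] not in ("OFFER", "ACK"):
            continue
        sid = _ips(msg["options"].get(OPT_SERVER_ID, b""))
        server_id = sid[0] if sid else None
        if src_ip in authorized and server_id in authorized:
            continue                                  # both the sender and its claim check out
        findings.append({"ts": ts, "type": msg["type"], "src_ip": src_ip,
                         "server_id": server_id, "offered_ip": msg["yiaddr"],
                         "router": _ips(msg["options"].get(OPT_ROUTER, b"")),
                         "dns": _ips(msg["options"].get(OPT_DNS, b""))})
    return findings


def starvation_window(packets, window_s=5.0, threshold=20):
    """Test 3 check: first window_s-second span holding DISCOVERs from >= threshold distinct
    client MACs. Returns (start_ts, end_ts, distinct_macs) or None."""
    recent = deque()                                  # (ts, chaddr) inside the sliding window
    for ts, _src, payload in sorted(packets, key=lambda p: p[0]):
        msg = parse_dhcp(payload)
        if msg["type"] != "DISCOVER":
            continue
        recent.append((ts, msg["chaddr"]))
        while ts - recent[0][0] > window_s:
            recent.popleft()
        macs = {mac for _, mac in recent}
        if len(macs) >= threshold:
            return recent[0][0], ts, len(macs)
    return None


# --- constructed sample traffic (fabricated for this example, not captured) ---
def build_dhcp(op, msg_type, mac, xid, yiaddr="0.0.0.0", options=()):
    """Assemble a minimal DHCPv4 message; used only to fabricate the samples below."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)          # 12 bytes, broadcast flag set
    hdr += b"\0" * 4 + socket.inet_aton(yiaddr) + b"\0" * 8             # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\0" * 10 + b"\0" * 192 + MAGIC                       # chaddr(16), sname+file(192)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + body + b"\xff"


A = socket.inet_aton
AUTHORIZED = {"10.0.0.1"}                             # assumed legitimate DHCP server
CLIENT = bytes.fromhex("aabbccddeeff")
SAMPLE = [
    (0.00, "0.0.0.0", build_dhcp(1, 1, CLIENT, 0x1234)),
    (0.05, "10.0.0.66", build_dhcp(2, 2, CLIENT, 0x1234, "10.0.0.200",   # rogue: answers first, names itself gw/DNS
                                   [(OPT_SERVER_ID, A("10.0.0.66")), (OPT_ROUTER, A("10.0.0.66")), (OPT_DNS, A("10.0.0.66"))])),
    (0.10, "10.0.0.1", build_dhcp(2, 2, CLIENT, 0x1234, "10.0.0.50",
                                  [(OPT_SERVER_ID, A("10.0.0.1")), (OPT_ROUTER, A("10.0.0.1")), (OPT_DNS, A("10.0.0.1"))])),
] + [   # starvation burst: 25 DISCOVERs from 25 distinct MACs inside two seconds
    (10.0 + i * 0.08, "0.0.0.0", build_dhcp(1, 1, b"\x02\x00\x00\x00\x00" + bytes([i]), 0x5000 + i))
    for i in range(25)
]

if __name__ == "__main__":
    for finding in rogue_server_findings(SAMPLE, AUTHORIZED):
        print("rogue DHCP server:", finding)
    print("starvation window:", starvation_window(SAMPLE))
```

To run this over real traffic, replace SAMPLE with (timestamp, source IP, UDP payload) tuples taken from a pcap reader for destination ports 68 (OFFER/ACK) and 67 (DISCOVER). A rogue server that copies the legitimate Server Identifier into option 54 is still reported, because the sender address is checked independently of what the option claims.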
