Detect DHCP Spoofing in Microsoft Sentinel
Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials sent over insecure, unencrypted protocols. Rogue DHCP servers can distribute malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks via INFORMATION-REQUEST responses. Adversaries may also abuse DHCP to perform starvation attacks by exhausting the DHCP allocation pool with spoofed DISCOVER messages.
MITRE ATT&CK
- Tactic
- Credential Access Collection
- Technique
- T1557 Adversary-in-the-Middle
- Sub-technique
- T1557.003 DHCP Spoofing
- Canonical reference
- https://attack.mitre.org/techniques/T1557/003/
KQL Detection Query
let RogueDHCPTools = dynamic(["yersinia", "dhcpig", "gobbler", "dhcpstarv", "ettercap", "bettercap", "mitm6", "dhcp6"]);
let ScriptInterpreters = dynamic(["python.exe", "python3", "python", "ruby", "perl", "bash", "sh", "pwsh.exe", "powershell.exe"]);
let DHCPKeywords = dynamic(["dhcp", "rogue", "responder", "bootp", "dhcpig", "dhcpstarv", "dhcp6", "mitm6"]);
// Branch 1: Unauthorized processes binding to UDP port 67 (DHCP server port)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where LocalPort == 67 or RemotePort == 67
| where Protocol == "Udp" or isnull(Protocol)
| where InitiatingProcessFileName !in~ ("svchost.exe", "System")
| extend IsKnownTool = InitiatingProcessFileName has_any (RogueDHCPTools)
| extend IsInterpreterWithDHCP = (InitiatingProcessFileName has_any (ScriptInterpreters)
and InitiatingProcessCommandLine has_any (DHCPKeywords))
| extend DetectionType = "DHCP_Port67_Binding"
| project Timestamp, DeviceName,
AccountName = InitiatingProcessAccountName,
ProcessName = InitiatingProcessFileName,
CommandLine = InitiatingProcessCommandLine,
LocalIP, RemoteIP, LocalPort, RemotePort,
IsKnownTool, IsInterpreterWithDHCP, DetectionType
| union (
// Branch 2: Known DHCP attack tool execution
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (RogueDHCPTools)
or (FileName has_any (ScriptInterpreters) and ProcessCommandLine has_any (DHCPKeywords))
or ProcessCommandLine has_any (RogueDHCPTools)
or (ProcessCommandLine has "mitm6" or ProcessCommandLine has "dhcp6")
| extend IsKnownTool = FileName has_any (RogueDHCPTools)
| extend IsInterpreterWithDHCP = FileName has_any (ScriptInterpreters)
| extend DetectionType = "DHCP_Tool_Execution"
| project Timestamp, DeviceName, AccountName,
ProcessName = FileName, CommandLine = ProcessCommandLine,
LocalIP = "", RemoteIP = "", LocalPort = int(null), RemotePort = int(null),
IsKnownTool, IsInterpreterWithDHCP, DetectionType
)
| union (
// Branch 3: DNS configuration registry changes (DHCP-pushed malicious DNS indicator)
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Tcpip\\Parameters\\Interfaces"
| where RegistryValueName in~ ("DhcpNameServer", "NameServer", "DhcpDefaultGateway", "DhcpSubnetMaskOpt")
| where InitiatingProcessFileName !in~ ("svchost.exe", "System", "lsass.exe")
| extend IsKnownTool = false
| extend IsInterpreterWithDHCP = false
| extend DetectionType = "DHCP_DNS_Config_Change"
| project Timestamp, DeviceName,
AccountName = InitiatingProcessAccountName,
ProcessName = InitiatingProcessFileName,
CommandLine = strcat("Registry: ", RegistryKey, " => ", RegistryValueName, "=", RegistryValueData),
LocalIP = "", RemoteIP = "", LocalPort = int(null), RemotePort = int(null),
IsKnownTool, IsInterpreterWithDHCP, DetectionType
)
| sort by Timestamp descDetects DHCP spoofing activity across three detection branches: (1) unauthorized processes binding to UDP port 67 (the DHCP server port) — any process other than svchost.exe or System listening on port 67 is suspicious on a non-DHCP-server host; (2) execution of known DHCP attack tools (yersinia, dhcpig, gobbler, bettercap, mitm6) or script interpreters invoked with DHCP-related keywords; (3) unexpected DNS or gateway registry key modifications under TCPIP interface parameters that may indicate DHCP-pushed configuration from a rogue server. Uses DeviceNetworkEvents, DeviceProcessEvents, and DeviceRegistryEvents tables from Microsoft Defender for Endpoint.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate DHCP servers (Windows Server DHCP role, ISC DHCP) running on authorized servers — svchost.exe hosts the Windows DHCP service but other dedicated DHCP daemons may appear as unexpected processes
- Network virtualization software (VMware Workstation, Hyper-V, VirtualBox) running internal DHCP services for virtual networks on developer or lab machines
- Docker Desktop or Podman Desktop on developer workstations running DHCP for container bridge networks
- Network testing tools used by administrators for DHCP scope capacity planning or network auditing (dhcpdump, dhcplease-watch)
- pfSense, OPNsense, or similar software router appliances if monitored as endpoints in the EDR environment
Other platforms for T1557.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Rogue DHCPv4 Server via Python Scapy
Expected signal: Sysmon EventCode=1: Process Create with Image=python3 and CommandLine containing 'scapy', 'BOOTP', 'DHCP', and 'sendp'. Sysmon EventCode=3: Network Connection from python3 to 255.255.255.255:68 on UDP port 67 (source). Linux auditd: SYSCALL records for socket() with AF_PACKET or AF_INET on port 67. Network: DHCP OFFER packet visible in packet capture with source IP not matching authorized DHCP server.
- Test 2mitm6 DHCPv6 Adversary-in-the-Middle Attack
Expected signal: Sysmon EventCode=1: Process Create with Image containing 'mitm6' or python3 with 'mitm6' in CommandLine. Sysmon EventCode=3: Network connections on UDP port 547 (DHCPv6 server port) from the mitm6 process. Linux auditd: socket() syscalls creating raw IPv6 sockets. Network: DHCPv6 REPLY packets visible in PCAP containing malicious recursive DNS server (Option 23) pointing to attacker-controlled IPv6 address.
- Test 3DHCP Starvation Attack with DHCPig
Expected signal: Sysmon EventCode=1: Process Create with python3 and DHCP/BOOTP keywords in CommandLine. Sysmon EventCode=3: High-volume UDP port 67 connections from python3 within a short time window. Linux auditd: Repeated socket() and sendto() syscalls at high frequency. Network: Burst of DHCP DISCOVER packets with varying source MACs visible in PCAP — this pattern is the signature of starvation attacks.
- Test 4Yersinia DHCP Attack Tool Execution
Expected signal: Sysmon EventCode=1: Process Create with Image='yersinia' or full path to yersinia binary. CommandLine contains '--help' or 'dhcp'. Linux auditd: execve() syscall for yersinia. The binary name 'yersinia' in process creation events is the primary indicator — this is a known attack tool with no legitimate administrative use case.
References (10)
- https://attack.mitre.org/techniques/T1557/003/
- https://datatracker.ietf.org/doc/html/rfc2131
- https://datatracker.ietf.org/doc/html/rfc3315
- https://isc.sans.edu/forums/diary/new+rogueDHCP+server+malware/6025/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800668(v=ws.11)
- https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- https://github.com/dirkjanm/mitm6
- https://github.com/nicowillis/DHCPig
- https://attack.mitre.org/techniques/T1499/002/
- https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
Unlock Pro Content
Get the full detection package for T1557.003 including response playbook, investigation guide, and atomic red team tests.