T1557.003 Splunk · SPL

Detect DHCP Spoofing in Splunk

Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials sent over insecure, unencrypted protocols. Rogue DHCP servers can distribute malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks via INFORMATION-REQUEST responses. Adversaries may also abuse DHCP to perform starvation attacks by exhausting the DHCP allocation pool with spoofed DISCOVER messages.

MITRE ATT&CK

Tactic
Credential Access Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.003 DHCP Spoofing
Canonical reference
https://attack.mitre.org/techniques/T1557/003/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")
  (EventCode=1 OR EventCode=3 OR EventCode=13)
| eval lower_image=lower(Image)
| eval lower_cmdline=lower(CommandLine)
| eval lower_destip=coalesce(DestinationIp, "")
| eval lower_regval=lower(coalesce(Details, ""))
| eval lower_regkey=lower(coalesce(TargetObject, ""))
(
  (
    EventCode=3
    AND (DestinationPort=67 OR SourcePort=67)
    AND NOT (lower_image LIKE "%\\svchost.exe" OR lower_image="system")
  )
  OR
  (
    EventCode=1
    AND (
      match(lower_image, "(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6)")
      OR match(lower_cmdline, "(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6)")
      OR (match(lower_image, "(python|ruby|perl|bash|pwsh|powershell)") AND match(lower_cmdline, "(dhcp|bootp|rogue.*dhcp|dhcp.*spoof|mitm6|dhcp6)"))
    )
  )
  OR
  (
    EventCode=13
    AND match(lower_regkey, "tcpip\\\\parameters\\\\interfaces")
    AND match(lower_regkey, "(dhcpnameserver|nameserver|dhcpdefaultgateway)")
    AND NOT (lower_image LIKE "%\\svchost.exe" OR lower_image="system" OR lower_image LIKE "%\\lsass.exe")
  )
)
| eval DetectionType=case(
    EventCode=3 AND (DestinationPort=67 OR SourcePort=67), "DHCP_Port67_Binding",
    EventCode=1 AND match(lower_image, "(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6)"), "Known_DHCP_Attack_Tool",
    EventCode=1, "Interpreter_With_DHCP_Keywords",
    EventCode=13, "DHCP_DNS_Registry_Change",
    true(), "Unknown")
| eval RiskScore=case(
    DetectionType="Known_DHCP_Attack_Tool", 100,
    DetectionType="DHCP_Port67_Binding", 75,
    DetectionType="Interpreter_With_DHCP_Keywords", 60,
    DetectionType="DHCP_DNS_Registry_Change", 50,
    true(), 10)
| table _time, host, User, Image, CommandLine, DestinationIp, DestinationPort, SourcePort, TargetObject, Details, DetectionType, RiskScore
| sort - RiskScore, - _time
high severity medium confidence

Detects DHCP spoofing across three event types using Sysmon logs: EventCode=3 (Network Connection) for processes binding to UDP port 67 other than svchost.exe or System; EventCode=1 (Process Create) for known DHCP attack tools (yersinia, dhcpig, bettercap, mitm6) or interpreters invoked with DHCP-related keywords; EventCode=13 (Registry Value Set) for unexpected modifications to TCPIP interface DNS or gateway registry keys that may reflect DHCP-pushed malicious configuration. Assigns risk scores to prioritize analyst review: known tools score 100, port 67 binding scores 75, interpreter patterns score 60, registry changes score 50.

Data Sources

Network Traffic: Network Traffic FlowProcess: Process CreationWindows Registry: Windows Registry Key ModificationSysmon Event IDs 1, 3, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate DHCP servers running authorized DHCP services — add known DHCP server hostnames to an allowlist using NOT host IN (allowlist)
  • VMware, VirtualBox, or Hyper-V virtual network adapters running DHCP for guest VMs on developer workstations
  • Docker or Podman container bridge network DHCP services on developer or CI/CD build machines
  • Network administrators using packet crafting tools (Scapy, dhcpdump) for authorized network diagnostics
  • DHCP relay agents or helper-address configurations on routers that legitimately forward DHCP on port 67
Download portable Sigma rule (.yml)

Other platforms for T1557.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Rogue DHCPv4 Server via Python Scapy

    Expected signal: Sysmon EventCode=1: Process Create with Image=python3 and CommandLine containing 'scapy', 'BOOTP', 'DHCP', and 'sendp'. Sysmon EventCode=3: Network Connection from python3 to 255.255.255.255:68 on UDP port 67 (source). Linux auditd: SYSCALL records for socket() with AF_PACKET or AF_INET on port 67. Network: DHCP OFFER packet visible in packet capture with source IP not matching authorized DHCP server.

  2. Test 2mitm6 DHCPv6 Adversary-in-the-Middle Attack

    Expected signal: Sysmon EventCode=1: Process Create with Image containing 'mitm6' or python3 with 'mitm6' in CommandLine. Sysmon EventCode=3: Network connections on UDP port 547 (DHCPv6 server port) from the mitm6 process. Linux auditd: socket() syscalls creating raw IPv6 sockets. Network: DHCPv6 REPLY packets visible in PCAP containing malicious recursive DNS server (Option 23) pointing to attacker-controlled IPv6 address.

  3. Test 3DHCP Starvation Attack with DHCPig

    Expected signal: Sysmon EventCode=1: Process Create with python3 and DHCP/BOOTP keywords in CommandLine. Sysmon EventCode=3: High-volume UDP port 67 connections from python3 within a short time window. Linux auditd: Repeated socket() and sendto() syscalls at high frequency. Network: Burst of DHCP DISCOVER packets with varying source MACs visible in PCAP — this pattern is the signature of starvation attacks.

  4. Test 4Yersinia DHCP Attack Tool Execution

    Expected signal: Sysmon EventCode=1: Process Create with Image='yersinia' or full path to yersinia binary. CommandLine contains '--help' or 'dhcp'. Linux auditd: execve() syscall for yersinia. The binary name 'yersinia' in process creation events is the primary indicator — this is a known attack tool with no legitimate administrative use case.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1557.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1557.002ARP Cache PoisoningT1557.004Evil Twin

Related Techniques

T1557Adversary-in-the-MiddleT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1040Network SniffingT1565.002Transmitted Data ManipulationT1499.002Service Exhaustion FloodT1071.004DNST1090ProxyT1550.002Pass the HashT1187Forced Authentication

Same Tactic: Credential Access

Popular Detections