Detect DHCP Spoofing in Sumo Logic CSE
Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials sent over insecure, unencrypted protocols. Rogue DHCP servers can distribute malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks via INFORMATION-REQUEST responses. Adversaries may also abuse DHCP to perform starvation attacks by exhausting the DHCP allocation pool with spoofed DISCOVER messages.
MITRE ATT&CK
- Tactic
- Credential Access Collection
- Technique
- T1557 Adversary-in-the-Middle
- Sub-technique
- T1557.003 DHCP Spoofing
- Canonical reference
- https://attack.mitre.org/techniques/T1557/003/
Sumo Detection Query
(_sourceCategory="os/windows/sysmon" OR _sourceCategory="windows/sysmon/operational" OR _sourceCategory="endpoint/windows/sysmon")
| parse regex "<EventID>(?P<event_id>\d+)</EventID>" nodrop
| parse regex "<Data Name='Image'>(?P<process_image>[^<]+)</Data>" nodrop
| parse regex "<Data Name='CommandLine'>(?P<command_line>[^<]+)</Data>" nodrop
| parse regex "<Data Name='DestinationPort'>(?P<dest_port>\d+)</Data>" nodrop
| parse regex "<Data Name='SourcePort'>(?P<source_port>\d+)</Data>" nodrop
| parse regex "<Data Name='TargetObject'>(?P<registry_key>[^<]+)</Data>" nodrop
| parse regex "<Data Name='Details'>(?P<registry_value>[^<]+)</Data>" nodrop
| parse regex "<Data Name='User'>(?P<username>[^<]+)</Data>" nodrop
| parse regex "<Data Name='Computer'>(?P<hostname>[^<]+)</Data>" nodrop
| where event_id in ("1","3","13")
| toLowerCase(process_image) as lower_image
| toLowerCase(command_line) as lower_cmdline
| toLowerCase(registry_key) as lower_regkey
| where (
(
event_id = "3"
AND (dest_port = "67" OR source_port = "67")
AND !(matches(lower_image, ".*svchost\.exe") OR lower_image = "system")
)
OR (
event_id = "1"
AND (
matches(lower_image, ".*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*")
OR matches(lower_cmdline, ".*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*")
OR (
matches(lower_image, ".*(python|ruby|perl|bash|sh|pwsh|powershell).*")
AND matches(lower_cmdline, ".*(dhcp|bootp|mitm6|dhcp6|rogue|dhcpstarv|dhcpig).*")
)
)
)
OR (
event_id = "13"
AND matches(lower_regkey, ".*tcpip.*parameters.*interfaces.*")
AND (
matches(lower_regkey, ".*(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt).*")
OR matches(registry_value, ".*(dhcpnameserver|nameserver|dhcpdefaultgateway|dhcpsubnetmaskopt).*")
)
AND !(
matches(lower_image, ".*svchost\.exe")
OR lower_image = "system"
OR matches(lower_image, ".*lsass\.exe")
)
)
)
| if (event_id = "3" AND (dest_port = "67" OR source_port = "67"), "DHCP_Port67_Binding",
if (matches(lower_image, ".*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*"), "Known_DHCP_Attack_Tool",
if (event_id = "13", "DHCP_DNS_Registry_Change",
if (matches(lower_cmdline, ".*(yersinia|dhcpig|gobbler|dhcpstarv|ettercap|bettercap|mitm6|dhcp6).*"), "DHCP_Tool_In_CommandLine",
"Interpreter_With_DHCP_Keywords")))) as detection_type
| if (detection_type = "Known_DHCP_Attack_Tool", 100,
if (detection_type = "DHCP_Port67_Binding", 75,
if (detection_type = "DHCP_Tool_In_CommandLine", 65,
if (detection_type = "Interpreter_With_DHCP_Keywords", 60, 50)))) as risk_score
| fields _messageTime, hostname, username, process_image, command_line, dest_port, source_port, registry_key, registry_value, detection_type, risk_score
| sort by risk_score desc, _messageTime descSumo Logic detection for T1557.003 DHCP Spoofing using regex parsing of raw Sysmon XML events. Covers Sysmon EventIDs 1 (process creation), 3 (network connection), and 13 (registry value set). Detects unauthorized port 67 binding by non-system processes, known DHCP attack tool execution, script interpreters with DHCP keyword arguments, and DNS/gateway registry poisoning via rogue DHCP server. Outputs risk score from 50 (registry change) to 100 (known tool match).
Data Sources
Required Tables
False Positives & Tuning
- Authorized network device management processes on DHCP infrastructure servers that are not svchost.exe — create allowlist lookup tables by hostname and process name to suppress these sources
- Security operations tooling (Tenable, Qualys, or custom Scapy-based network discovery scripts) run against the network for asset discovery that probe DHCP behavior on port 67
- MDM or endpoint management platforms (Microsoft Intune, Jamf) that deploy PowerShell or Python scripts modifying DNS registry settings during device enrollment or policy enforcement
Other platforms for T1557.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Rogue DHCPv4 Server via Python Scapy
Expected signal: Sysmon EventCode=1: Process Create with Image=python3 and CommandLine containing 'scapy', 'BOOTP', 'DHCP', and 'sendp'. Sysmon EventCode=3: Network Connection from python3 to 255.255.255.255:68 on UDP port 67 (source). Linux auditd: SYSCALL records for socket() with AF_PACKET or AF_INET on port 67. Network: DHCP OFFER packet visible in packet capture with source IP not matching authorized DHCP server.
- Test 2mitm6 DHCPv6 Adversary-in-the-Middle Attack
Expected signal: Sysmon EventCode=1: Process Create with Image containing 'mitm6' or python3 with 'mitm6' in CommandLine. Sysmon EventCode=3: Network connections on UDP port 547 (DHCPv6 server port) from the mitm6 process. Linux auditd: socket() syscalls creating raw IPv6 sockets. Network: DHCPv6 REPLY packets visible in PCAP containing malicious recursive DNS server (Option 23) pointing to attacker-controlled IPv6 address.
- Test 3DHCP Starvation Attack with DHCPig
Expected signal: Sysmon EventCode=1: Process Create with python3 and DHCP/BOOTP keywords in CommandLine. Sysmon EventCode=3: High-volume UDP port 67 connections from python3 within a short time window. Linux auditd: Repeated socket() and sendto() syscalls at high frequency. Network: Burst of DHCP DISCOVER packets with varying source MACs visible in PCAP — this pattern is the signature of starvation attacks.
- Test 4Yersinia DHCP Attack Tool Execution
Expected signal: Sysmon EventCode=1: Process Create with Image='yersinia' or full path to yersinia binary. CommandLine contains '--help' or 'dhcp'. Linux auditd: execve() syscall for yersinia. The binary name 'yersinia' in process creation events is the primary indicator — this is a known attack tool with no legitimate administrative use case.
References (10)
- https://attack.mitre.org/techniques/T1557/003/
- https://datatracker.ietf.org/doc/html/rfc2131
- https://datatracker.ietf.org/doc/html/rfc3315
- https://isc.sans.edu/forums/diary/new+rogueDHCP+server+malware/6025/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800668(v=ws.11)
- https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- https://github.com/dirkjanm/mitm6
- https://github.com/nicowillis/DHCPig
- https://attack.mitre.org/techniques/T1499/002/
- https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
Unlock Pro Content
Get the full detection package for T1557.003 including response playbook, investigation guide, and atomic red team tests.