title: DHCP Spoofing (T1557.003)
id: df00tech-t1557-003
status: experimental
description: "Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials sent over insecure, unencrypted protocols. Rogue DHCP servers can distribute malicious DNS server addresses, default gateway settings, or WPAD proxy configuration that silently routes victim traffic through attacker-controlled infrastructure. DHCPv6 spoofing extends this to IPv6 networks via INFORMATION-REQUEST responses. Adversaries may also abuse DHCP to perform starvation attacks by exhausting the DHCP allocation pool with spoofed DISCOVER messages."
references:
  - https://attack.mitre.org/techniques/T1557/003/
  - https://df00tech.com/detections/T1557.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1557.003
# NOTE: logsource is auto-derived (process_creation on Windows); a rogue DHCP server is a network-layer event, so adjust the logsource to match the telemetry actually available in your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches every event in the logsource and must be replaced before use.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate DHCP servers (Windows Server DHCP role, ISC DHCP) running on authorized servers; svchost.exe hosts the Windows DHCP service, but other dedicated DHCP daemons may appear as unexpected processes"
  - "Network virtualization software (VMware Workstation, Hyper-V, VirtualBox) running internal DHCP services for virtual networks on developer or lab machines"
  - "Docker Desktop or Podman Desktop on developer workstations running DHCP for container bridge networks"
  - "Network testing tools used by administrators for DHCP scope capacity planning or network auditing (dhcpdump, dhcplease-watch)"
  - "pfSense, OPNsense, or similar software router appliances if monitored as endpoints in the EDR environment"
level: high
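Added worked example, not part of this rule or of df00tech's code: the indicators named in the description (a DHCP server other than the authorized one, malicious DNS or gateway addresses, a pushed WPAD option 252) checked at the wire level from the option field of a DHCPv4 OFFER/ACK. The allowlist, addresses and packets are constructed assumptions for illustration.

```python
# Parser plus policy checks for DHCPv4 OFFER/ACK option fields (the bytes after the 236-byte BOOTP header); all data below is constructed.
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"
ROUTER, DNS, MSG_TYPE, SERVER_ID, WPAD = 3, 6, 53, 54, 252

def parse_options(field: bytes) -> dict:
    """Return {option_code: value_bytes}; handles PAD (0) and END (255)."""
    if field[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field) and field[i] != 255:
        if field[i] == 0:
            i += 1
            continue
        code, length = field[i], field[i + 1]
        opts[code] = field[i + 2:i + 2 + length]
        i += 2 + length
    return opts
def ips(raw: bytes) -> list:
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]
def assess(field: bytes, servers: set, dns: set, router: str) -> list:
    """Findings for one OFFER/ACK against an allowlist; [] means nothing odd."""
    o = parse_options(field)
    if o.get(MSG_TYPE, b"")[:1] not in (b"\x02", b"\x05"):  # OFFER / ACK only
        return []
    found = []
    sid = ips(o.get(SERVER_ID, b""))
    if not sid or sid[0] not in servers:
        found.append(f"unauthorized server identifier {sid}")
    if set(ips(o.get(DNS, b""))) - dns:
        found.append(f"unexpected DNS servers {sorted(set(ips(o[DNS])) - dns)}")
    gw = ips(o.get(ROUTER, b""))
    if gw and gw[0] != router:
        found.append(f"unexpected default gateway {gw[0]}")
    if WPAD in o:  # option 252 hands clients a proxy auto-config URL
        found.append(f"WPAD option present: {o[WPAD].decode(errors='replace')}")
    return found
def encode(options: dict) -> bytes:
    """Build an options field (only used to construct the samples below)."""
    return MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options.items()) + b"\xff"
def packed(*addrs: str) -> bytes:
    return b"".join(IPv4Address(a).packed for a in addrs)
# Constructed policy and sample offers: one from the authorized server, one rogue.
POLICY = dict(servers={"10.0.0.2"}, dns={"10.0.0.2", "10.0.0.3"}, router="10.0.0.1")
LEGIT_OFFER = encode({MSG_TYPE: b"\x02", SERVER_ID: packed("10.0.0.2"),
                      ROUTER: packed("10.0.0.1"), DNS: packed("10.0.0.2", "10.0.0.3")})
ROGUE_OFFER = encode({MSG_TYPE: b"\x02", SERVER_ID: packed("10.0.0.77"),
                      ROUTER: packed("10.0.0.77"), DNS: packed("10.0.0.77"),
                      WPAD: b"http://10.0.0.77/wpad.dat"})
```

Feeding captured DHCP option fields through assess() with the site's real allowlist turns the description's indicators into concrete alerts; a DISCOVER flood (starvation) needs rate counting per source MAC, which this check does not cover.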
