DET0468 Detect DHCP Spoofing Across Linux, Windows, and macOS
| Item | Value |
| --- | --- |
| ID | DET0468 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1557.003 (DHCP Spoofing)
Analytics
Windows
AN1290
Detects rogue DHCP server activity and anomalous DHCP OFFER/ACK messages assigning unexpected DNS or gateway values. Detection correlates DHCP server role changes, DHCP exhaustion warnings, and sudden network configuration changes across endpoints.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| AuthorizedDHCPServers | List of known DHCP servers; responses from any other source are suspicious. |
| TimeWindow | Interval within which DHCP OFFER/ACK anomalies are correlated with subsequent endpoint misconfigurations. |
Linux
AN1291
Detects rogue DHCP activity by monitoring syslog for dhclient messages assigning unauthorized DNS/gateway values. Packet capture or IDS can detect multiple competing DHCP OFFERs from non-authorized servers.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| AllowedDHCPMACs | Expected MAC addresses of the DHCP servers on the subnet. |
| DHCPLeaseChangeThreshold | Number of suspicious DHCP leases observed before an alert is raised. |
macOS
AN1292
Detects DHCP spoofing by monitoring unified logs for unexpected DHCP ACK/OFFER parameters and correlating with packet captures for multiple DHCP servers. Behavioral emphasis is on inconsistent DNS and gateway assignments that redirect traffic.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| BaselineDNS | Expected DNS server list; deviations may indicate spoofing. |
| AlertSensitivity | Number of anomalous DHCP responses required before alerting. |
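The three analytics above (AN1290, AN1291, AN1292) share one correlation idea: compare each DHCP OFFER/ACK against a baseline of authorized servers, server MACs, DNS and gateway values, flag transactions answered by more than one server, and alert only when a client accumulates enough anomalous responses inside a time window. The following Python is an added example of that logic, not code from DET0468 or from the ATT&CK project. The `DhcpEvent` shape, the `CONFIG` values, the extra `BaselineGateway` key (the page mentions gateway deviations but lists no such element) and the sample events are all constructed for illustration; a real deployment would populate events from packet capture, an IDS, syslog or the macOS unified log.

```python
"""Added example: correlation logic for DHCP spoofing detection (DET0468).
Not part of the ATT&CK page; event shape, config values and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DhcpEvent:
    """One DHCP server response, normalized from pcap/IDS/syslog (constructed shape)."""
    ts: datetime
    msg_type: str         # "OFFER" or "ACK"
    xid: str              # transaction id shared by DISCOVER/OFFER/REQUEST/ACK
    server_ip: str        # server identifier (option 54) / source of the response
    server_mac: str       # layer-2 source of the response
    client_mac: str       # chaddr of the client being configured
    router: str           # option 3 (default gateway)
    dns: Tuple[str, ...]  # option 6 (DNS servers)


# Mutable elements named on the page, with constructed values.
# BaselineGateway is an assumed extra key: the analytics mention gateway deviations
# but the page lists no element for it.
CONFIG = {
    "AuthorizedDHCPServers": {"10.0.0.1"},
    "AllowedDHCPMACs": {"00:11:22:33:44:55"},
    "BaselineDNS": {"10.0.0.53", "10.0.0.54"},
    "BaselineGateway": {"10.0.0.1"},        # assumed, not on the page
    "DHCPLeaseChangeThreshold": 2,          # anomalous responses per client before alerting
    "TimeWindow": timedelta(minutes=5),     # correlation window per client
}


def check_event(ev: DhcpEvent, cfg: dict) -> List[str]:
    """Return the reasons one OFFER/ACK deviates from the baseline (empty list if clean)."""
    reasons = []
    if ev.server_ip not in cfg["AuthorizedDHCPServers"]:
        reasons.append(f"response from unauthorized DHCP server {ev.server_ip}")
    if ev.server_mac not in cfg["AllowedDHCPMACs"]:
        reasons.append(f"response from unexpected server MAC {ev.server_mac}")
    if ev.router not in cfg["BaselineGateway"]:
        reasons.append(f"gateway {ev.router} not in baseline")
    unexpected_dns = set(ev.dns) - cfg["BaselineDNS"]
    if unexpected_dns:
        reasons.append(f"DNS servers not in baseline: {sorted(unexpected_dns)}")
    return reasons


def competing_offers(events: List[DhcpEvent]) -> Dict[str, Set[str]]:
    """Transactions answered by more than one distinct server (AN1291's competing OFFERs)."""
    servers_by_xid: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.msg_type == "OFFER":
            servers_by_xid[ev.xid].add(ev.server_ip)
    return {xid: s for xid, s in servers_by_xid.items() if len(s) > 1}


def detect(events: List[DhcpEvent], cfg: dict) -> List[dict]:
    """Alert when a client's anomalous responses inside TimeWindow reach the threshold."""
    recent: Dict[str, List[Tuple[datetime, List[str]]]] = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = check_event(ev, cfg)
        if not reasons:
            continue
        cutoff = ev.ts - cfg["TimeWindow"]
        # Keep only anomalies still inside the sliding window, then add this one.
        window = [a for a in recent[ev.client_mac] if a[0] >= cutoff] + [(ev.ts, reasons)]
        recent[ev.client_mac] = window
        if len(window) == cfg["DHCPLeaseChangeThreshold"]:  # fire when the count reaches the threshold
            alerts.append({
                "client_mac": ev.client_mac,
                "first_seen": window[0][0],
                "last_seen": ev.ts,
                "reasons": sorted({r for _, rs in window for r in rs}),
            })
    return alerts


# Constructed sample: 10.0.0.1 is the real server; 10.0.0.99 answers the same
# transaction as client ...01 and hands out itself as gateway and DNS. Client ...02
# only sees the real server. Client ...03 sees two rogue responses, but ten minutes
# apart, so they never share a window.
T0 = datetime(2025, 10, 21, 9, 0, 0)
GOOD = ("10.0.0.1", "00:11:22:33:44:55", "10.0.0.1", ("10.0.0.53", "10.0.0.54"))
ROGUE = ("10.0.0.99", "de:ad:be:ef:00:01", "10.0.0.99", ("10.0.0.99",))
SAMPLE_EVENTS = [
    DhcpEvent(T0, "OFFER", "0x1a2b", *GOOD[:2], "aa:bb:cc:00:00:01", *GOOD[2:]),
    DhcpEvent(T0 + timedelta(seconds=1), "OFFER", "0x1a2b", *ROGUE[:2], "aa:bb:cc:00:00:01", *ROGUE[2:]),
    DhcpEvent(T0 + timedelta(seconds=2), "ACK", "0x1a2b", *ROGUE[:2], "aa:bb:cc:00:00:01", *ROGUE[2:]),
    DhcpEvent(T0 + timedelta(minutes=1), "OFFER", "0x3c4d", *GOOD[:2], "aa:bb:cc:00:00:02", *GOOD[2:]),
    DhcpEvent(T0 + timedelta(minutes=1, seconds=1), "ACK", "0x3c4d", *GOOD[:2], "aa:bb:cc:00:00:02", *GOOD[2:]),
    DhcpEvent(T0 + timedelta(minutes=20), "OFFER", "0x5e6f", *ROGUE[:2], "aa:bb:cc:00:00:03", *ROGUE[2:]),
    DhcpEvent(T0 + timedelta(minutes=30), "ACK", "0x7a8b", *ROGUE[:2], "aa:bb:cc:00:00:03", *ROGUE[2:]),
]

if __name__ == "__main__":
    for xid, servers in competing_offers(SAMPLE_EVENTS).items():
        print(f"competing OFFERs for xid {xid}: {sorted(servers)}")
    for alert in detect(SAMPLE_EVENTS, CONFIG):
        print(alert)
```

`competing_offers` is the cheap, high-confidence signal: two servers answering one transaction id is rare on a healthy subnet regardless of what they offer. `detect` is the tunable part; raising `DHCPLeaseChangeThreshold` or shrinking `TimeWindow` (the page's `AlertSensitivity` and `TimeWindow` knobs) trades missed short-lived rogues for fewer alerts from a misconfigured but legitimate second server.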