Detect DHCP Spoofing Across Linux, Windows, and macOS

Technique Detected: DHCP Spoofing | T1557.003

ID: DET0468
Domains: Enterprise
Analytics: AN1290, AN1291, AN1292
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1290

Detects rogue DHCP server activity and anomalous DHCP OFFER/ACK messages assigning unexpected DNS or gateway values. Detection correlates DHCP server role changes, DHCP exhaustion warnings, and sudden network configuration changes across endpoints.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Application Log Content (DC0038) | WinEventLog:System | EventCode=1341,1342,1020,1063 |
| Network Traffic Content (DC0085) | NSM:Flow | DHCP OFFER or ACK with unauthorized DNS/gateway parameters |

Mutable Elements

| Field | Description |
| --- | --- |
| AuthorizedDHCPServers | List of known DHCP servers; unexpected sources are suspicious. |
| TimeWindow | Interval to correlate DHCP OFFER/ACK anomalies with subsequent misconfigurations. |

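The following is an added worked example for AN1290, not code from the DET0468 page or from MITRE. It correlates DHCP OFFER/ACK flow records with later endpoint network-configuration changes, using the two mutable elements above (an authorized-server list and a time window). The record shapes, field names, IP addresses and timestamps are all constructed for the example; a real deployment would feed it NSM flow records and endpoint configuration telemetry in whatever schema the sensors emit.

```python
# Added example (not part of the DET0468 page): correlate DHCP OFFER/ACK flow
# records with subsequent endpoint configuration changes, per AN1290.
# All record shapes, field names and sample values below are constructed.
from datetime import datetime, timedelta

# Mutable element AuthorizedDHCPServers (constructed value).
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}
# Mutable element TimeWindow: how long after an ACK a config change still correlates.
TIME_WINDOW = timedelta(minutes=5)

# Constructed NSM flow records: DHCP OFFER/ACK messages observed on the wire.
DHCP_MESSAGES = [
    {"ts": "2025-10-21T09:00:00", "type": "ACK", "server": "10.0.0.1",
     "client": "10.0.0.23", "dns": "10.0.0.53", "gateway": "10.0.0.1"},
    {"ts": "2025-10-21T09:05:00", "type": "OFFER", "server": "10.0.0.99",
     "client": "10.0.0.24", "dns": "10.0.0.99", "gateway": "10.0.0.99"},
    {"ts": "2025-10-21T09:05:01", "type": "ACK", "server": "10.0.0.99",
     "client": "10.0.0.24", "dns": "10.0.0.99", "gateway": "10.0.0.99"},
]

# Constructed endpoint telemetry: network configuration changes reported by hosts.
CONFIG_CHANGES = [
    {"ts": "2025-10-21T09:00:02", "host": "10.0.0.23", "dns": "10.0.0.53", "gateway": "10.0.0.1"},
    {"ts": "2025-10-21T09:05:03", "host": "10.0.0.24", "dns": "10.0.0.99", "gateway": "10.0.0.99"},
    {"ts": "2025-10-21T10:30:00", "host": "10.0.0.24", "dns": "10.0.0.53", "gateway": "10.0.0.1"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def rogue_server_alerts(messages, authorized=AUTHORIZED_DHCP_SERVERS):
    """OFFER/ACK messages whose source is not an authorized DHCP server."""
    return [m for m in messages if m["server"] not in authorized]


def correlate_config_changes(messages, changes, window=TIME_WINDOW):
    """Pair each DHCP ACK with a configuration change on the same client that
    happened within the window and adopted the DNS/gateway values the ACK carried."""
    hits = []
    for m in messages:
        if m["type"] != "ACK":
            continue
        for c in changes:
            if c["host"] != m["client"]:
                continue
            delta = _t(c["ts"]) - _t(m["ts"])
            if (timedelta(0) <= delta <= window
                    and c["dns"] == m["dns"] and c["gateway"] == m["gateway"]):
                hits.append({"client": m["client"], "server": m["server"],
                             "dns": m["dns"], "gateway": m["gateway"],
                             "seconds_after_ack": int(delta.total_seconds())})
    return hits


def suspicious_configurations(messages, changes,
                              authorized=AUTHORIZED_DHCP_SERVERS, window=TIME_WINDOW):
    """Configuration changes that followed an ACK from an unauthorized server.
    This is the correlated finding AN1290 describes: a rogue lease that took effect."""
    return [h for h in correlate_config_changes(messages, changes, window)
            if h["server"] not in authorized]


if __name__ == "__main__":
    for alert in suspicious_configurations(DHCP_MESSAGES, CONFIG_CHANGES):
        print("rogue DHCP lease applied:", alert)
```

The unauthorized OFFER on its own is already worth a low-severity alert (rogue_server_alerts); the higher-confidence finding is the ACK from an unauthorized server that is followed, inside TimeWindow, by the client actually adopting the offered DNS and gateway. The 10:30 change in the sample falls outside every window and is correctly ignored.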
AN1291

Detects rogue DHCP activity by monitoring syslog for dhclient messages assigning unauthorized DNS/gateway values. Packet capture or IDS can detect multiple competing DHCP OFFERs from non-authorized servers.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Application Log Content (DC0038) | linux:syslog | suspicious DHCP lease assignment with unexpected DNS or gateway |
| Network Traffic Flow (DC0078) | NSM:Flow | Gratuitous or duplicate DHCP OFFER packets from non-legitimate servers |

Mutable Elements

| Field | Description |
| --- | --- |
| AllowedDHCPMACs | Expected MAC addresses of DHCP servers on subnet. |
| DHCPLeaseChangeThreshold | Number of suspicious DHCP leases before raising an alert. |

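The following is an added worked example for the syslog side of AN1291, not code from the DET0468 page. It parses client-side DHCP lease messages, assembles one lease per host from the DHCPACK line and the option lines that follow it, and raises an alert once the number of leases carrying unexpected DNS or gateway values reaches DHCPLeaseChangeThreshold. The sample syslog lines are constructed; their shape (a dhclient "DHCPACK of ... from ..." line followed by NetworkManager "option ... => '...'" lines) is an assumption about the host's logging and should be adjusted to what the fleet actually emits. The AllowedDHCPMACs element applies to the NSM:Flow source, where the server's MAC is visible, and is not modelled here because syslog does not carry it.

```python
# Added example (not part of the DET0468 page): detect suspicious DHCP lease
# assignments from Linux syslog, per AN1291. Log line shapes are assumed and
# every sample line below is constructed.
import re

# Expected resolver/gateway values for the subnet (constructed baseline).
EXPECTED_DNS = {"10.0.0.53"}
EXPECTED_GATEWAY = {"10.0.0.1"}
# Mutable element DHCPLeaseChangeThreshold.
DHCP_LEASE_CHANGE_THRESHOLD = 2

# Constructed syslog excerpt: ws01 gets a normal lease, ws02 and ws03 get
# leases pointing DNS and the default route at an unexpected address.
SYSLOG_LINES = """\
Oct 21 09:00:00 ws01 dhclient[611]: DHCPACK of 10.0.0.23 from 10.0.0.1
Oct 21 09:00:00 ws01 NetworkManager[812]: <info>  dhcp4 (eth0): option domain_name_servers => '10.0.0.53'
Oct 21 09:00:00 ws01 NetworkManager[812]: <info>  dhcp4 (eth0): option routers => '10.0.0.1'
Oct 21 09:05:01 ws02 dhclient[598]: DHCPACK of 10.0.0.24 from 10.0.0.99
Oct 21 09:05:01 ws02 NetworkManager[790]: <info>  dhcp4 (eth0): option domain_name_servers => '10.0.0.99'
Oct 21 09:05:01 ws02 NetworkManager[790]: <info>  dhcp4 (eth0): option routers => '10.0.0.99'
Oct 21 09:05:40 ws03 dhclient[602]: DHCPACK of 10.0.0.25 from 10.0.0.99
Oct 21 09:05:40 ws03 NetworkManager[801]: <info>  dhcp4 (eth0): option domain_name_servers => '10.0.0.99'
Oct 21 09:05:40 ws03 NetworkManager[801]: <info>  dhcp4 (eth0): option routers => '10.0.0.99'
""".splitlines()

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) dhclient\[\d+\]: "
    r"DHCPACK of (?P<client>[\d.]+) from (?P<server>[\d.]+)")
OPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) NetworkManager\[\d+\]:.*"
    r"option (?P<name>domain_name_servers|routers) => '(?P<value>[^']*)'")


def parse_leases(lines):
    """Build one lease record per DHCPACK, attaching the option lines that
    follow it for the same host until the next DHCPACK from that host."""
    leases = []
    current = {}  # host -> lease currently being assembled
    for line in lines:
        m = ACK_RE.match(line)
        if m:
            lease = {"ts": m["ts"], "host": m["host"], "client": m["client"],
                     "server": m["server"], "dns": set(), "gateway": set()}
            current[m["host"]] = lease
            leases.append(lease)
            continue
        m = OPT_RE.match(line)
        if m and m["host"] in current:
            key = "dns" if m["name"] == "domain_name_servers" else "gateway"
            # Option values may list several addresses separated by spaces.
            current[m["host"]][key].update(m["value"].split())
    return leases


def suspicious_leases(leases, expected_dns=EXPECTED_DNS, expected_gw=EXPECTED_GATEWAY):
    """Leases that hand out any DNS server or gateway outside the expected sets."""
    return [l for l in leases
            if not l["dns"] <= expected_dns or not l["gateway"] <= expected_gw]


def should_alert(leases, threshold=DHCP_LEASE_CHANGE_THRESHOLD):
    """Alert once the count of suspicious leases reaches the threshold."""
    return len(suspicious_leases(leases)) >= threshold


if __name__ == "__main__":
    leases = parse_leases(SYSLOG_LINES)
    for lease in suspicious_leases(leases):
        print("suspicious lease:", lease["host"], "from", lease["server"],
              "dns", sorted(lease["dns"]), "gw", sorted(lease["gateway"]))
    print("alert:", should_alert(leases))
```

Keeping the threshold as a parameter matters: a single host with an odd lease is often a misconfigured lab box, while several hosts on one subnet receiving the same unexpected resolver within minutes is the pattern that distinguishes a rogue server.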
AN1292

Detects DHCP spoofing by monitoring unified logs for unexpected DHCP ACK/OFFER parameters and correlating with packet captures for multiple DHCP servers. Behavioral emphasis is on inconsistent DNS and gateway assignments that redirect traffic.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Application Log Content (DC0038) | macos:unifiedlog | new DHCP configuration with anomalous DNS or router values |
| Network Traffic Content (DC0085) | NSM:Flow | Multiple DHCP OFFER responses for a single DISCOVER |

Mutable Elements

| Field | Description |
| --- | --- |
| BaselineDNS | Expected DNS server list; deviations may indicate spoofing. |
| AlertSensitivity | Threshold for number of anomalous DHCP responses before alerting. |
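The following is an added worked example for the packet-capture side of AN1292, not code from the DET0468 page. It groups DHCP messages by transaction ID so that a DISCOVER answered by OFFERs from more than one server stands out, checks every OFFER/ACK against BaselineDNS, and applies AlertSensitivity to the count of anomalous responses. The packet summaries are constructed dictionaries standing in for decoded capture output; the field names (xid, type, src_ip, src_mac, dns, router) are an assumption, not the schema of any particular capture tool.

```python
# Added example (not part of the DET0468 page): flag competing DHCP OFFERs and
# anomalous DNS assignments from decoded capture summaries, per AN1292.
# Field names and all packet values below are constructed.
from collections import defaultdict

# Mutable element BaselineDNS (constructed value).
BASELINE_DNS = {"10.0.0.53"}
# Mutable element AlertSensitivity: anomalous responses before alerting.
ALERT_SENSITIVITY = 2

# Constructed capture summaries: two DISCOVER transactions, each answered by
# the legitimate server (10.0.0.1) and by a second, unexpected server (10.0.0.99).
PACKETS = [
    {"xid": "0x1a2b", "type": "DISCOVER", "src_ip": "0.0.0.0",
     "src_mac": "aa:bb:cc:00:00:24", "dns": [], "router": None},
    {"xid": "0x1a2b", "type": "OFFER", "src_ip": "10.0.0.1",
     "src_mac": "00:11:22:33:44:01", "dns": ["10.0.0.53"], "router": "10.0.0.1"},
    {"xid": "0x1a2b", "type": "OFFER", "src_ip": "10.0.0.99",
     "src_mac": "00:11:22:33:44:99", "dns": ["10.0.0.99"], "router": "10.0.0.99"},
    {"xid": "0x1a2b", "type": "ACK", "src_ip": "10.0.0.99",
     "src_mac": "00:11:22:33:44:99", "dns": ["10.0.0.99"], "router": "10.0.0.99"},
    {"xid": "0x3c4d", "type": "DISCOVER", "src_ip": "0.0.0.0",
     "src_mac": "aa:bb:cc:00:00:25", "dns": [], "router": None},
    {"xid": "0x3c4d", "type": "OFFER", "src_ip": "10.0.0.1",
     "src_mac": "00:11:22:33:44:01", "dns": ["10.0.0.53"], "router": "10.0.0.1"},
    {"xid": "0x3c4d", "type": "OFFER", "src_ip": "10.0.0.99",
     "src_mac": "00:11:22:33:44:99", "dns": ["10.0.0.99"], "router": "10.0.0.99"},
]


def offers_per_transaction(packets):
    """Map each transaction ID to the OFFERs it received."""
    by_xid = defaultdict(list)
    for p in packets:
        if p["type"] == "OFFER":
            by_xid[p["xid"]].append(p)
    return by_xid


def competing_offer_transactions(packets):
    """Transactions answered by OFFERs from more than one distinct server,
    i.e. the 'multiple DHCP OFFER responses for a single DISCOVER' channel."""
    result = {}
    for xid, offers in offers_per_transaction(packets).items():
        servers = sorted({o["src_ip"] for o in offers})
        if len(servers) > 1:
            result[xid] = servers
    return result


def anomalous_responses(packets, baseline=BASELINE_DNS):
    """OFFER/ACK messages whose DNS list contains anything outside BaselineDNS."""
    return [p for p in packets
            if p["type"] in ("OFFER", "ACK") and not set(p["dns"]) <= baseline]


def should_alert(packets, sensitivity=ALERT_SENSITIVITY):
    """Raise an alert once anomalous responses reach AlertSensitivity."""
    return len(anomalous_responses(packets)) >= sensitivity


if __name__ == "__main__":
    print("competing offers:", competing_offer_transactions(PACKETS))
    for p in anomalous_responses(PACKETS):
        print("anomalous", p["type"], "from", p["src_ip"], "dns", p["dns"])
    print("alert:", should_alert(PACKETS))
```

Grouping by transaction ID is what makes the signal robust: a network with redundant, legitimately authorized DHCP servers will also produce two OFFERs per DISCOVER, so the competing-offer list should be reconciled against the authorized server list before it is treated as spoofing, while the BaselineDNS check catches the case where the unexpected server has won the race and its ACK is redirecting resolution.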