This search might be prone to high false positives if DHCP snooping has been incorrectly configured (for example, if the port facing the legitimate DHCP server was never marked trusted, so its DHCPOFFER/DHCPACK replies are dropped and logged as untrusted) or, in the unlikely event, that the DHCP server has been moved to another network interface.

Techniques

Sample rules

Detect Rogue DHCP Server

Description

The following analytic identifies the presence of unauthorized DHCP servers on the network. It leverages logs from Cisco network devices with DHCP Snooping enabled, specifically the DHCP_SNOOPING_UNTRUSTED_PORT events the switch emits when it drops a DHCP server message (such as a DHCPOFFER or DHCPACK) that arrived on a port not configured as trusted. This activity is significant because a rogue DHCP server can hand out a malicious default gateway or DNS server and so facilitate Man-in-the-Middle attacks, leading to data interception and network disruption. If confirmed malicious, this could allow attackers to redirect network traffic, capture sensitive information, and compromise the integrity of the network.

Detection logic

`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT"
| stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_rogue_dhcp_server_filter`
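The following is an added example, not code from the Splunk security content project or from this page. It reproduces the search above in Python over a handful of constructed syslog lines so the aggregation (first/last time, count, deduplicated message types and source MACs per host) can be inspected offline, and it adds one check the search itself does not have: a `known_server_macs` set (an assumption, not part of the original analytic) that flags the false-positive case described at the top of the page, where the legitimate DHCP server's own replies show up on an untrusted port because the uplink was never configured with `ip dhcp snooping trust`. The syslog line layout is modelled on the Cisco IOS DHCP_SNOOPING_UNTRUSTED_PORT message; the exact wording of the drop text and the leading timestamp/hostname header are assumptions.

```python
import re
from datetime import datetime

# Line layout modelled on the Cisco IOS message (wording of the drop text is assumed):
#   %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on
#   untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
# The ISO timestamp and hostname in front are assumed to come from the syslog header.
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<host>\S+) .*?"
    r"%(?P<facility>DHCP_SNOOPING)-\d-(?P<mnemonic>\w+):"
    r"(?:.*?message type: (?P<message_type>\w+), MAC sa: (?P<src_mac>[0-9a-fA-F.]+))?"
)

# Constructed sample events (not real captures). The first two are deliberately out
# of order to show that firstTime/lastTime use min/max rather than list position.
SAMPLE_LOGS = [
    "2024-05-01T10:00:05Z sw-access-01 101: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    "DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455",
    "2024-05-01T10:00:01Z sw-access-01 100: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    "DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455",
    "2024-05-01T10:00:09Z sw-access-01 102: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    "DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455",
    # Legitimate server's MAC on an untrusted port: uplink trust is missing, not a rogue.
    "2024-05-01T10:01:00Z sw-access-02 200: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    "DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: AABB.CCDD.EEFF",
    # Same facility, different mnemonic: must be excluded by the mnemonic filter.
    "2024-05-01T10:02:00Z sw-access-03 300: %DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: "
    "DHCP Snooping received 300 DHCP packets on interface Gi1/0/5",
    # Unrelated facility: must not parse as a DHCP snooping event at all.
    "2024-05-01T10:03:00Z sw-access-03 301: %LINK-3-UPDOWN: Interface Gi1/0/5, changed state to down",
]


def parse_event(line):
    """Extract the fields the search uses (host, _time, facility, mnemonic,
    message_type, src_mac); return None for lines that are not DHCP snooping events."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.fromisoformat(ev.pop("time").replace("Z", "+00:00"))
    if ev["src_mac"]:
        ev["src_mac"] = ev["src_mac"].lower()  # normalise so values() dedups properly
    return ev


def detect_rogue_dhcp_server(lines, known_server_macs=frozenset()):
    """Python equivalent of the SPL: filter facility/mnemonic, then
    stats min(_time) max(_time) count values(message_type) values(src_mac) BY host.
    known_server_macs is an added assumption: if the offending MAC is the real DHCP
    server, the likely cause is a missing `ip dhcp snooping trust` on the uplink."""
    known = {mac.lower() for mac in known_server_macs}
    by_host = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["facility"] != "DHCP_SNOOPING" \
                or ev["mnemonic"] != "DHCP_SNOOPING_UNTRUSTED_PORT":
            continue
        b = by_host.setdefault(ev["host"], {
            "firstTime": ev["_time"], "lastTime": ev["_time"], "count": 0,
            "message_type": set(), "src_mac": set(),
        })
        b["firstTime"] = min(b["firstTime"], ev["_time"])
        b["lastTime"] = max(b["lastTime"], ev["_time"])
        b["count"] += 1
        if ev["message_type"]:
            b["message_type"].add(ev["message_type"])
        if ev["src_mac"]:
            b["src_mac"].add(ev["src_mac"])
    results = {}
    for host, b in by_host.items():
        results[host] = {
            "firstTime": b["firstTime"].isoformat(),
            "lastTime": b["lastTime"].isoformat(),
            "count": b["count"],
            "message_type": sorted(b["message_type"]),  # Splunk values(): deduped, sorted
            "src_mac": sorted(b["src_mac"]),
            "likely_trust_misconfig": bool(b["src_mac"] & known),
        }
    return results


if __name__ == "__main__":
    for host, row in detect_rogue_dhcp_server(SAMPLE_LOGS, {"aabb.ccdd.eeff"}).items():
        print(host, row)
```

Run stand-alone, the script reports sw-access-01 with three dropped server messages (DHCPOFFER and DHCPACK) from a single unknown MAC, which is the rogue-server pattern worth escalating, and sw-access-02 with the known server MAC flagged as `likely_trust_misconfig`, which is the configuration error the false-positive note warns about and is fixed on the switch rather than in the SOC. The errdisable and link-state lines never reach the aggregation.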