Multiple DHCP Servers Responding to the Same Transaction

  1[metadata]
  2creation_date = "2026/06/09"
  3integration = ["network_traffic"]
  4maturity = "production"
  5updated_date = "2026/06/09"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies two or more distinct DHCP servers sending an OFFER or ACK for the same transaction ID (xid) within a short
 11window, indicating a rogue DHCP server racing the legitimate one to win the client's handshake. This is the rogue-DHCP /
 12adversary-in-the-middle precondition (T1557.003) and is operating-system agnostic, since it keys only on server behavior
 13observed on the wire. Winning the race lets an attacker intercept traffic via a hostile gateway/DNS, bypass a VPN
 14(TunnelVision), or deliver a malformed response that exploits the client's DHCP parser for code execution.
 15"""
 16from = "now-9m"
 17language = "esql"
 18license = "Elastic License v2"
 19name = "Multiple DHCP Servers Responding to the Same Transaction"
 20note = """## Triage and analysis
 21
 22> **Disclaimer**:
 23> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 24
 25### Investigating Multiple DHCP Servers Responding to the Same Transaction
 26
 27DHCP is plaintext UDP and fully visible to any sensor on the broadcast segment. A rogue server (or an injected response
 28on the victim's L2 broadcast domain) that answers a transaction the legitimate server already owns is the defining
 29precondition for DHCP-based adversary-in-the-middle and for malformed-option client exploits. This rule flags exactly
 30that: two or more distinct server source IPs producing an OFFER/ACK for one transaction ID inside the same 30-second
 31window, and is operating-system agnostic, since it keys only on server behavior observed on the wire.
 32
 33### Possible investigation steps
 34
 35- Identify the server source IPs in `Esql.values_server_ips` and `Esql.values_server_identifiers`. Determine which is
 36  the sanctioned DHCP server and which is unexpected.
 37- Locate the rogue server on the segment (switch CAM/ARP tables, port, VLAN). It is on the same broadcast domain as the
 38  victim by definition.
 39- Inspect the rogue OFFER/ACK options for an oversized or malformed payload (the overflow trigger) and for hostile
 40  configuration such as an attacker-controlled default gateway (option 3), DNS server (option 6), WPAD/proxy
 41  auto-config (option 252), or classless static routes (option 121, TunnelVision-style VPN bypass).
 42- Identify the client(s) acquiring leases on the segment (any OS, including Windows, Linux, macOS, iOS, IoT) and review their
 43  endpoint telemetry for DHCP client service crashes, unexpected route/DNS/gateway changes, or follow-on code execution.
 44  Where the target OS and DHCP client are known, check whether they are unpatched for the relevant CVE (e.g.
 45  CVE-2026-44815 on Windows, CVE-2018-5732 on ISC dhclient).
 46
 47### False positive analysis
 48
 49- DHCP failover pairs (Microsoft or ISC) are designed so that, for a given transaction, only one peer answers; two
 50  peers answering the same xid within 30 seconds is not normal failover behavior. If a known active-active or
 51  load-balancing architecture genuinely does this, add its server IPs to an exception.
 52- DHCP relay agents forward responses but the relayed source is the relay, and a single server still owns each
 53  transaction. Anycast/VIP DHCP designs that present multiple real backend IPs on the wire are rare and would be a known
 54  architectural fact, which can be excepted by those IPs.
 55
 56### Response and remediation
 57
 58- Remove the rogue DHCP server from the segment, then patch the affected client DHCP stacks (e.g. June 2026 Patch
 59  Tuesday for CVE-2026-44815 on Windows, or the fixed ISC dhclient for CVE-2018-5732 on Linux/Unix).
 60- Enable DHCP snooping on managed switches and restrict DHCP server responses to authorized server ports/MACs as a
 61  compensating control, which protects clients of every OS and also mitigates TunnelVision-style route injection.
 62"""
 63references = [
 64    "https://nvd.nist.gov/vuln/detail/CVE-2026-44815",
 65    "https://nvd.nist.gov/vuln/detail/CVE-2024-3661",
 66    "https://www.leviathansecurity.com/blog/tunnelvision",
 67    "https://nvd.nist.gov/vuln/detail/CVE-2018-5732",
 68    "https://msrc.microsoft.com/update-guide",
 69]
 70risk_score = 73
 71rule_id = "44b8d933-8fed-485d-a0af-bd97d0093439"
 72setup = """## Setup
 73
 74This rule requires the Elastic network_traffic (Packetbeat) integration capturing DHCP (UDP 67/68) on the broadcast
 75segment where clients acquire/renew leases, either Packetbeat running on the segment or a SPAN/mirror feeding it. A
 76sensor not on the same L2 broadcast domain (or not behind the relevant DHCP relay) will not observe competing OFFER/ACK
 77packets.
 78
 79Zeek is intentionally not supported: the zeek.dhcp data stream does not expose a transaction ID and aggregates a full
 80DORA exchange into one record, so the per-transaction server-count comparison cannot be expressed on it.
 81"""
 82severity = "high"
 83tags = [
 84    "Domain: Network",
 85    "Domain: Endpoint",
 86    "Use Case: Threat Detection",
 87    "Use Case: Vulnerability",
 88    "Use Case: Network Security Monitoring",
 89    "Tactic: Credential Access",
 90    "Tactic: Execution",
 91    "Data Source: Network Traffic",
 92    "Resources: Investigation Guide",
 93]
 94timestamp_override = "event.ingested"
 95type = "esql"
 96
 97query = '''
 98from logs-network_traffic.dhcpv4-*, packetbeat-*
 99| eval
100    message_type = TO_LOWER(COALESCE(network_traffic.dhcpv4.option.message_type, dhcpv4.option.message_type)),
101    Esql.transaction_id = COALESCE(network_traffic.dhcpv4.transaction_id, dhcpv4.transaction_id),
102    server_identifier = COALESCE(network_traffic.dhcpv4.option.server_identifier, dhcpv4.option.server_identifier)
103| where message_type in ("offer", "ack") and Esql.transaction_id is not null and source.ip is not null
104| eval Esql.time_window = DATE_TRUNC(30 seconds, @timestamp)
105| stats
106    Esql.count_distinct_servers = COUNT_DISTINCT(source.ip),
107    Esql.values_server_ips = VALUES(source.ip),
108    Esql.values_server_identifiers = VALUES(server_identifier),
109    Esql.count_replies = COUNT(*)
110  by Esql.time_window, Esql.transaction_id
111| where Esql.count_distinct_servers >= 2
112| keep Esql.transaction_id, Esql.time_window, Esql.count_distinct_servers, Esql.values_server_ips, Esql.values_server_identifiers, Esql.count_replies
113'''
114
115
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118[[rule.threat.technique]]
119id = "T1557"
120name = "Adversary-in-the-Middle"
121reference = "https://attack.mitre.org/techniques/T1557/"
122[[rule.threat.technique.subtechnique]]
123id = "T1557.003"
124name = "DHCP Spoofing"
125reference = "https://attack.mitre.org/techniques/T1557/003/"
126
127
128[rule.threat.tactic]
129id = "TA0006"
130name = "Credential Access"
131reference = "https://attack.mitre.org/tactics/TA0006/"
132
133[[rule.threat]]
134framework = "MITRE ATT&CK"
135[[rule.threat.technique]]
136id = "T1203"
137name = "Exploitation for Client Execution"
138reference = "https://attack.mitre.org/techniques/T1203/"
139
140
141[rule.threat.tactic]
142id = "TA0002"
143name = "Execution"
144reference = "https://attack.mitre.org/tactics/TA0002/"