DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
Sigma rule (View on GitHub)
1title: DHCP Server Loaded the CallOut DLL
2id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
3status: test
4description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
5references:
6 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
7 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
8 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
9author: Dimitrios Slamaris
10date: 2017-05-15
11modified: 2022-12-25
12tags:
13 - attack.privilege-escalation
14 - attack.persistence
15 - attack.defense-evasion
16 - attack.t1574.001
17logsource:
18 product: windows
19 service: system
20detection:
21 selection:
22 EventID: 1033
23 Provider_Name: Microsoft-Windows-DHCP-Server
24 condition: selection
25falsepositives:
26 - Unknown
27level: high
References
-
The new (as of 10.05.2017) version of mimilib (a DLL with a subset of mimikatz features) supports the DNS serverlevel plugin API and the DHCP server Callout plugin API. In this post I will quickly cover how to inject the DLL into DHCP service and how to detect it using Windows Eventlogs and Sysmon.
Read More -
Applies To: Windows Server 2008 General availability of the Dynamic Host Configuration Protocol (DHCP) server refers to its ability to service clients. General availability depends on: Proper autho...
Read More -
Microsoft DHCP Server maintains an internal table of events that, upon their occurrence in DHCP protocol processing, trigger third-party DLL function calls.
Read More
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL