DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
Sigma rule (View on GitHub)
1title: DHCP Server Loaded the CallOut DLL
2id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
3status: test
4description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
5references:
6 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
7 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
8 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
9author: Dimitrios Slamaris
10date: 2017/05/15
11modified: 2022/12/25
12tags:
13 - attack.defense_evasion
14 - attack.t1574.002
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 EventID: 1033
21 Provider_Name: Microsoft-Windows-DHCP-Server
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
The new (as of 10.05.2017) version of mimilib (a DLL with a subset of mimikatz features) supports the DNS serverlevel plugin API and the DHCP server Callout plugin API. In this post I will quickly cover how to inject the DLL into DHCP service and how to detect it using Windows Eventlogs and Sysmon.
Read More -
Event ID 1032 — DHCP General Availability Article 02/02/2010 Applies To: Windows Server 2008 General availability of the Dynamic Host Configuration Protocol (DHCP) server refers to its ability to s...
Read More -
Microsoft DHCP Server maintains an internal table of events that, upon their occurrence in DHCP protocol processing, trigger third-party DLL function calls.
Read More
Related rules
- DHCP Server Error Failed Loading the CallOut DLL
- Suspicious GUP Usage
- Fax Service DLL Search Order Hijack
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- DNS Server Error Failed Loading the ServerLevelPluginDLL