Elastic Security Detection Rules

Multiple DHCP Servers Responding to the Same Transaction

Last updated 9 days ago on 2026-06-09
Created 9 days ago on 2026-06-09

About

Identifies two or more distinct DHCP servers sending an OFFER or ACK for the same transaction ID (xid) within a short window, indicating a rogue DHCP server racing the legitimate one to win the client's handshake. This is the rogue-DHCP / adversary-in-the-middle precondition (T1557.003) and is operating-system agnostic, since it keys only on server behavior observed on the wire. Winning the race lets an attacker intercept traffic via a hostile gateway/DNS, bypass a VPN (TunnelVision), or deliver a malformed response that exploits the client's DHCP parser for code execution.
Tags
Domain: NetworkDomain: EndpointUse Case: Threat DetectionUse Case: VulnerabilityUse Case: Network Security MonitoringTactic: Credential AccessTactic: ExecutionData Source: Network TrafficLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Adversary-in-the-Middle (T1557)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Exploitation for Client Execution (T1203)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

network_traffic(external, opens in a new tab or window)

Query
text code block:
from logs-network_traffic.dhcpv4-*, packetbeat-*
| eval
    message_type = TO_LOWER(COALESCE(network_traffic.dhcpv4.option.message_type, dhcpv4.option.message_type)),
    Esql.transaction_id = COALESCE(network_traffic.dhcpv4.transaction_id, dhcpv4.transaction_id),
    server_identifier = COALESCE(network_traffic.dhcpv4.option.server_identifier, dhcpv4.option.server_identifier)
| where message_type in ("offer", "ack") and Esql.transaction_id is not null and source.ip is not null
| eval Esql.time_window = DATE_TRUNC(30 seconds, @timestamp)
| stats
    Esql.count_distinct_servers = COUNT_DISTINCT(source.ip),
    Esql.values_server_ips = VALUES(source.ip),
    Esql.values_server_identifiers = VALUES(server_identifier),
    Esql.count_replies = COUNT(*)
  by Esql.time_window, Esql.transaction_id
| where Esql.count_distinct_servers >= 2
| keep Esql.transaction_id, Esql.time_window, Esql.count_distinct_servers, Esql.values_server_ips, Esql.values_server_identifiers, Esql.count_replies

Install detection rules in Elastic Security

Detect Multiple DHCP Servers Responding to the Same Transaction in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).