**Rogue DHCP Servers**
Dynamic Host Configuration Protocol (DHCP) assigns IP addresses and gateway/router information to devices automatically upon connection. Rogue DHCP servers are malicious or unauthorized DHCP servers that respond to requests faster than legitimate servers. The attacker can provide false default gateways (redirecting traffic), malicious DNS servers, or misconfigured subnet masks to disrupt visibility or facilitate further compromise. This is especially dangerous in open or poorly segmented networks.

Rogue DHCP Server
**1. Attacker Analogy**
Technical Summary:
The attacker impersonates a DHCP (Dynamic Host Configuration Protocol) server on a local network, racing the legitimate DHCP server to respond first. By issuing fake configurations (like a malicious default gateway or DNS server), the attacker reroutes victim traffic for surveillance, interference, or further compromise.

Narrative Analogy:
Imagine joining a team meeting, and as you sit down, someone hands you a printed schedule. But they’re not the real meeting organizer—just someone who snuck in early with fake materials. You follow their plan, not realizing you're being directed to the wrong conference room, or even a competitor's office. That's rogue DHCP in action.

**2. Source of IOC (Telemetry Origin)**
This indicator originates from EDR telemetry, packet capture sensors, or SIEM correlation of unexpected DHCP offer activity or misrouted traffic tied to endpoint configuration changes.

**3. Triage Framework Declaration**
Triage Category: Host-Based Triage

Standard Tools Used:

Windows Event Logs – Track DHCP client events (e.g., Event ID 1001 – DHCP Address Assignment).

EDR Telemetry – Review network configuration changes and outbound destination shifts.

File System / Registry Inspection – Check for unauthorized network adapter changes or persistence mechanisms.

Volatile Memory Capture – Identify active DHCP server processes or network tool execution in memory (e.g., dhcpd, npf.sys).

Softened Interpretation:
(You're starting from the workstation perspective, asking: “Why is this device getting the wrong network settings?” DHCP logs and EDR records help you spot the bait-and-switch.)

**4. OS Layer Mapping**
Primary OS Layer:

Layer 6 – Network Communication Context
The rogue DHCP server manipulates the network configuration at the host level, redirecting traffic by assigning falsified gateway or DNS entries.

Cross-Layer Interaction:

Layer 3 (Background Services): Attackers often set rogue DHCP as a background process.

Layer 2 (Startup/Persistence): If persistent, it may be configured to auto-launch with system startup.

Softened Interpretation:
(This is like someone editing your address book so that every time you try to mail a letter, it goes to the attacker instead. Your system has been quietly told to trust the wrong routing authority.)

**5. OSI Layer Mapping**
Layer 3 – Network Layer: Rogue DHCP offers control the IP address, default gateway, and subnet mask.

Layer 7 – Application Layer: DHCP server emulation or spoofing tools operate here (e.g., Yersinia, Ettercap, RogueDHCP).

Softened Interpretation:
(The attacker is tampering with your map and compass—changing how your system sees the network.)

**6. Attacker Behavior Interpretation**
Intent: Intercept or reroute traffic, enable man-in-the-middle attacks, or isolate systems.

Common Tools: Ettercap, Yersinia, Responder, or even simple PowerShell/Netsh scripts.

Trigger: Physical network access or a foothold on a compromised host with broadcast capabilities.

**7. Defender Action Summary**
Step 1: Identify rogue DHCP server via NetFlow analysis or Wireshark captures (look for multiple DHCP OFFERs).

Step 2: Confirm rogue system’s MAC/IP and physically trace or isolate the host.

Step 3: Use NAC (Network Access Control) or switch port security to restrict DHCP broadcasts to known sources.

Step 4: Reconfigure affected endpoints, flush DNS, and reset network interfaces.

Softened Interpretation:
(The defenders retrace the attacker’s forged schedule, rip it up, restore the original instructions, and then throw out the impersonator from the room.)

**8. Attacker Strategy Notes**
This is often a pivot tactic rather than an initial compromise.

Exploits trust in local network architecture—DHCP was never meant to verify who’s talking.

Rogue DHCP gives the attacker initial control over traffic flow, without triggering application or firewall alarms.

Works especially well in flat networks or environments without port security or NAC.

Often precedes DNS spoofing, man-in-the-middle, or credential harvesting attacks.

**9. Indicator Expansion & Event IDs**
Event ID 1001 (DHCP assigned IP address)

Multiple DHCP OFFERs in Wireshark

Suspicious gateway configurations (e.g., private IP as default gateway)

ARP anomalies or gateway not matching known network topology

**10. Softened Interpretation Summary**
This attack is a case of invisible redirection. The attacker doesn’t need malware or a zero-day exploit. They just lie convincingly and fast—faster than your legitimate DHCP server—and your system follows their lead, unaware it’s heading into enemy territory.

**11. Who’s Who – Object Role Clarification**
| Object | Role |
|---|---|
| Compromised Host | May host rogue DHCP service or be targeted for redirection |
| Rogue DHCP Server | Attacker-controlled service answering DHCP DISCOVERs |
| Legitimate DHCP Server | Authorized infrastructure, being spoofed or ignored |
| Network Switch / VLAN | Allows broadcast; can be misconfigured to accept rogue DHCP |
| Default Gateway / DNS Server | Can be maliciously reassigned by attacker |
| Wireshark / EDR | Detection tools showing abnormal DHCP activity |

**CONCLUSION**

# IOC 16 – Rogue DHCP Server (Unauthorized Configuration Injection)

This case study analyzes a rogue DHCP server scenario in which an attacker leverages a local foothold or physical access to intercept or redirect endpoint traffic by responding faster than the legitimate DHCP infrastructure. The attacker delivers falsified gateway, DNS, or subnet information, subverting routing behavior and enabling surveillance, traffic capture, or lateral movement within the network.

## Overview

DHCP (Dynamic Host Configuration Protocol) automates network configuration. In this attack, an unauthorized DHCP server impersonates a legitimate one, often responding first to broadcast DHCP DISCOVER requests. This allows the attacker to assign malicious settings (e.g., fake default gateway or DNS server) to nearby systems, rerouting traffic or isolating the target for further manipulation. These attacks are especially effective in flat or poorly segmented environments where switch-level protections are lacking.

## Key Concepts Covered

- The nature of DHCP trust and the risk of broadcast-based impersonation
- How rogue DHCP servers redirect traffic for surveillance or attack preparation
- Host-based telemetry for identifying configuration tampering
- Cross-layer forensic logic tracing background execution and persistence
- OSI layer involvement from Layer 3 routing redirection to Layer 7 spoofing tools

## Investigative Structure

This case uses the Host-Based IOC Triage Protocol to identify the rogue DHCP source and confirm its effects.

- **Telemetry Sources**:
  - EDR logs showing interface changes or unauthorized IP/gateway assignments
  - Windows Event ID 1001 (DHCP address assignment)
  - Wireshark detection of multiple DHCP OFFERs from unexpected sources

- **Host-Based Investigative Toolkit**:
  - **Windows Event Logs** – track assignment events and anomalies
  - **EDR Telemetry** – surface outbound traffic path changes and rogue services
  - **File System & Registry** – identify installed rogue DHCP tools or auto-start entries
  - **Volatile Memory Analysis** – detect `dhcpd`, `npf.sys`, or active spoofing utilities

- **Operating System Layers Involved**:
  - Layer 6: Network Communication – configuration redirection
  - Layer 3: Background Execution – rogue service persistence
  - Layer 2: Startup Infrastructure – autostart registration of DHCP tool

- **OSI Layers Affected**:
  - Layer 3: IP/gateway/DNS assignment
  - Layer 7: Rogue server emulation tools (Ettercap, Responder, Yersinia)

## Tools & Techniques Observed

- DHCP packet injection using tools like `Yersinia`, `Ettercap`, or `Responder`
- Malicious use of PowerShell or `netsh` to override gateway and DNS settings
- Memory-resident DHCP daemons or driver-level manipulation (e.g., `npf.sys`)
- Broadcast flooding to race legitimate DHCP servers

## Defender Response Framework

- Capture and inspect DHCP OFFER traffic using packet capture tools (e.g., Wireshark)
- Identify the MAC/IP of rogue DHCP responder via NetFlow or switch logs
- Disable unauthorized interfaces; isolate the rogue host from the network
- Enable port-based NAC or DHCP snooping so that only trusted switch ports may send DHCP server replies
- Flush affected system configurations and restore correct routing/gateway entries
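As an added example (not code from the original case study), the Python detector below implements the first step of section 7 and of the Defender Response Framework above: it parses DHCP OFFER payloads, groups them by transaction id, and alerts when one DISCOVER draws offers from more than one server or from a server not on the authorized list. The authorized-server address and the sample OFFERs are constructed assumptions; in practice the payloads would be the UDP port 67/68 payloads exported from a Wireshark capture.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie; the options list follows it
AUTHORIZED_SERVERS = {"192.168.1.1"}   # assumed: the site's only sanctioned DHCP server

def parse_dhcp(payload: bytes) -> dict:
    """Decode the DHCP fields that matter for rogue-server triage (RFC 2131/2132 layout)."""
    assert payload[236:240] == MAGIC, "not a DHCP message"
    opts, i = {}, 240                              # options start after the 236-byte BOOTP header
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # 0 = pad byte, carries no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda c: ".".join(str(x) for x in opts[c][:4]) if c in opts else None  # first IPv4 of option c
    return {"xid": struct.unpack("!I", payload[4:8])[0],   # transaction id ties OFFERs to a DISCOVER
            "type": opts.get(53, b"\0")[0],                # option 53: 2 = DHCPOFFER
            "server": ip(54), "router": ip(3), "dns": ip(6)}   # options 54, 3, 6: server id, gateway, DNS

def find_rogue_offers(payloads) -> list:
    """Group OFFERs by xid; alert when several servers answer or an unlisted server answers."""
    by_xid = defaultdict(list)
    for msg in map(parse_dhcp, payloads):
        if msg["type"] == 2:
            by_xid[msg["xid"]].append(msg)
    alerts = []
    for xid, offers in by_xid.items():
        servers = {o["server"] for o in offers}
        if len(servers) > 1:
            alerts.append(f"xid {xid:#x}: {len(servers)} distinct OFFER sources {sorted(map(str, servers))}")
        for o in offers:
            if o["server"] not in AUTHORIZED_SERVERS:
                alerts.append(f"xid {xid:#x}: unauthorized OFFER from {o['server']} (gateway={o['router']}, dns={o['dns']})")
    return alerts

def build_offer(xid: int, yiaddr: str, server: str, router: str, dns: str) -> bytes:
    """Build a constructed DHCPOFFER (not captured traffic) to exercise the detector."""
    raw = lambda s: bytes(int(x) for x in s.split("."))
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + b"\0" * 4 + raw(yiaddr) + raw(server)
    header += b"\0" * 212   # giaddr, chaddr, sname and file left zero so the header is 236 bytes
    options = b"\x35\x01\x02" + b"\x36\x04" + raw(server) + b"\x03\x04" + raw(router) + b"\x06\x04" + raw(dns) + b"\xff"
    return header + MAGIC + options

SAMPLE_OFFERS = [   # constructed capture: one DISCOVER (xid 0x1a2b3c4d) answered by the real server and a rogue host
    build_offer(0x1a2b3c4d, "192.168.1.50", "192.168.1.1", "192.168.1.1", "192.168.1.1"),
    build_offer(0x1a2b3c4d, "192.168.1.200", "192.168.1.77", "192.168.1.77", "192.168.1.77"),
]
```

The server identifier (option 54) reported in each alert is the address to trace to a switch port in the next step, and the gateway/DNS values show what the rogue offer would have pushed onto the client.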

## Strategic Takeaways

The rogue DHCP server is often used as a **positioning move**, not an end goal. By controlling gateway and DNS resolution, the attacker gains first-step influence over routing paths, sets up for man-in-the-middle attacks, and can break name resolution for the security services endpoints rely on. This is a low-skill, high-impact technique in networks that lack broadcast restrictions or endpoint telemetry correlation.

## Files

- `ioc16-rogue-dhcp-server.ipynb`: Full triage case study including attacker logic, OS and OSI layer analysis, and recommended defensive action

