Detectionhightest

DHCP Server Loaded the CallOut DLL

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Dimitrios SlamarisCreated Mon May 15Updated Sun Dec 2513fc89a9-971e-4ca6-b9dc-aa53a445bf40windows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        EventID: 1033
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

13fc89a9-971e-4ca6-b9dc-aa53a445bf40

Status

test

Level

high

Type

Detection

Created

Mon May 15

Modified

Sun Dec 25

Author

Path

rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001