SigmaHQ/rules/windows/builtin/win_susp_dhcp_config.yml

title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: experimental
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
date: 2017/05/15
author: Dimitrios Slamaris
tags:
    - attack.defense_evasion
    - attack.t1073          # an old one
    - attack.t1574.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 1033
        Source: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: critical
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: DHCP Server Loaded the CallOut DLL`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40`
1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading 2) correct typo in dns server rule 2017-05-15 18:58:31 +00:00			`status: experimental`
			`description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded`
Change "reference" to "references" to match new schema 2018-01-27 23:12:19 +00:00			`references:`
1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading 2) correct typo in dns server rule 2017-05-15 18:58:31 +00:00			`- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html`
			`- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx`
			`- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx`
			`date: 2017/05/15`
			`author: Dimitrios Slamaris`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.defense_evasion`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1073 # an old one`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1574.002`
1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading 2) correct typo in dns server rule 2017-05-15 18:58:31 +00:00			`logsource:`
			`product: windows`
			`service: system`
			`detection:`
Fixed parse errors 2017-08-02 20:49:15 +00:00			`selection:`
			`EventID: 1033`
Add correct Source to detection to avoid FP 2020-03-24 18:49:24 +00:00			`Source: Microsoft-Windows-DHCP-Server`
Fixed parse errors 2017-08-02 20:49:15 +00:00			`condition: selection`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`falsepositives:`
1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading 2) correct typo in dns server rule 2017-05-15 18:58:31 +00:00			`- Unknown`
			`level: critical`