← Back to Explore
sigmahighHunting
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
Detection Query
selection:
EventID: 1033
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
Author
Dimitrios Slamaris
Created
2017-05-15
Data Sources
windowssystem
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001
Raw Content
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID: 1033
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high