Windows DHCP server loaded CallOut DLL

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when a DHCP server loads a CallOut DLL, which can be used by attackers to execute malicious code with SYSTEM privileges.

Strategy

This rule monitors Windows Event ID 1033 from the Microsoft-Windows-DHCP-Server provider. The event indicates that a DHCP server has loaded a CallOut DLL, a mechanism that allows custom extension of DHCP server functionality. Loading a CallOut DLL is rare in most environments and can be abused by attackers to execute malicious code with elevated privileges, because the DHCP service typically runs as SYSTEM. The technique lets an attacker hijack the execution flow by inserting a malicious DLL that is then loaded by a legitimate process.

Triage & Response

  • Verify if the loaded DLL is expected in your environment and approved by the administrator.
  • Analyze the CallOut DLL file for suspicious characteristics including digital signatures, file creation date, and file location.
  • Review recent changes to DHCP server configuration that may have enabled the CallOut DLL functionality.
  • Check for any related suspicious process activity around the time the DLL was loaded.