Windows DHCP server error loaded CallOut DLL

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects Windows DHCP server errors that occur when loading CallOut DLLs; such failures may indicate DLL hijacking attempts targeting DHCP services.

Strategy

This rule monitors Windows event logs where @evt.id is 1031, 1032, or 1034 from the Microsoft-Windows-DHCP-Server provider. These events indicate failures in the DHCP server’s CallOut DLL operations, which can occur when attackers attempt to hijack the execution flow by placing malicious DLLs in locations where the DHCP server expects to find legitimate CallOut DLLs. CallOut DLLs are third-party extensions that provide additional functionality to DHCP servers, making them attractive targets for persistence and privilege escalation attacks.
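
The match criteria above, applied to a few constructed Windows event records and summarised per host for triage. This is an added example, not Datadog's rule implementation; the record layout (`evt.id`, `evt.provider`, `host`, `message`) is an assumption that mirrors the `@evt.id` attribute the rule names.

```python
"""Added example: apply this rule's match criteria (provider + event ID) to
constructed Windows event records. Not Datadog's own code; the record shape
is an assumed normalised layout built around the @evt.id attribute."""
from collections import defaultdict

DHCP_PROVIDER = "Microsoft-Windows-DHCP-Server"
CALLOUT_ERROR_IDS = {1031, 1032, 1034}  # event IDs the rule watches

# Constructed sample records; messages are placeholders, not real event text.
SAMPLE_EVENTS = [
    {"host": "dhcp-01", "evt": {"id": 1031, "provider": DHCP_PROVIDER},
     "message": "CallOut DLL load failed (constructed)"},
    {"host": "dhcp-01", "evt": {"id": 1034, "provider": DHCP_PROVIDER},
     "message": "CallOut DLL initialization failed (constructed)"},
    # Some shippers deliver the event ID as a string; the rule must still match.
    {"host": "dhcp-02", "evt": {"id": "1032", "provider": DHCP_PROVIDER},
     "message": "CallOut DLL entry point error (constructed)"},
    # Same ID from a different provider: not a DHCP-Server CallOut error.
    {"host": "dhcp-02", "evt": {"id": 1031, "provider": "Microsoft-Windows-Other"},
     "message": "unrelated event (constructed)"},
    # DHCP-Server provider but an ID outside the rule's set (constructed value).
    {"host": "dhcp-03", "evt": {"id": 1044, "provider": DHCP_PROVIDER},
     "message": "unrelated DHCP event (constructed)"},
]


def matches_rule(event):
    """True when the event is a DHCP-Server CallOut DLL error this rule targets."""
    evt = event.get("evt") or {}
    try:
        event_id = int(evt.get("id"))
    except (TypeError, ValueError):
        return False  # missing or malformed ID never matches
    return evt.get("provider") == DHCP_PROVIDER and event_id in CALLOUT_ERROR_IDS


def triage_summary(events):
    """Group matching events as {host: {event_id: [messages]}} for triage."""
    summary = defaultdict(lambda: defaultdict(list))
    for event in events:
        if matches_rule(event):
            summary[event["host"]][int(event["evt"]["id"])].append(event["message"])
    return {host: dict(by_id) for host, by_id in summary.items()}


if __name__ == "__main__":
    for host, by_id in triage_summary(SAMPLE_EVENTS).items():
        print(host, {eid: len(msgs) for eid, msgs in by_id.items()})
```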

Triage and response

  • Examine the specific DHCP server error details on {{host}} to identify which CallOut DLL failed to load and the associated error code.
  • Verify the legitimacy of any recently added or modified DLL files in DHCP server directories and common DLL search paths.
  • Review recent system changes including software installations, updates, or configuration modifications that could have affected DHCP CallOut DLL functionality.
  • Check for unusual process executions or file modifications in DHCP-related directories prior to the error events.
  • Determine if the DHCP server errors correlate with any legitimate maintenance activities or if they represent unauthorized modification attempts.