AN1290: Analytic 1290
Detects rogue DHCP server activity and anomalous DHCP OFFER/ACK messages assigning unexpected DNS or gateway values. Detection correlates DHCP server role changes, DHCP exhaustion warnings, and sudden network configuration changes across endpoints.
Analyst context for executives and security teams
Analytic 1290 is about finding signs that DHCP behavior is being abused or has drifted from expected network control: rogue DHCP servers, unusual DHCP OFFER/ACK responses, unexpected DNS or gateway assignments, DHCP exhaustion warnings, and endpoint network configuration changes. For leaders, the value is resilience: if DHCP is manipulated, users and systems can be redirected, disconnected, or forced onto untrusted network paths, making this a material availability and trust issue even before any confirmed compromise is established.
Executive priority
Prioritize this analytic where Windows endpoints depend on DHCP for normal operations and where DNS or gateway changes could disrupt business services, investigations, or compliance evidence. The key management question is whether the organization can prove which DHCP servers are authorized, detect unexpected DHCP role or configuration changes, and correlate endpoint network changes quickly enough to support incident response decisions.
Technical view
For SOC, detection engineering, and IR teams, validate whether DHCP server role changes, DHCP exhaustion warnings, DHCP OFFER/ACK activity, and endpoint DNS/gateway configuration changes can be collected and correlated. Because the ATT&CK object does not specify tactics or relationships, implementation should be framed as network infrastructure and Windows endpoint anomaly detection rather than mapped to a specific adversary phase. Tune around known network changes, authorized DHCP servers, planned subnet migrations, VPN behavior, and legitimate DNS or gateway updates.
Likely telemetry
- DHCP server logs and events showing OFFER/ACK activity
- Records of authorized DHCP server roles and role changes
- DHCP exhaustion warning events or lease pool utilization data
- Windows endpoint network configuration changes
- Endpoint-assigned DNS server and default gateway values
Detection direction
- Baseline authorized DHCP servers, expected DNS servers, and expected gateway values by network segment.
- Alert on DHCP OFFER/ACK messages whose server identifier (option 54) is not an authorized DHCP server, or whose router (option 3) or DNS server (option 6) values fall outside the segment baseline; treat lease assignments that carry unexpected DNS or gateway settings the same way.
- Correlate DHCP exhaustion warnings with sudden endpoint network configuration changes to reduce isolated-event noise.
- Validate whether Windows endpoint telemetry captures DNS and gateway changes reliably across wired, wireless, VPN, and remote-user scenarios.
- Account for planned network maintenance, subnet changes, and infrastructure migrations to limit false positives.
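The detection direction above, carried through as an added Python example that is not part of the ATT&CK object or of this page: it parses the options of constructed DHCP OFFER/ACK payloads (53 message type, 54 server identifier, 3 router, 6 DNS server), scores them against an assumed per-segment baseline, and pairs Windows DHCP audit-log exhaustion warnings (event ID 14) with endpoint gateway changes that land off-baseline shortly afterwards. The segment, addresses, log lines and the 15-minute window are assumptions built for illustration.

```python
"""Added example for Analytic 1290 (not from the ATT&CK object or the page).
Baselines, addresses and log lines below are constructed assumptions."""
import ipaddress
import struct
from datetime import datetime

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie, follows the 236-byte fixed header
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Constructed per-segment baseline (assumption): authorized DHCP servers plus the
# DNS and default-gateway values they are expected to hand out on that segment.
BASELINE = {
    "10.20.0.0/24": {"servers": {"10.20.0.2"},
                     "dns": {"10.20.0.10", "10.20.0.11"},
                     "gateways": {"10.20.0.1"}},
}

def parse_options(payload: bytes) -> dict[int, bytes]:
    """Return {option_code: raw_value} from a DHCP payload; stops at the END option."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:          # PAD option carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw: bytes) -> list[str]:
    """Decode a run of 4-byte IPv4 addresses (format of options 3, 6 and 54)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]

def evaluate_reply(payload: bytes, segment: str) -> list[str]:
    """Flag OFFER/ACK messages whose server, gateway or DNS values are off-baseline."""
    opts = parse_options(payload)
    mtype = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0])
    if mtype not in ("OFFER", "ACK"):
        return []                    # only server replies assign configuration
    base, findings = BASELINE[segment], []
    server = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in base["servers"]:
        findings.append(f"{mtype} from unauthorized DHCP server {server[0] if server else 'unknown'}")
    for code, key, label in ((OPT_ROUTER, "gateways", "gateway"), (OPT_DNS, "dns", "DNS")):
        unexpected = sorted(set(ip_list(opts.get(code, b""))) - base[key])
        if unexpected:
            findings.append(f"{mtype} assigns unexpected {label} {', '.join(unexpected)}")
    return findings

def correlate_exhaustion(dhcp_log: list[str], endpoint_events: list[tuple[str, str, str]],
                         segment: str, window_min: int = 15) -> list[str]:
    """Pair audit-log pool-exhaustion warnings (event ID 14) with endpoint gateway
    changes that are off-baseline and occur within window_min minutes afterwards."""
    exhausted = [datetime.strptime(f"{f[1]} {f[2]}", "%m/%d/%y %H:%M:%S")
                 for f in (line.split(",") for line in dhcp_log) if f[0] == "14"]
    hits = []
    for ts, host, new_gw in endpoint_events:
        if new_gw in BASELINE[segment]["gateways"]:
            continue                 # planned or normal gateway, not a signal on its own
        when = datetime.strptime(ts, "%m/%d/%y %H:%M:%S")
        if any(0 <= (when - ex).total_seconds() <= window_min * 60 for ex in exhausted):
            hits.append(f"{host} moved to gateway {new_gw} within {window_min} min of pool exhaustion")
    return hits

def build_reply(msg_type: int, yiaddr: str, server_id: str, router: str, dns: list[str]) -> bytes:
    """Assemble a minimal BOOTREPLY DHCP message; used here only to construct test input."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op,htype,hlen,hops,xid,secs,flags
    hdr += b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed         # ciaddr, yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed + b"\x00" * 4      # siaddr, giaddr
    hdr += b"\xaa\xbb\xcc\xdd\xee\x01" + b"\x00" * 10 + b"\x00" * 192 # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])

# Constructed inputs: a legitimate OFFER, an OFFER from a rogue host that names itself
# as gateway and resolver, and a DISCOVER that must not be scored.
LEGIT_OFFER = build_reply(2, "10.20.0.77", "10.20.0.2", "10.20.0.1", ["10.20.0.10", "10.20.0.11"])
ROGUE_OFFER = build_reply(2, "10.20.0.77", "10.20.0.50", "10.20.0.50", ["10.20.0.50"])
DISCOVER = build_reply(1, "0.0.0.0", "0.0.0.0", "0.0.0.0", [])

DHCP_AUDIT_LOG = [  # constructed lines in Windows DHCP audit-log column order: ID,Date,Time,Description,IP,...
    "10,03/04/26,09:12:03,Assign,10.20.0.77,WS-0412,AABBCCDDEE01,",
    "14,03/04/26,09:14:30,Scope address pool exhausted,10.20.0.0,,,",
]
ENDPOINT_EVENTS = [  # constructed endpoint telemetry: (timestamp, host, new default gateway)
    ("03/04/26 09:20:10", "WS-0412", "10.20.0.50"),  # off-baseline, inside the window
    ("03/04/26 11:05:00", "WS-0199", "10.20.0.50"),  # off-baseline, outside the window
    ("03/04/26 09:21:00", "WS-0300", "10.20.0.1"),   # on-baseline gateway, ignored
]

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER), ("discover", DISCOVER)):
        print(name, evaluate_reply(pkt, "10.20.0.0/24"))
    print(correlate_exhaustion(DHCP_AUDIT_LOG, ENDPOINT_EVENTS, "10.20.0.0/24"))
```

In production the payloads come from a sensor or endpoint DHCP client trace and the baseline from the inventory the mitigation list calls for; the scoring stays the same. Tune the window and the gateway/DNS allow-lists per segment, since VPN and wireless segments legitimately hand out different values.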
Mitigation priorities
- Maintain an authoritative inventory of approved DHCP servers and expected DNS/gateway configurations.
- Harden change control around DHCP roles and network configuration changes so alerts can be compared against approved activity.
- Ensure SOC and IR playbooks include validation steps for unexpected DHCP, DNS, and gateway assignments.
- Improve telemetry coverage before relying on the analytic: DHCP logs, endpoint configuration events, and network configuration baselines are the deciding inputs.
- Use segmentation and network administration controls appropriate to the environment to limit where unauthorized DHCP behavior can affect critical systems.
Analyst notes and limits
The supplied object is a detection analytic for Windows with no tactic, technique, or relationship context provided. Its defensive value is strongest when combined with local network baselines and asset ownership data, because the analytic depends on knowing which DHCP servers and DNS/gateway values are expected.
Official detection logic is not provided, and no ATT&CK relationships are supplied. This take therefore avoids claims about adversary attribution, active exploitation, specific ATT&CK tactics, or guaranteed detection outcomes. Local telemetry availability and network design determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3988f83137df… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1290
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.