AN1291: Analytic 1291

Detects rogue DHCP activity by monitoring syslog for dhclient messages assigning unauthorized DNS/gateway values. Packet capture or IDS can detect multiple competing DHCP OFFERs from non-authorized servers.

EnterpriseAN1291AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

This analytic matters because rogue DHCP can silently change where Linux systems send DNS queries or default network traffic. For leaders, the key issue is not the ATT&CK tactic label, which is not supplied here, but whether the organization can prove that unauthorized network configuration changes would be noticed before they disrupt operations or enable traffic redirection.

Executive priority

Prioritize this where Linux systems depend on DHCP for business-critical networks, shared infrastructure, or operational environments. Security leaders should ask whether approved DHCP servers, DNS resolvers, and gateways are documented; whether SOC teams receive Linux syslog and network sensor evidence; and whether incident responders have a playbook to distinguish misconfiguration from unauthorized DHCP activity.

Technical view

The supplied analytic is Linux-focused and centers on dhclient messages in syslog that show DNS or gateway assignments outside authorized values. It also notes that packet capture or IDS can identify multiple competing DHCP OFFERs from non-authorized servers. SOC and detection teams should validate collection from Linux hosts using DHCP, define approved DNS/gateway values per network segment, and correlate host-side dhclient events with network evidence when available.

Likely telemetry

Linux syslog containing dhclient messages
Assigned DNS server values observed on Linux hosts
Assigned default gateway values observed on Linux hosts
Packet capture evidence of DHCP OFFER traffic
IDS alerts or logs showing multiple or unauthorized DHCP OFFERs

Detection direction

Baseline authorized DNS and gateway assignments by subnet or network segment before alerting.
Alert on dhclient-assigned DNS or gateway values that are not in the approved inventory.
Use packet capture or IDS to confirm whether multiple DHCP OFFERs are present and whether the source is authorized.
Tune for legitimate network changes, lab environments, VPNs, temporary maintenance, and DHCP failover designs to reduce false positives.
Validate that Linux syslog ingestion includes dhclient messages; absence of this telemetry is a material blind spot.

Mitigation priorities

Maintain an authoritative inventory of approved DHCP servers, DNS resolvers, and default gateways by segment.
Ensure Linux hosts that rely on DHCP forward relevant syslog to central monitoring.
Deploy or validate network monitoring capable of observing DHCP OFFER traffic where feasible.
Create an incident response procedure for unauthorized DHCP findings, including network owner validation and containment coordination.
Review network control options that limit unauthorized DHCP services, prioritizing critical segments first.

Analyst notes and limits

ATT&CK provides this as a detection analytic, not as a full technique description. The practical value is in validating whether host-side DHCP configuration changes and network-side DHCP competition are observable and tied to an approved network baseline.

No tactics, relationships, mitigations, or formal detection logic were supplied. This take is limited to the official description and external reference for AN1291. Local network architecture, DHCP design, Linux logging configuration, and approved DNS/gateway inventories are required to operationalize it.

Official MITRE ATT&CK definition

Analytic 1291

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: d05f9b4754387ea4...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`d05f9b475438…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1291
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use