MITRE ATT&CK® Analytic

AN1292: Analytic 1292

Detects DHCP spoofing by monitoring unified logs for unexpected DHCP ACK/OFFER parameters and correlating with packet captures for multiple DHCP servers. Behavioral emphasis is on inconsistent DNS and gateway assignments that redirect traffic.

Enterprise | AN1292 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because DHCP spoofing can quietly redirect macOS users’ network traffic by giving them unexpected DNS or gateway settings. For leaders, the decision value is not just “can we detect DHCP spoofing,” but whether the organization has enough endpoint log and network packet evidence to prove when a device was assigned suspicious network configuration and whether traffic may have been redirected.

Executive priority

Prioritize this where macOS systems operate on shared, branch, campus, or other networks where unauthorized DHCP responses could affect user connectivity, monitoring visibility, or incident scope decisions. The key business question is whether security and network teams can validate trusted DHCP behavior and produce evidence for incident response, audit, and operational resilience when DNS or gateway assignments change unexpectedly.

Technical view

The supplied ATT&CK analytic is macOS-focused and describes monitoring unified logs for unexpected DHCP ACK/OFFER parameters, then correlating with packet captures to identify multiple DHCP servers. SOC and IR teams should validate whether macOS unified log collection includes DHCP lease/configuration events and whether packet capture or equivalent network evidence is available at locations where macOS endpoints obtain addresses. Since no official detection logic is provided, teams should build local baselines for expected DHCP servers, DNS resolvers, gateways, and lease behavior, then investigate deviations that indicate inconsistent DNS or gateway assignments.

Likely telemetry

  • macOS unified logs related to DHCP lease negotiation and network configuration changes
  • DHCP ACK and OFFER details, including assigned DNS servers and default gateway values
  • Packet capture or network sensor records showing DHCP server responses
  • Inventory or network source-of-truth for authorized DHCP servers, DNS resolvers, and gateways
  • Endpoint network configuration state at or near the time of suspected lease assignment

Detection direction

  • Validate that macOS unified logs are centrally collected with enough retention to support incident timelines.
  • Correlate endpoint-observed DHCP parameters with packet captures or network telemetry to distinguish endpoint misconfiguration from multiple DHCP server responses.
  • Baseline authorized DHCP servers, DNS servers, and gateways per network segment; alert on inconsistent or unexpected assignments rather than on DHCP activity alone.
  • Tune for legitimate network changes such as office moves, VPN transitions, lab networks, or planned DHCP/DNS migrations to reduce false positives.
  • Account for blind spots where packet capture is absent, endpoint logs are not forwarded, or network segments lack an authoritative list of approved DHCP infrastructure.
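One way to implement the baseline comparison and endpoint/packet-capture corroboration described in the Technical view and Detection direction above, as an added example that is not part of the ATT&CK object or of Glexia's analysis. The record fields (host, segment, server, gateway, dns, source), the segment names and addresses, and the sample leases are all constructed for illustration; the fields a real collector extracts from macOS unified logs or a network sensor will differ and must be mapped to this shape first.

```python
"""Baseline-deviation check for DHCP lease parameters (added example).

Each Lease is a simplified, constructed record of what a SOC pipeline might
extract from a macOS unified log entry ("endpoint") or from a network sensor
observing a DHCP OFFER/ACK on the wire ("pcap").  Field names are assumptions
for this example, not a macOS or ATT&CK schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Lease:
    ts: str        # ISO-8601 timestamp (constructed)
    host: str      # endpoint that received the lease, or sensor that saw it
    segment: str   # network segment label assigned by the collector
    server: str    # DHCP server identifier (option 54) in the ACK/OFFER
    gateway: str   # default router (option 3)
    dns: tuple     # DNS servers (option 6)
    source: str    # "endpoint" (unified log) or "pcap" (network sensor)


# Authoritative per-segment baseline (constructed).  In practice this is the
# DHCP/DNS/gateway inventory the page recommends maintaining per segment, and
# it is also the tuning point for planned migrations and office moves.
BASELINE = {
    "corp-wifi": {"servers": {"10.10.0.2"}, "gateways": {"10.10.0.1"},
                  "dns": {"10.10.0.53", "10.10.0.54"}, "cidr": "10.10.0.0/22"},
    "branch-a":  {"servers": {"10.20.0.2"}, "gateways": {"10.20.0.1"},
                  "dns": {"10.10.0.53", "10.10.0.54"}, "cidr": "10.20.0.0/24"},
}


def check_lease(lease, baseline=BASELINE):
    """Return the list of ways one lease deviates from its segment baseline
    (an empty list means the lease is consistent)."""
    seg = baseline.get(lease.segment)
    if seg is None:
        return ["no baseline for segment %s" % lease.segment]
    reasons = []
    if lease.server not in seg["servers"]:
        reasons.append("unexpected DHCP server %s" % lease.server)
    if lease.gateway not in seg["gateways"]:
        reasons.append("unexpected gateway %s" % lease.gateway)
    unexpected_dns = set(lease.dns) - seg["dns"]
    if unexpected_dns:
        reasons.append("unexpected DNS %s" % ",".join(sorted(unexpected_dns)))
    # A gateway outside the segment's own prefix cannot route the client at
    # all, which points to a bogus OFFER rather than a planned renumbering.
    if ip_address(lease.gateway) not in ip_network(seg["cidr"]):
        reasons.append("gateway %s outside segment prefix %s"
                       % (lease.gateway, seg["cidr"]))
    return reasons


def find_multiple_servers(leases):
    """Map segment -> set of distinct DHCP servers the network sensor saw,
    keeping only segments where more than one server answered."""
    seen = defaultdict(set)
    for lease in leases:
        if lease.source == "pcap":
            seen[lease.segment].add(lease.server)
    return {seg: srv for seg, srv in seen.items() if len(srv) > 1}


def detect(leases, baseline=BASELINE):
    """Alert on endpoint-observed leases that deviate from the baseline.

    Severity is raised to "high" only when packet captures on the same
    segment also show more than one DHCP server, so that a lone endpoint
    misconfiguration is not scored the same as a second server answering.
    """
    multi = find_multiple_servers(leases)
    alerts = []
    for lease in leases:
        if lease.source != "endpoint":
            continue
        reasons = check_lease(lease, baseline)
        if not reasons:
            continue
        alerts.append({"ts": lease.ts, "host": lease.host,
                       "segment": lease.segment, "reasons": reasons,
                       "severity": "high" if lease.segment in multi else "medium"})
    return alerts


# Constructed sample: a clean lease, a lease from a second server that hands
# out itself as gateway and resolver (seen by both endpoint and sensor), and a
# branch lease whose only anomaly is a DNS server outside the baseline.
SAMPLE = [
    Lease("2024-05-01T09:00:01Z", "mac-0421", "corp-wifi", "10.10.0.2",
          "10.10.0.1", ("10.10.0.53", "10.10.0.54"), "endpoint"),
    Lease("2024-05-01T09:00:01Z", "sensor-1", "corp-wifi", "10.10.0.2",
          "10.10.0.1", ("10.10.0.53", "10.10.0.54"), "pcap"),
    Lease("2024-05-01T09:03:17Z", "mac-0477", "corp-wifi", "10.10.1.77",
          "10.10.1.77", ("10.10.1.77",), "endpoint"),
    Lease("2024-05-01T09:03:17Z", "sensor-1", "corp-wifi", "10.10.1.77",
          "10.10.1.77", ("10.10.1.77",), "pcap"),
    Lease("2024-05-01T09:10:00Z", "mac-0502", "branch-a", "10.20.0.2",
          "10.20.0.1", ("8.8.8.8",), "endpoint"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The two-tier severity mirrors the page's advice to correlate endpoint evidence with packet captures: the corp-wifi lease is scored high because the sensor saw two servers answering on that segment, while the branch-a lease is scored medium because the only evidence is the endpoint's own configuration. Legitimate changes (migrations, lab networks) are handled by editing the baseline rather than by suppressing alerts.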

Mitigation priorities

  • Maintain an authoritative inventory of approved DHCP servers, DNS resolvers, and gateways by network segment.
  • Ensure macOS unified logs and relevant network telemetry are retained and accessible to SOC and IR workflows.
  • Coordinate security and network operations processes so unexpected DHCP/DNS/gateway assignments can be quickly validated.
  • Use local environment baselines to prioritize investigation of assignments that could redirect traffic through untrusted gateways or DNS infrastructure.
  • Document evidence requirements for incidents involving suspected traffic redirection, including endpoint logs and packet-level confirmation.

Analyst notes and limits

This is a detection analytic object, not a technique description. The supplied fields identify macOS as the platform and describe the analytic’s intent, but provide no tactic, relationship context, or official detection query. Treat this as guidance for validating telemetry and analytic design rather than as a ready-to-run rule.

No relationship context, tactic mapping, or official detection logic was supplied. The assessment cannot infer exploitation prevalence, adversary attribution, non-macOS applicability, or guaranteed detection coverage. Local network baselines and telemetry availability determine practical usefulness.

Official MITRE ATT&CK definition

Analytic 1292

Detects DHCP spoofing by monitoring unified logs for unexpected DHCP ACK/OFFER parameters and correlating with packet captures for multiple DHCP servers. Behavioral emphasis is on inconsistent DNS and gateway assignments that redirect traffic.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release:  19.1
Object version:  1.0
Created:
Modified:
Raw hash:        9a58db6607bed80d...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  9a58db6607be…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1292
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.