It can be useful to view DHCP lease information on an endpoint. If the LeaseLength, RouterIPAddress, SSID, or other values are not as expected, it could potentially indicate a rogue DHCP server on the network, or just misconfiguration.
Either way, the information provided by this artifact can be used to help defenders find unexpected DHCP lease configuration.
name: MacOS.Network.DHCP
description: |
It can be useful to view DHCP lease information on an endpoint. If the `LeaseLength`, `RouterIPAddress`, `SSID`, or other values are not as expected, it could potentially indicate a rogue DHCP server on the network, or just misconfiguration.
Either way, the information provided by this artifact can be used to help defenders find unexpected DHCP lease configuration.
reference:
- https://attack.mitre.org/techniques/T1557/003/
type: CLIENT
author: Wes Lambert - @therealwlambert|@weslambert@infosec.exchange
parameters:
- name: LeaseGlob
default: /private/var/db/dhcpclient/leases/*.plist
- name: UploadFiles
default:
type: bool
precondition:
SELECT OS From info() where OS = 'darwin'
sources:
- query: |
LET LeaseList = SELECT Mtime, OSPath
FROM glob(globs=split(string=LeaseGlob, sep=","))
SELECT * FROM foreach(row=LeaseList,
query={
SELECT Mtime,
OSPath,
regex_replace(re='''.plist''', replace='', source=basename(path=OSPath)) AS Interface,
RouterIPAddress,
SSID,
ClientIdentifier AS _ClientIdentifier,
IPAddress,
LeaseLength,
LeaseStartDate,
PacketData AS _PacketData,
RouterHardwareAddress AS _RouterHardwareAddress,
OSPath AS _FullPath
FROM plist(file=OSPath)})
- name: Upload
query: |
-- if configured upload DHCP lease files
SELECT * FROM if(condition=UploadFiles,
then={
SELECT
upload(file=OSPath) as DHCPLeaseFile
FROM LeaseList
})