Unauthorized Asset Detection via DHCP Request Analysis
This analytic identifies potentially unauthorized devices attempting to connect to an organization's network by inspecting DHCP request packets and comparing MAC addresses against a list of known authorized devices.
This detection identifies unauthorized devices attempting to connect to the organization’s network by inspecting DHCP request packets. It achieves this by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. The detection uses the Network_Sessions data model shipped with Enterprise Security and leverages the Assets and Identity framework to populate the assets_by_str.csv file, which should contain a list of known authorized organizational assets, including their MAC addresses. This activity is significant as unauthorized devices can introduce security risks, potentially leading to data breaches or network disruptions.
Attack Chain
- An unauthorized device attempts to connect to the network.
- The device sends a DHCP request to obtain an IP address.
- The network monitoring system captures the DHCP request.
- The system extracts the MAC address from the DHCP request.
- The extracted MAC address is compared against the list of authorized MAC addresses in assets_by_str.csv.
- If the MAC address is not found in the authorized list, an alert is triggered.
- An analyst investigates the alert to determine if the device is truly unauthorized.
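The attack chain above is a procedure: receive a DHCP client message, pull the hardware address out of it, look it up in the asset list, and raise an alert on a miss. The following stand-alone Python script is an added example of that pipeline and is not the Splunk analytic, the Network_Sessions data model, or any code from the project; it parses the BOOTP/DHCP header and options directly per RFC 2131 rather than relying on Splunk field extraction. Assumptions: the asset list is a CSV with a column named mac (the real assets_by_str.csv has more columns), multivalued mac cells use | as a separator, and only Ethernet (htype 1, hlen 6) clients are in scope. All packets and CSV rows are constructed for the example.

```python
import csv
import io
import struct
from dataclasses import dataclass
from typing import Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field (RFC 2131)
MESSAGE_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpClientMessage:
    xid: int
    client_mac: str
    message_type: str
    hostname: Optional[str]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-1A-2B-3C-4D-5E' and '001a.2b3c.4d5e' compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_client_message(payload: bytes) -> DhcpClientMessage:
    """Parse the fixed BOOTP header and the two options the detection needs (53 and 12)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    if op != 1:
        raise ValueError("not a BOOTREQUEST (client -> server)")
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are handled")
    # chaddr is a 16-byte field at offset 28; only the first hlen bytes are the address.
    client_mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])

    message_type, hostname = "UNKNOWN", None
    i = 240                                        # options are code/length/value; 0 = pad, 255 = end
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 53 and length == 1:             # DHCP message type
            message_type = MESSAGE_TYPES.get(value[0], f"TYPE_{value[0]}")
        elif code == 12:                           # client host name, useful context for the analyst
            hostname = value.decode("ascii", errors="replace")
        i += 2 + length
    return DhcpClientMessage(xid, client_mac, message_type, hostname)


def load_authorized_macs(csv_text: str) -> set:
    """Read the 'mac' column of an asset list; assumption: multivalued cells are '|'-separated."""
    authorized = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for mac in (row.get("mac") or "").split("|"):
            if mac.strip():
                authorized.add(normalize_mac(mac))
    return authorized


def find_unauthorized(payloads, authorized_macs):
    """Return one alert dict per client message whose MAC is absent from the asset list."""
    alerts = []
    for payload in payloads:
        msg = parse_dhcp_client_message(payload)
        if msg.client_mac not in authorized_macs:
            alerts.append({"xid": msg.xid, "src_mac": msg.client_mac,
                           "message_type": msg.message_type, "hostname": msg.hostname})
    return alerts


def build_client_message(mac: str, xid: int, msg_type: int, hostname: str = "") -> bytes:
    """Constructed test packet: BOOTREQUEST header, chaddr/sname/file, cookie, options, end."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = bytes.fromhex(normalize_mac(mac).replace(":", "")).ljust(16, b"\0")
    options = bytes([53, 1, msg_type])
    if hostname:
        options += bytes([12, len(hostname)]) + hostname.encode("ascii")
    return header + chaddr + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC_COOKIE + options + b"\xff"


# Constructed asset list in the shape of an Enterprise Security asset lookup (subset of columns).
ASSET_LIST_CSV = """ip,mac,nt_host,dns,owner,priority
10.0.0.10,00:1A:2B:3C:4D:5E,WS-FIN-01,ws-fin-01.corp.example,finance,medium
10.0.0.11,00-1a-2b-3c-4d-5f|00:1a:2b:3c:4d:60,LT-IT-02,lt-it-02.corp.example,it,high
"""

# Constructed traffic: two known clients and one device that is not in the asset list.
SAMPLE_PACKETS = [
    build_client_message("00:1a:2b:3c:4d:5e", 0x1001, 3, "WS-FIN-01"),
    build_client_message("00:1a:2b:3c:4d:60", 0x1002, 1),
    build_client_message("de:ad:be:ef:00:01", 0x1003, 3, "unknown-laptop"),
]

if __name__ == "__main__":
    for alert in find_unauthorized(SAMPLE_PACKETS, load_authorized_macs(ASSET_LIST_CSV)):
        print("ALERT unauthorized DHCP client:", alert)
```

Normalizing both sides of the comparison matters in practice: DHCP logs, switch exports and asset inventories write MAC addresses in different cases and separators, and a raw string match would alert on every authorized host that happens to be recorded with dashes. The chaddr field is supplied by the client, so this check is an inventory control that surfaces devices the asset list does not know about, which is why the recommendation below to keep the Assets and Identity data current is what keeps the false-positive rate manageable.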
Impact
An unauthorized device successfully connecting to the network can lead to several negative consequences. This could include unauthorized access to sensitive data, the introduction of malware, or the disruption of network services. The risk is especially high if the unauthorized device is compromised or controlled by a malicious actor. The impact of such an event can range from minor data breaches to significant financial losses and reputational damage.
Recommendation
- Deploy the Detect Unauthorized Assets by MAC Address analytic within Splunk Enterprise Security as described in the “how_to_implement” section above.
- Ensure the Assets and Identity framework is properly configured and populated with authorized asset information, including MAC addresses, as described in the “how_to_implement” section.
- Review and tune the detect_unauthorized_assets_by_mac_address_filter macro to minimize false positives, based on your organization’s environment and authorized device profiles.
- Investigate alerts generated by this detection promptly to determine the nature and risk associated with any potentially unauthorized devices identified.
- Adjust the finding score based on your organization’s risk appetite and the potential impact of unauthorized device access.
Detection coverage (2)
Detect Unauthorized Assets by MAC Address (Sigma)
medium: Detects unauthorized devices attempting to connect to the network by comparing MAC addresses in DHCP requests against known authorized MAC addresses.
Detect Unauthorized Assets by MAC Address (Linux)
medium: Detects unauthorized devices attempting to connect to the network by comparing MAC addresses in DHCP requests against known authorized MAC addresses in a Linux environment.