This note documents detection patterns related to DHCP Activity within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| DHCP-Client | 50058 | Lease obtained | Critical | Strongest direct DHCP assignment evidence. |
| DHCP-Client | 50036 | Lease renewed | High | Confirms continued network presence. |
| DHCP-Client | 50024 | Interface initialization | High | Adapter prepared for DHCP negotiation. |
| DHCP-Client | 50010 | Address conflict / issue | Medium | Duplicate IP or abnormal network behavior. |
| DHCP-Client | 50062 | Lease expired | High | Lease ended or adapter disconnected. |
| System | 4201 | Network adapter connected | High | Link established before DHCP negotiation. |
| System | 4202 | Network adapter disconnected | High | Link dropped after lease activity. |
| Sysmon | 3 | Network connection | High | Activity following lease assignment. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| New lease shortly before attack | IP assigned before suspicious activity | Critical | Strong timeline anchor. |
| Lease on unknown subnet | Unexpected network presence | Critical | Travel, rogue AP, VPN, hotspot. |
| Rapid lease changes | Adapter switching / roaming | High | Wi-Fi movement or tethering. |
| Lease with public hotspot DHCP | Mobility evidence | High | Strong travel indicator. |
| Missing expected lease | Static IP / anti-forensics | Medium | Requires alternate artifacts. |
| DHCP immediately before VPN | Pre-tunnel local network evidence | High | Important in remote intrusion cases. |
Common Tools
| Tool | Usage |
|---|---|
| ipconfig /all | Live lease details |
| netsh interface ip show config | Interface lease inspection |
| Registry Explorer | Lease recovery from registry |
| Event Viewer | DHCP logs |
| EvtxECmd | DHCP event parsing |
| KAPE | DHCP artifact collection |
Relevant Artifacts
- Event Log:
  Applications and Services Logs → Microsoft → Windows → DHCP-Client → Operational
- Registry:
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
- Important values:
  - DhcpIPAddress
  - DhcpServer
  - LeaseObtainedTime
  - LeaseTerminatesTime
  - SubnetMask
  - DefaultGateway
- Additional:
  - SRUM network usage
  - NetworkList profiles
  - WLAN logs
  - DNS cache
  - ARP cache
Registry Interpretation
| Registry Value | Meaning | Forensic Value | Notes |
|---|---|---|---|
| DhcpIPAddress | Assigned IP address | Critical | Core lease evidence |
| DhcpServer | DHCP server | Critical | Shows source of assignment |
| LeaseObtainedTime | Lease start | Critical | Strong timeline anchor |
| LeaseTerminatesTime | Lease expiry | High | Defines network session window |
| DefaultGateway | Routing context | High | Identifies local environment |
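The following is an added example, not code from the original note, showing how the per-interface registry values listed above are turned into a lease record: the two lease timestamps are REG_DWORD seconds since the Unix epoch (UTC), so they are converted to aware datetimes, the lease window is computed and checked for consistency, the assigned address is bucketed into the decision tree's corporate / home-or-hotspot / public categories, and an interface with no Dhcp* values is reported as "no lease evidence" rather than silently skipped. The interface GUIDs, addresses and times are constructed sample data, and `CORPORATE_RANGES` is an assumption about the environment.

```python
"""Interpret DHCP lease values from Tcpip\\Parameters\\Interfaces\\{GUID}.

Input is a dict shaped like an offline registry export (one entry per
interface GUID). LeaseObtainedTime and LeaseTerminatesTime are REG_DWORD
seconds since the Unix epoch, in UTC. All GUIDs, addresses and times below
are constructed sample data; CORPORATE_RANGES is an assumption.
"""
from datetime import datetime, timezone
import ipaddress

# Assumption: ranges this environment hands out on the corporate network.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed export: a corporate lease, a hotspot-style lease, a static adapter.
SAMPLE_INTERFACES = {
    "{A1B2C3D4-0000-0000-0000-000000000001}": {
        "DhcpIPAddress": "10.20.30.40",
        "DhcpServer": "10.20.30.1",
        "DhcpSubnetMask": "255.255.255.0",
        "DhcpDefaultGateway": ["10.20.30.1"],
        "LeaseObtainedTime": 1710151200,    # 2024-03-11 10:00:00 UTC
        "LeaseTerminatesTime": 1710237600,  # 24 hours later
    },
    "{A1B2C3D4-0000-0000-0000-000000000002}": {
        "DhcpIPAddress": "192.168.43.57",
        "DhcpServer": "192.168.43.1",
        "DhcpSubnetMask": "255.255.255.0",
        "DhcpDefaultGateway": ["192.168.43.1"],
        "LeaseObtainedTime": 1710165600,    # 2024-03-11 14:00:00 UTC
        "LeaseTerminatesTime": 1710169200,  # one-hour lease
    },
    "{A1B2C3D4-0000-0000-0000-000000000003}": {
        "IPAddress": ["10.20.31.5"],        # static: no Dhcp* values present
        "SubnetMask": ["255.255.255.0"],
        "DefaultGateway": ["10.20.31.1"],
    },
}


def epoch_to_utc(seconds):
    """Registry lease timestamps are Unix epoch seconds; render them as aware UTC."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def classify_subnet(ip_text):
    """Map the leased address onto the decision tree's subnet buckets."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in CORPORATE_RANGES):
        return "corporate"
    if ip.is_private:
        return "private-noncorporate"  # home, hotspot, tether, rogue AP
    if ip.is_global:
        return "public"
    return "unknown"


def interpret_interface(guid, values, reference_time):
    """Build one evidence record per interface key."""
    ip = values.get("DhcpIPAddress")
    if not ip or ip == "0.0.0.0":
        return {"guid": guid, "lease": False, "static_ip": values.get("IPAddress"),
                "note": "no lease values: static IP or cleared key; pivot to SRUM, NetworkList, WLAN"}
    obtained = epoch_to_utc(values["LeaseObtainedTime"])
    terminates = epoch_to_utc(values["LeaseTerminatesTime"])
    return {
        "guid": guid,
        "lease": True,
        "ip": ip,
        "server": values.get("DhcpServer"),
        "gateway": values.get("DhcpDefaultGateway"),
        "obtained": obtained.isoformat(),
        "terminates": terminates.isoformat(),
        "duration_hours": (terminates - obtained).total_seconds() / 3600,
        "consistent": terminates > obtained,  # clock tampering or partial key otherwise
        "active_at_reference": obtained <= reference_time <= terminates,
        "classification": classify_subnet(ip),
    }


def interpret_all(interfaces, reference_time):
    """Interpret every interface key in the export, preserving export order."""
    return [interpret_interface(g, v, reference_time) for g, v in interfaces.items()]


if __name__ == "__main__":
    ref = datetime(2024, 3, 11, 16, 0, tzinfo=timezone.utc)  # constructed incident time
    for rec in interpret_all(SAMPLE_INTERFACES, ref):
        print(rec)
```

The `reference_time` argument is the moment of interest from the incident timeline; `active_at_reference` then answers whether the lease window covers it, which is the check behind "new lease shortly before attack" and "lease on unknown subnet" in the indirect indicators table.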
MITRE ATT&CK References
- T1016 System Network Configuration Discovery
- T1049 System Network Connections Discovery
- T1021 Remote Services
Decision Tree
- Lease present?
  - Registry
  - DHCP event logs
- Which interface?
  - Wi-Fi
  - Ethernet
  - VPN
  - USB tethering
- Which subnet?
  - Corporate
  - Home
  - Public
  - Unknown
- Timeline:
  - Lease obtained
  - Lease renewed
  - Lease expired
- Follow-up:
  - DNS
  - Browser
  - Authentication
  - Lateral movement
- Scope:
  - Single adapter
  - Multiple interfaces
  - Movement between networks
Example Detection Templates
KQL

```kql
Event
| where EventLog == "Microsoft-Windows-DHCP-Client/Operational"
| where EventID in (50058, 50036, 50024, 50062)
| project TimeGenerated, Computer, EventID, RenderedDescription
```
EQL

```eql
any where event.code == "50058"

sequence by host.name with maxspan=10m
  [ any where event.code == "50024" ]
  [ any where event.code == "50058" ]
```
Sigma

```yaml
title: DHCP Lease Obtained
id: dhcp-lease-obtained-01
status: experimental
description: Detects DHCP lease assignment events
author: Vergil
date: 2026-03-11
logsource:
  product: windows
  service: dhcp-client
detection:
  selection:
    EventID:
      - 50058
  condition: selection
fields:
  - EventID
  - Computer
falsepositives:
  - Normal network join
level: low
tags:
  - attack.discovery
```
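As an added example (not part of the original note or its templates), the script below implements the timeline step of the decision tree and the EQL sequence above in offline form: it walks parsed event rows per host, treats 4201 → 50024 → 50058 within the 10-minute span as one lease session, counts 50036 renewals, closes the session on 50062 or 4202, and then attributes Sysmon event 3 connections to the session whose window contains them. Connections with no matching lease session are returned separately, which is the "missing expected lease" case that needs SRUM or NetworkList follow-up. The event rows, host names and addresses are constructed; the `log` column uses the short log names from the Direct Indicators table rather than full channel names.

```python
"""Correlate DHCP-Client, Tcpip adapter and Sysmon events into lease sessions.

Rows are constructed to resemble parsed EVTX output (EvtxECmd-style columns);
hosts, times and addresses are sample data. MAXSPAN mirrors the 10m window of
the EQL sequence template.
"""
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=10)

# Constructed sample rows. "log" uses the short names from the indicator table.
SAMPLE_EVENTS = [
    {"ts": "2024-03-11T09:58:10", "host": "WS01", "log": "System", "id": 4201},
    {"ts": "2024-03-11T09:58:12", "host": "WS01", "log": "DHCP-Client", "id": 50024},
    {"ts": "2024-03-11T09:58:14", "host": "WS01", "log": "DHCP-Client", "id": 50058, "ip": "10.20.30.40"},
    {"ts": "2024-03-11T10:05:00", "host": "WS01", "log": "Sysmon", "id": 3, "dst": "203.0.113.7"},
    {"ts": "2024-03-11T12:00:00", "host": "WS01", "log": "DHCP-Client", "id": 50036},
    {"ts": "2024-03-11T13:30:00", "host": "WS01", "log": "DHCP-Client", "id": 50062},
    {"ts": "2024-03-11T13:30:02", "host": "WS01", "log": "System", "id": 4202},
    {"ts": "2024-03-11T14:00:00", "host": "WS01", "log": "Sysmon", "id": 3, "dst": "198.51.100.9"},
    {"ts": "2024-03-11T11:00:00", "host": "WS02", "log": "Sysmon", "id": 3, "dst": "203.0.113.7"},
]


def parse_ts(text):
    """Rows carry naive ISO-8601 timestamps; keep them naive and compare directly."""
    return datetime.fromisoformat(text)


def build_sessions(events):
    """Return (sessions, orphan_connections) from a list of parsed event rows."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    link_up = {}       # host -> time of last 4201 (link established)
    init = {}          # host -> time of last 50024 (interface initialised)
    open_session = {}  # host -> session dict still waiting for 50062/4202
    sessions, connections = [], []

    for e in events:
        ts, host, eid, log = parse_ts(e["ts"]), e["host"], e["id"], e["log"]
        if log == "System" and eid == 4201:
            link_up[host] = ts
        elif log == "DHCP-Client" and eid == 50024:
            init[host] = ts
        elif log == "DHCP-Client" and eid == 50058:
            i, lu = init.get(host), link_up.get(host)
            session = {
                "host": host, "ip": e.get("ip"), "start": ts, "end": None,
                "renewals": 0, "connections": [],
                # Sequence evidence: did 50024 and 4201 precede the lease within MAXSPAN?
                "init_within_span": i is not None and ts - i <= MAXSPAN,
                "link_within_span": lu is not None and ts - lu <= MAXSPAN,
            }
            if host in open_session:  # rapid lease change: the new lease ends the old one
                open_session[host]["end"] = ts
            open_session[host] = session
            sessions.append(session)
        elif log == "DHCP-Client" and eid == 50036:
            if host in open_session:
                open_session[host]["renewals"] += 1
        elif (log == "DHCP-Client" and eid == 50062) or (log == "System" and eid == 4202):
            s = open_session.pop(host, None)
            if s is not None and s["end"] is None:
                s["end"] = ts
        elif log == "Sysmon" and eid == 3:
            connections.append((ts, host, e.get("dst")))

    # Attribute each network connection to the lease window that contains it.
    orphans = []
    for ts, host, dst in connections:
        match = next((s for s in sessions if s["host"] == host and s["start"] <= ts
                      and (s["end"] is None or ts <= s["end"])), None)
        if match is not None:
            match["connections"].append(dst)
        else:
            orphans.append({"host": host, "ts": ts.isoformat(), "dst": dst})
    return sessions, orphans


if __name__ == "__main__":
    found, unmatched = build_sessions(SAMPLE_EVENTS)
    for s in found:
        print(f"{s['host']} {s['ip']} {s['start']} -> {s['end']} "
              f"renewals={s['renewals']} connections={s['connections']}")
    for o in unmatched:
        print("no lease context:", o)
```

In the constructed data, the WS01 connection at 14:00 falls after the 50062 event and is therefore reported without lease context even though the host did have a lease earlier in the day; that is the behaviour an investigator wants, since a connection outside any known lease window points to a static configuration, a missing log, or an interface whose lease events were not collected.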
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| DHCP logging | Keep DHCP Operational enabled | Critical | Primary visibility |
| Lease auditing | Review unusual subnet assignments | High | Detect rogue environments |
| Unknown subnet alerting | Alert on external DHCP ranges | Critical | Strong movement indicator |
| Adapter monitoring | Track interface changes | High | Important in mobile systems |
Investigator Notes
- Registry lease values often survive longer than event retention.
- DHCP timestamps frequently anchor full incident timelines.
- Lease evidence becomes strongest when chained with WLAN + DNS + Security logon.
- Static IP systems may have no DHCP evidence.
- Always correlate lease with adapter GUID.