
Summary
This detection rule identifies the installation of Callout DLLs through two registry entries associated with the DHCP server, 'CalloutDlls' and 'CalloutEnabled'. These parameters allow code to execute within the context of the DHCP server process, which could lead to unauthorized access or code execution. When either entry is changed, the rule flags the event for further investigation, given the high risk associated with such modifications. The DHCP service may need to be restarted before the changes take effect, so monitoring these registry entries is crucial for identifying potential vulnerabilities or exploitation attempts related to DHCP server configurations.
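The check described in this summary, written out as an added example (it is not the rule's own source). It assumes Sysmon-style registry event fields (`EventID`, `TargetObject`, `Details`, `Image`) and the Windows DHCP Server key `Services\DHCPServer\Parameters`, neither of which is quoted on this page; the sample events are constructed.

```python
import re

# Value names come from the rule summary. The Services\DHCPServer\Parameters
# location is an assumption (the Windows DHCP Server service key), matched under
# CurrentControlSet and numbered control sets, case-insensitively.
CALLOUT_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\DHCPServer"
    r"\\Parameters\\(CalloutDlls|CalloutEnabled)$",
    re.IGNORECASE,
)
# Assumed Sysmon registry events: 12 = create/delete, 13 = value set.
REGISTRY_WRITE_IDS = {12, 13}

def detect_dhcp_callout(events):
    """Return one alert per registry write that touches a DHCP callout value."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_WRITE_IDS:
            continue
        match = CALLOUT_RE.search(ev.get("TargetObject", "").rstrip("\\"))
        if match:
            alerts.append({
                "host": ev.get("Computer"),
                "value": match.group(1),
                "data": ev.get("Details"),
                "process": ev.get("Image"),
            })
    return alerts

# Constructed sample events (hosts, paths and data are placeholders).
BASE = r"HKLM\System\CurrentControlSet\Services"
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "dhcp01.example.test", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\DHCPServer\Parameters\CalloutDlls",
     "Details": r"C:\ProgramData\placeholder.dll"},
    {"EventID": 13, "Computer": "dhcp01.example.test", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\DHCPServer\Parameters\CalloutEnabled",
     "Details": "DWORD (0x00000001)"},
    # Near misses: similar value name, DHCP client key, non-registry event.
    {"EventID": 13, "Computer": "dhcp01.example.test",
     "TargetObject": BASE + r"\DHCPServer\Parameters\CalloutDllsBackup"},
    {"EventID": 13, "Computer": "ws07.example.test",
     "TargetObject": BASE + r"\Dhcp\Parameters\CalloutEnabled"},
    {"EventID": 1, "Computer": "dhcp01.example.test", "Image": r"C:\Windows\System32\reg.exe"},
]

if __name__ == "__main__":
    for alert in detect_dhcp_callout(SAMPLE_EVENTS):
        print(alert)
```

Because the change may not take effect until the DHCP service restarts, an alert from this check can precede any DLL load; pairing it with service restart events on the same host helps establish whether the callout was actually activated.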
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2017-05-15