T1557.002

ARP Cache Poisoning

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. The stateless, unauthenticated nature of ARP means devices accept unsolicited replies, enabling gratuitous ARP broadcast attacks against entire subnets. Used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and LuminousMoth for traffic redirection to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040).

Microsoft Sentinel / Defender

kusto

let ARPPoisoningTools = dynamic(["arpspoof", "ettercap", "bettercap", "nemesis", "arp-sk", "arpflood", "yersinia", "cain"]);
let ScapyARPPatterns = dynamic(["ARP(", "arp_poison", "arp-poison", "sendp(", "Ether(dst", "scapy"]);
// Known ARP poisoning tool execution
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ARPPoisoningTools)
    or ProcessCommandLine has_any (ARPPoisoningTools)
| extend DetectionType = "Known ARP Poisoning Tool";
// Python scapy-based ARP packet injection
let ScapyARP = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python.exe", "python3.exe", "python", "python3")
| where ProcessCommandLine has_any (ScapyARPPatterns)
| extend DetectionType = "Python Scapy ARP Manipulation";
// Static ARP entry manipulation via arp.exe (Windows)
let ARPStaticEntry = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "arp.exe"
| where ProcessCommandLine has_any ("-s ", "/s ")
| extend DetectionType = "ARP Static Entry Modification";
// IP forwarding enablement via netsh (Windows MITM prerequisite)
let IPForwardingNetsh = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has "forwarding"
    and ProcessCommandLine has_any ("enable", "enabled")
| extend DetectionType = "IP Forwarding Enabled via Netsh";
// IP forwarding enablement via sysctl (Linux MITM prerequisite)
let LinuxIPForward = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sysctl", "bash", "sh", "zsh", "tee")
| where ProcessCommandLine has "ip_forward"
    and (ProcessCommandLine has "=1" or ProcessCommandLine has "= 1")
| extend DetectionType = "Linux IP Forwarding Enabled";
union ToolExecution, ScapyARP, ARPStaticEntry, IPForwardingNetsh, LinuxIPForward
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Network administrators using arp.exe -s to configure static ARP entries as a legitimate defense against ARP poisoning or to maintain persistent MAC-to-IP mappings for critical infrastructure devices such as printers and servers
Authorized penetration testers or red teams executing ettercap, bettercap, or arpspoof during sanctioned network security assessments — always verify against active change management or pen test engagement tickets covering the source device and network segment
Multi-homed Linux servers, container orchestration nodes (Kubernetes, Docker Swarm), and VPN gateway hosts that legitimately require ip_forward=1 for packet routing and NAT functionality
Python network automation engineers or security researchers using scapy for legitimate packet crafting, NIDS signature testing, or network protocol development in lab environments
Network monitoring solutions (arpwatch, XArp, commercial NAC products) that use ARP-related binary names or scapy internally for passive ARP anomaly detection without injecting forged replies

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd")
| eval process=lower(coalesce(Image, exe, process_name, ""))
| eval cmdline=lower(coalesce(CommandLine, cmdline, command, ""))
| eval user=coalesce(User, uid, acct, "unknown")
| eval src_host=coalesce(host, hostname, "unknown")
| eval detection_type=case(
    match(process, "(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain)"), "known_arp_tool",
    match(cmdline, "(arpspoof|ettercap|bettercap|nemesis|arp-sk|yersinia)") AND NOT match(process, "(grep|find|cat|less|more|strings)"), "arp_tool_in_cmdline",
    match(process, "(python|python3)") AND match(cmdline, "(arp\(|sendp\(|arp_poison|arp-poison|from scapy|import scapy)"), "python_scapy_arp",
    match(process, "arp\.exe") AND match(cmdline, "(-s|/s)\s"), "arp_static_entry",
    match(cmdline, "(net\.ipv4\.ip_forward|ip_forward)") AND match(cmdline, "(=1|= 1)"), "linux_ip_forward_enabled",
    match(process, "netsh\.exe") AND match(cmdline, "forwarding") AND match(cmdline, "enable"), "windows_ip_forward_enabled",
    true(), null()
  )
| where isnotnull(detection_type)
| eval parent_process=coalesce(ParentImage, parent_image, pprocess, "")
| eval parent_cmdline=coalesce(ParentCommandLine, parent_cmdline, "")
| table _time, src_host, user, process, cmdline, parent_process, parent_cmdline, detection_type
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Linux: Syslog Linux: Auditd Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure syslog

False Positives

Network administrators using arp.exe -s for static ARP entries on critical infrastructure devices
Authorized penetration testers running ettercap, bettercap, or arpspoof during sanctioned security assessments — verify against active engagement tickets
Linux routing infrastructure (Kubernetes nodes, VPN gateways, container hosts) with legitimate ip_forward=1 configuration — build allowlists for known router hostnames
Python network automation and security research scripts using scapy for packet crafting and protocol testing in development environments
Network monitoring tools using ARP-related tooling passively — filter on tool command-line arguments indicating passive listen mode vs. active poisoning

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS src_ip,
  username AS user,
  "process" AS process_name,
  "cmdline" AS command_line,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  CASE
    WHEN LOWER("process") SIMILAR TO '%(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain)%'
      THEN 'known_arp_tool'
    WHEN LOWER("process") SIMILAR TO '%(python|python3)%'
         AND LOWER("cmdline") SIMILAR TO '%(arp(|arp_poison|arp-poison|sendp(|from scapy|import scapy)%'
      THEN 'python_scapy_arp'
    WHEN LOWER("process") SIMILAR TO '%arp.exe%'
         AND LOWER("cmdline") SIMILAR TO '%( -s | /s )%'
      THEN 'arp_static_entry'
    WHEN LOWER("process") SIMILAR TO '%netsh.exe%'
         AND LOWER("cmdline") SIMILAR TO '%forwarding%'
         AND LOWER("cmdline") SIMILAR TO '%enable%'
      THEN 'windows_ip_forwarding_enabled'
    WHEN LOWER("cmdline") SIMILAR TO '%ip_forward%'
         AND (LOWER("cmdline") SIMILAR TO '%=1%' OR LOWER("cmdline") SIMILAR TO '%= 1%')
      THEN 'linux_ip_forwarding_enabled'
    ELSE 'unknown'
  END AS detection_type
FROM events
WHERE
  (
    LOGSOURCETYPEID IN (12, 29, 214, 352, 433)
    OR CATEGORYNAME(category) IN ('Operating System', 'Authentication', 'Host Definition')
  )
  AND
  (
    LOWER("process") SIMILAR TO '%(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain)%'
    OR
    (
      LOWER("process") SIMILAR TO '%(python|python3)%'
      AND LOWER("cmdline") SIMILAR TO '%(arp(|arp_poison|sendp(|from scapy|import scapy)%'
    )
    OR
    (
      LOWER("process") SIMILAR TO '%arp.exe%'
      AND LOWER("cmdline") SIMILAR TO '%( -s | /s )%'
    )
    OR
    (
      LOWER("process") SIMILAR TO '%netsh.exe%'
      AND LOWER("cmdline") SIMILAR TO '%forwarding%'
      AND LOWER("cmdline") SIMILAR TO '%enable%'
    )
    OR
    (
      LOWER("cmdline") SIMILAR TO '%ip_forward%'
      AND (LOWER("cmdline") SIMILAR TO '%=1%' OR LOWER("cmdline") SIMILAR TO '%= 1%')
    )
  )
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (WinCollect/WEF) Sysmon via WinCollect Linux auditd via syslog DSM: Microsoft Windows Security Event Log DSM: Linux OS

Required Tables

events

False Positives

Authorized internal penetration testing teams running ettercap or bettercap during scheduled assessments — correlate with change management tickets.
Network engineering teams enabling IP forwarding on Linux-based routers, firewalls, or VPN concentrators as part of planned infrastructure changes.
Security operations running Scapy-based network diagnostic or packet crafting tools during incident response investigations on isolated segments.

Sumo Logic CSE

sql

(_sourceCategory=*windows/sysmon* OR _sourceCategory=*windows/security* OR _sourceCategory=*linux/secure* OR _sourceCategory=*linux/audit* OR _sourceCategory=*endpoint*)
| where _raw matches /(?i)(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain|ip_forward|arp\.exe|netsh|scapy|sendp)/
| parse regex "(?i)(?:Image|process_name|exe)(?:>|=|\")\s*(?P<process>[^\s<\"]+)" nodrop
| parse regex "(?i)(?:CommandLine|cmdline|command)(?:>|=|\")\s*(?P<cmdline>[^<\"]{1,512})" nodrop
| parse regex "(?i)(?:User|uid|acct)(?:>|=|\")\s*(?P<user>[^<\"\s]+)" nodrop
| parse regex "(?i)(?:ParentImage|parent_image)(?:>|=|\")\s*(?P<parent_process>[^<\"]+)" nodrop
| if(isNull(process), "", toLowerCase(process)) as process
| if(isNull(cmdline), "", toLowerCase(cmdline)) as cmdline
| if(isNull(user), "unknown", user) as user
| if(isNull(parent_process), "", toLowerCase(parent_process)) as parent_process
| where process matches /(?i).*(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain).*/ OR
  (process matches /(?i).*python[3]?.*/ AND cmdline matches /(?i).*(arp\(|arp_poison|arp-poison|sendp\(|from scapy|import scapy).*/) OR
  (process matches /(?i).*arp\.exe.*/ AND cmdline matches /(?i).*(-s|/s)\s+\d{1,3}\..*/) OR
  (process matches /(?i).*netsh\.exe.*/ AND cmdline matches /(?i).*forwarding.*/ AND cmdline matches /(?i).*enable.*/) OR
  (cmdline matches /.*ip_forward.*/ AND cmdline matches /.*(=1|= 1).*/)
| eval detection_type = if(process matches /(?i).*(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain).*/, "known_arp_tool",
    if(process matches /(?i).*python[3]?.*/ AND cmdline matches /(?i).*(arp\(|arp_poison|sendp\(|from scapy|import scapy).*/, "python_scapy_arp",
    if(process matches /(?i).*arp\.exe.*/ AND cmdline matches /(-s|/s)\s/, "arp_static_entry",
    if(process matches /(?i).*netsh\.exe.*/ AND cmdline matches /forwarding/ AND cmdline matches /enable/, "windows_ip_forward_enabled",
    if(cmdline matches /ip_forward/ AND cmdline matches /(=1|= 1)/, "linux_ip_forward_enabled", "unclassified")))))
| where detection_type != "unclassified"
| count by _messageTime, _sourceHost, user, process, cmdline, parent_process, detection_type
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sumo Logic Installed Collector (Linux) Sysmon for Windows via Sumo Logic source Linux auditd/syslog via Sumo Logic source Sumo Logic Cloud SIEM Enterprise (normalized)

Required Tables

_sourceCategory=*windows/sysmon* _sourceCategory=*windows/security* _sourceCategory=*linux/secure* _sourceCategory=*linux/audit*

False Positives

Red team or penetration testers using ettercap, bettercap, or arpspoof during authorized assessments within a defined change window — validate against approved testing schedule.
Network administrators creating static ARP entries via arp.exe -s as a defensive measure to protect gateway or DNS server MAC bindings from spoofing.
DevOps or platform engineers enabling ip_forward on container hosts (Docker, Kubernetes nodes) or Linux-based network appliances during infrastructure provisioning.

Google Chronicle / SecOps

yaral

rule T1557_002_ARP_Cache_Poisoning {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects ARP cache poisoning activity via known tool execution, Python Scapy ARP manipulation, arp.exe static entry modification, and IP forwarding enablement as a MITM prerequisite."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1557.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1557/002/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|arpflood|yersinia|cain)`) or
      re.regex($e.target.process.command_line, `(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|yersinia|cain)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(python3?\.exe|/python3?$)`) and
        re.regex($e.target.process.command_line, `(?i)(ARP\(|arp_poison|arp\-poison|sendp\(|Ether\(dst|from scapy|import scapy)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)arp\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(\s\-s\s|\s/s\s|^\-s\s|^/s\s)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)forwarding`) and
        re.regex($e.target.process.command_line, `(?i)enable`)
      ) or
      (
        re.regex($e.target.process.command_line, `(?i)ip_forward`) and
        re.regex($e.target.process.command_line, `=\s*1`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Event Forwarding ingested via Chronicle Linux auditd/syslog ingested via Chronicle CrowdStrike Falcon via Chronicle integration Carbon Black via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH)

False Positives

Authorized penetration testing teams using bettercap or ettercap during scheduled engagements — correlate alert time with approved penetration testing change tickets.
Security tooling pipelines running Scapy-based automated network tests or packet validation scripts in CI/CD environments with non-production network access.
Linux infrastructure automation (Ansible, Terraform provisioners) enabling ip_forward on router or NAT gateway nodes as part of validated infrastructure-as-code runs.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|arpflood|yersinia|cain|\/arp\.exe$|\\arp\.exe$|\/netsh\.exe$|\\netsh\.exe$|python3?(\.exe)?$)/
    OR CommandLine = /(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|yersinia|ARP\(|arp_poison|sendp\(|from scapy|import scapy|ip_forward[^a-z])/
| eval is_arp_tool = if(ImageFileName = /(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|arpflood|yersinia|cain)/, 1, 0)
| eval is_scapy = if(ImageFileName = /(?i)python3?(\.exe)?$/ AND CommandLine = /(?i)(ARP\(|arp_poison|arp\-poison|sendp\(|Ether\(dst|from scapy|import scapy)/, 1, 0)
| eval is_arp_static = if(ImageFileName = /(?i)(\\|\/)arp\.exe$/ AND CommandLine = /(?i)(\s\-s\s|\s\/s\s)/, 1, 0)
| eval is_win_ipfwd = if(ImageFileName = /(?i)(\\|\/)netsh\.exe$/ AND CommandLine = /(?i)forwarding/ AND CommandLine = /(?i)enabl/, 1, 0)
| eval is_linux_ipfwd = if(CommandLine = /(?i)ip_forward/ AND CommandLine = /=\s*1/, 1, 0)
| eval detection_type = case(
    is_arp_tool = 1, "known_arp_tool",
    is_scapy = 1, "python_scapy_arp",
    is_arp_static = 1, "arp_static_entry",
    is_win_ipfwd = 1, "windows_ip_forward_enabled",
    is_linux_ipfwd = 1, "linux_ip_forward_enabled",
    true(), null()
  )
| where isNotNull(detection_type)
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, detection_type, aid])
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2) CrowdStrike Falcon LogScale Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Red team operators using Falcon-excluded whitelisted tools on sanctioned assessment targets — confirm against Falcon exclusion policies and change management records.
Network security researchers running Scapy on dedicated analysis workstations with CrowdStrike sensor in monitoring-only mode during approved research windows.
Cloud infrastructure automation enabling IP forwarding on Falcon-protected Kubernetes worker nodes or Linux-based NAT gateways during planned provisioning cycles.

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1557.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB Relay T1557.003DHCP Spoofing T1557.004Evil Twin

ARP Cache Poisoning

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections