Which SIEM platforms have a T1557.002 detection rule?

df00tech provides T1557.002 (ARP Cache Poisoning) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect ARP Cache Poisoning (T1557.002)?

Detecting ARP Cache Poisoning requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1557.002 detection?

The T1557.002 detection is rated high severity with medium confidence.

What are common false positives for T1557.002?

Common false positives for T1557.002 include: Network administrators using arp.exe -s to configure static ARP entries as a legitimate defense against ARP poisoning or to maintain persistent MAC-to-IP mappings for critical infrastructure devices such as printers and servers; Authorized penetration testers or red teams executing ettercap, bettercap, or arpspoof during sanctioned network security assessments — always verify against active change management or pen test engagement tickets covering the source device and network segment; Multi-homed Linux servers, container orchestration nodes (Kubernetes, Docker Swarm), and VPN gateway hosts that legitimately require ip_forward=1 for packet routing and NAT functionality.

T1557.002 Google Chronicle · YARA-L

Detect ARP Cache Poisoning in Google Chronicle

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. The stateless, unauthenticated nature of ARP means devices accept unsolicited replies, enabling gratuitous ARP broadcast attacks against entire subnets. Used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and LuminousMoth for traffic redirection to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040).

MITRE ATT&CK

Tactic: Credential Access Collection
Technique: T1557 Adversary-in-the-Middle
Sub-technique: T1557.002 ARP Cache Poisoning
Canonical reference: https://attack.mitre.org/techniques/T1557/002/

YARA-L Detection Query

Google Chronicle (YARA-L)

yaral

rule T1557_002_ARP_Cache_Poisoning {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects ARP cache poisoning activity via known tool execution, Python Scapy ARP manipulation, arp.exe static entry modification, and IP forwarding enablement as a MITM prerequisite."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1557.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1557/002/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|arpflood|yersinia|cain)`) or
      re.regex($e.target.process.command_line, `(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|yersinia|cain)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(python3?\.exe|/python3?$)`) and
        re.regex($e.target.process.command_line, `(?i)(ARP\(|arp_poison|arp\-poison|sendp\(|Ether\(dst|from scapy|import scapy)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)arp\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(\s\-s\s|\s/s\s|^\-s\s|^/s\s)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)forwarding`) and
        re.regex($e.target.process.command_line, `(?i)enable`)
      ) or
      (
        re.regex($e.target.process.command_line, `(?i)ip_forward`) and
        re.regex($e.target.process.command_line, `=\s*1`)
      )
    )

  condition:
    $e
}

high severity high confidence

Chronicle YARA-L 2.0 rule detecting ARP cache poisoning indicators (T1557.002) including known ARP tool execution, Python Scapy-based ARP injection, Windows arp.exe static entry creation, netsh IP forwarding enablement, and Linux ip_forward sysctl modification. Matches against UDM PROCESS_LAUNCH events.

Data Sources

Google Chronicle SIEMChronicle Unified Data Model (UDM)Windows Event Forwarding ingested via ChronicleLinux auditd/syslog ingested via ChronicleCrowdStrike Falcon via Chronicle integrationCarbon Black via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH)

False Positives & Tuning

Authorized penetration testing teams using bettercap or ettercap during scheduled engagements — correlate alert time with approved penetration testing change tickets.
Security tooling pipelines running Scapy-based automated network tests or packet validation scripts in CI/CD environments with non-production network access.
Linux infrastructure automation (Ansible, Terraform provisioners) enabling ip_forward on router or NAT gateway nodes as part of validated infrastructure-as-code runs.

Download portable Sigma rule (.yml)

Other platforms for T1557.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1ARP Cache Poisoning via arpspoof with IP Forwarding (Linux)
Expected signal: Linux syslog/auditd: process creation events for 'tee' with command 'echo 1 | tee /proc/sys/net/ipv4/ip_forward', followed by 'arpspoof' with arguments '-i lo -t 127.0.0.2 127.0.0.1'. Sysmon for Linux (if deployed): Event ID 1 with Image=/usr/sbin/arpspoof. The /proc/sys/net/ipv4/ip_forward file changes from 0 to 1, detectable via file integrity monitoring or auditd watch on /proc/sys/net/ipv4/.
Test 2Python Scapy Gratuitous ARP Reply Broadcast (Linux/Windows)
Expected signal: Sysmon Event ID 1 (if deployed on Linux) or Linux syslog: python3 process creation with CommandLine containing 'from scapy.all import ARP', 'sendp(', and 'ARP(' keywords. Network-layer: 3 ARP broadcast frames on loopback interface capturable via tcpdump. Sysmon Event ID 3: python3 network activity on loopback.
Test 3Windows ARP Static Entry Injection via arp.exe
Expected signal: Security Event ID 4688 (requires process command line auditing via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Detailed Tracking > Audit Process Creation + Enable Command Line in Process Creation Events): NewProcessName=C:\Windows\System32\arp.exe, ProcessCommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff'. Sysmon Event ID 1: Image=arp.exe, CommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff', ParentImage=cmd.exe.
Test 4Windows IP Forwarding Enablement via Netsh (MITM Prerequisite)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine='netsh interface ipv4 set interface Ethernet forwarding=enabled', ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled) with same details. Registry modification (Sysmon Event ID 13) at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}: IPEnableRouter value set to 1.

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1557.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect ARP Cache Poisoning in Google Chronicle

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1557.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1557.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox