Detect ARP Cache Poisoning in Elastic Security
Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. The stateless, unauthenticated nature of ARP means devices accept unsolicited replies, enabling gratuitous ARP broadcast attacks against entire subnets. Used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and LuminousMoth for traffic redirection to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040).
MITRE ATT&CK
- Tactic
- Credential Access Collection
- Technique
- T1557 Adversary-in-the-Middle
- Sub-technique
- T1557.002 ARP Cache Poisoning
- Canonical reference
- https://attack.mitre.org/techniques/T1557/002/
Elastic Detection Query
process where event.type == "start" and (
process.name : ("arpspoof", "ettercap", "bettercap", "nemesis", "arp-sk", "arpflood", "yersinia", "cain") or
process.args : ("arpspoof", "ettercap", "bettercap", "nemesis", "arp-sk", "arpflood", "yersinia", "cain") or
(
process.name : ("python", "python3", "python.exe", "python3.exe") and
process.command_line : ("*ARP(*", "*arp_poison*", "*arp-poison*", "*sendp(*", "*Ether(dst*", "*from scapy*", "*import scapy*")
) or
(
process.name : "arp.exe" and
process.command_line : ("* -s *", "* /s *", "*-s *", "*/s *")
) or
(
process.name : "netsh.exe" and
process.command_line : "*forwarding*" and
process.command_line : ("*enable*", "*enabled*")
) or
(
process.name : ("sysctl", "bash", "sh", "zsh", "tee", "dash") and
process.command_line : "*ip_forward*" and
process.command_line : ("*=1*", "*= 1*")
)
)Detects ARP cache poisoning activity (T1557.002) via known ARP manipulation tool execution, Python Scapy-based packet injection, static ARP entry creation via arp.exe, and IP forwarding enablement as a MITM prerequisite on both Windows (netsh) and Linux (sysctl/proc).
Data Sources
Required Tables
False Positives & Tuning
- Network administrators legitimately using arpspoof or bettercap during authorized penetration testing or red team exercises on the local network segment.
- Security researchers and CTF participants running Scapy-based scripts in isolated lab environments for protocol analysis or education.
- System administrators adding persistent static ARP entries via arp.exe -s to protect critical servers from ARP spoofing attacks (defensive use).
- IT operations enabling IP forwarding on Linux routers or gateway hosts as part of legitimate routing infrastructure configuration (e.g., VPN gateways, NAT boxes).
Other platforms for T1557.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ARP Cache Poisoning via arpspoof with IP Forwarding (Linux)
Expected signal: Linux syslog/auditd: process creation events for 'tee' with command 'echo 1 | tee /proc/sys/net/ipv4/ip_forward', followed by 'arpspoof' with arguments '-i lo -t 127.0.0.2 127.0.0.1'. Sysmon for Linux (if deployed): Event ID 1 with Image=/usr/sbin/arpspoof. The /proc/sys/net/ipv4/ip_forward file changes from 0 to 1, detectable via file integrity monitoring or auditd watch on /proc/sys/net/ipv4/.
- Test 2Python Scapy Gratuitous ARP Reply Broadcast (Linux/Windows)
Expected signal: Sysmon Event ID 1 (if deployed on Linux) or Linux syslog: python3 process creation with CommandLine containing 'from scapy.all import ARP', 'sendp(', and 'ARP(' keywords. Network-layer: 3 ARP broadcast frames on loopback interface capturable via tcpdump. Sysmon Event ID 3: python3 network activity on loopback.
- Test 3Windows ARP Static Entry Injection via arp.exe
Expected signal: Security Event ID 4688 (requires process command line auditing via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Detailed Tracking > Audit Process Creation + Enable Command Line in Process Creation Events): NewProcessName=C:\Windows\System32\arp.exe, ProcessCommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff'. Sysmon Event ID 1: Image=arp.exe, CommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff', ParentImage=cmd.exe.
- Test 4Windows IP Forwarding Enablement via Netsh (MITM Prerequisite)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine='netsh interface ipv4 set interface Ethernet forwarding=enabled', ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled) with same details. Registry modification (Sysmon Event ID 13) at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}: IPEnableRouter value set to 1.
References (10)
- https://attack.mitre.org/techniques/T1557/002/
- https://tools.ietf.org/html/rfc826
- https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411
- https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.002/T1557.002.md
- https://linux.die.net/man/8/arpspoof
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-dynamic-arp-inspection
- https://scapy.readthedocs.io/en/latest/usage.html#arp-ping
- https://www.cisecurity.org/controls/v8/
- https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in
Unlock Pro Content
Get the full detection package for T1557.002 including response playbook, investigation guide, and atomic red team tests.