T1557.002 CrowdStrike LogScale · LogScale

Detect ARP Cache Poisoning in CrowdStrike LogScale

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. The stateless, unauthenticated nature of ARP means devices accept unsolicited replies, enabling gratuitous ARP broadcast attacks against entire subnets. Used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and LuminousMoth for traffic redirection to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040).

MITRE ATT&CK

Tactic
Credential Access Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.002 ARP Cache Poisoning
Canonical reference
https://attack.mitre.org/techniques/T1557/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|arpflood|yersinia|cain|\/arp\.exe$|\\arp\.exe$|\/netsh\.exe$|\\netsh\.exe$|python3?(\.exe)?$)/
    OR CommandLine = /(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|yersinia|ARP\(|arp_poison|sendp\(|from scapy|import scapy|ip_forward[^a-z])/
| eval is_arp_tool = if(ImageFileName = /(?i)(arpspoof|ettercap|bettercap|nemesis|arp\-sk|arpflood|yersinia|cain)/, 1, 0)
| eval is_scapy = if(ImageFileName = /(?i)python3?(\.exe)?$/ AND CommandLine = /(?i)(ARP\(|arp_poison|arp\-poison|sendp\(|Ether\(dst|from scapy|import scapy)/, 1, 0)
| eval is_arp_static = if(ImageFileName = /(?i)(\\|\/)arp\.exe$/ AND CommandLine = /(?i)(\s\-s\s|\s\/s\s)/, 1, 0)
| eval is_win_ipfwd = if(ImageFileName = /(?i)(\\|\/)netsh\.exe$/ AND CommandLine = /(?i)forwarding/ AND CommandLine = /(?i)enabl/, 1, 0)
| eval is_linux_ipfwd = if(CommandLine = /(?i)ip_forward/ AND CommandLine = /=\s*1/, 1, 0)
| eval detection_type = case(
    is_arp_tool = 1, "known_arp_tool",
    is_scapy = 1, "python_scapy_arp",
    is_arp_static = 1, "arp_static_entry",
    is_win_ipfwd = 1, "windows_ip_forward_enabled",
    is_linux_ipfwd = 1, "linux_ip_forward_enabled",
    true(), null()
  )
| where isNotNull(detection_type)
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, detection_type, aid])
| sort(field=timestamp, order=desc)
high severity high confidence

CrowdStrike LogScale (Falcon) query detecting ARP cache poisoning activity (T1557.002) via ProcessRollup2 events. Identifies known ARP poisoning tool execution (arpspoof, ettercap, bettercap, yersinia), Python Scapy ARP packet crafting, arp.exe static entry manipulation, and IP forwarding enablement on both Windows (netsh) and Linux (sysctl ip_forward) as MITM prerequisites.

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2)CrowdStrike Falcon LogScaleFalcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • Red team operators using Falcon-excluded whitelisted tools on sanctioned assessment targets — confirm against Falcon exclusion policies and change management records.
  • Network security researchers running Scapy on dedicated analysis workstations with CrowdStrike sensor in monitoring-only mode during approved research windows.
  • Cloud infrastructure automation enabling IP forwarding on Falcon-protected Kubernetes worker nodes or Linux-based NAT gateways during planned provisioning cycles.
Download portable Sigma rule (.yml)

Other platforms for T1557.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1ARP Cache Poisoning via arpspoof with IP Forwarding (Linux)

    Expected signal: Linux syslog/auditd: process creation events for 'tee' with command 'echo 1 | tee /proc/sys/net/ipv4/ip_forward', followed by 'arpspoof' with arguments '-i lo -t 127.0.0.2 127.0.0.1'. Sysmon for Linux (if deployed): Event ID 1 with Image=/usr/sbin/arpspoof. The /proc/sys/net/ipv4/ip_forward file changes from 0 to 1, detectable via file integrity monitoring or auditd watch on /proc/sys/net/ipv4/.

  2. Test 2Python Scapy Gratuitous ARP Reply Broadcast (Linux/Windows)

    Expected signal: Sysmon Event ID 1 (if deployed on Linux) or Linux syslog: python3 process creation with CommandLine containing 'from scapy.all import ARP', 'sendp(', and 'ARP(' keywords. Network-layer: 3 ARP broadcast frames on loopback interface capturable via tcpdump. Sysmon Event ID 3: python3 network activity on loopback.

  3. Test 3Windows ARP Static Entry Injection via arp.exe

    Expected signal: Security Event ID 4688 (requires process command line auditing via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Detailed Tracking > Audit Process Creation + Enable Command Line in Process Creation Events): NewProcessName=C:\Windows\System32\arp.exe, ProcessCommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff'. Sysmon Event ID 1: Image=arp.exe, CommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff', ParentImage=cmd.exe.

  4. Test 4Windows IP Forwarding Enablement via Netsh (MITM Prerequisite)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine='netsh interface ipv4 set interface Ethernet forwarding=enabled', ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled) with same details. Registry modification (Sysmon Event ID 13) at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}: IPEnableRouter value set to 1.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1557.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1557.003DHCP SpoofingT1557.004Evil Twin

Related Techniques

T1557Adversary-in-the-MiddleT1040Network SniffingT1565.002Transmitted Data ManipulationT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1550.002Pass the HashT1110.002Password CrackingT1090.001Internal ProxyT1056.001Keylogging

Same Tactic: Credential Access

Popular Detections