T1557.002 IBM QRadar · QRadar

Detect ARP Cache Poisoning in IBM QRadar

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. The stateless, unauthenticated nature of ARP means devices accept unsolicited replies, enabling gratuitous ARP broadcast attacks against entire subnets. Used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and LuminousMoth for traffic redirection to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040).

MITRE ATT&CK

Tactic
Credential Access Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.002 ARP Cache Poisoning
Canonical reference
https://attack.mitre.org/techniques/T1557/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS src_ip,
  username AS user,
  "process" AS process_name,
  "cmdline" AS command_line,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  CASE
    WHEN LOWER("process") SIMILAR TO '%(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain)%'
      THEN 'known_arp_tool'
    WHEN LOWER("process") SIMILAR TO '%(python|python3)%'
         AND LOWER("cmdline") SIMILAR TO '%(arp(|arp_poison|arp-poison|sendp(|from scapy|import scapy)%'
      THEN 'python_scapy_arp'
    WHEN LOWER("process") SIMILAR TO '%arp.exe%'
         AND LOWER("cmdline") SIMILAR TO '%( -s | /s )%'
      THEN 'arp_static_entry'
    WHEN LOWER("process") SIMILAR TO '%netsh.exe%'
         AND LOWER("cmdline") SIMILAR TO '%forwarding%'
         AND LOWER("cmdline") SIMILAR TO '%enable%'
      THEN 'windows_ip_forwarding_enabled'
    WHEN LOWER("cmdline") SIMILAR TO '%ip_forward%'
         AND (LOWER("cmdline") SIMILAR TO '%=1%' OR LOWER("cmdline") SIMILAR TO '%= 1%')
      THEN 'linux_ip_forwarding_enabled'
    ELSE 'unknown'
  END AS detection_type
FROM events
WHERE
  (
    LOGSOURCETYPEID IN (12, 29, 214, 352, 433)
    OR CATEGORYNAME(category) IN ('Operating System', 'Authentication', 'Host Definition')
  )
  AND
  (
    LOWER("process") SIMILAR TO '%(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain)%'
    OR
    (
      LOWER("process") SIMILAR TO '%(python|python3)%'
      AND LOWER("cmdline") SIMILAR TO '%(arp(|arp_poison|sendp(|from scapy|import scapy)%'
    )
    OR
    (
      LOWER("process") SIMILAR TO '%arp.exe%'
      AND LOWER("cmdline") SIMILAR TO '%( -s | /s )%'
    )
    OR
    (
      LOWER("process") SIMILAR TO '%netsh.exe%'
      AND LOWER("cmdline") SIMILAR TO '%forwarding%'
      AND LOWER("cmdline") SIMILAR TO '%enable%'
    )
    OR
    (
      LOWER("cmdline") SIMILAR TO '%ip_forward%'
      AND (LOWER("cmdline") SIMILAR TO '%=1%' OR LOWER("cmdline") SIMILAR TO '%= 1%')
    )
  )
LAST 24 HOURS
high severity medium confidence

AQL rule detecting ARP cache poisoning tool execution, Scapy-based ARP packet injection, arp.exe static entry manipulation, and IP forwarding enablement (Windows and Linux) as indicators of adversary-in-the-middle staging for T1557.002.

Data Sources

IBM QRadar SIEMWindows Security Event Log (WinCollect/WEF)Sysmon via WinCollectLinux auditd via syslogDSM: Microsoft Windows Security Event LogDSM: Linux OS

Required Tables

events

False Positives & Tuning

  • Authorized internal penetration testing teams running ettercap or bettercap during scheduled assessments — correlate with change management tickets.
  • Network engineering teams enabling IP forwarding on Linux-based routers, firewalls, or VPN concentrators as part of planned infrastructure changes.
  • Security operations running Scapy-based network diagnostic or packet crafting tools during incident response investigations on isolated segments.
Download portable Sigma rule (.yml)

Other platforms for T1557.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1ARP Cache Poisoning via arpspoof with IP Forwarding (Linux)

    Expected signal: Linux syslog/auditd: process creation events for 'tee' with command 'echo 1 | tee /proc/sys/net/ipv4/ip_forward', followed by 'arpspoof' with arguments '-i lo -t 127.0.0.2 127.0.0.1'. Sysmon for Linux (if deployed): Event ID 1 with Image=/usr/sbin/arpspoof. The /proc/sys/net/ipv4/ip_forward file changes from 0 to 1, detectable via file integrity monitoring or auditd watch on /proc/sys/net/ipv4/.

  2. Test 2Python Scapy Gratuitous ARP Reply Broadcast (Linux/Windows)

    Expected signal: Sysmon Event ID 1 (if deployed on Linux) or Linux syslog: python3 process creation with CommandLine containing 'from scapy.all import ARP', 'sendp(', and 'ARP(' keywords. Network-layer: 3 ARP broadcast frames on loopback interface capturable via tcpdump. Sysmon Event ID 3: python3 network activity on loopback.

  3. Test 3Windows ARP Static Entry Injection via arp.exe

    Expected signal: Security Event ID 4688 (requires process command line auditing via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Detailed Tracking > Audit Process Creation + Enable Command Line in Process Creation Events): NewProcessName=C:\Windows\System32\arp.exe, ProcessCommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff'. Sysmon Event ID 1: Image=arp.exe, CommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff', ParentImage=cmd.exe.

  4. Test 4Windows IP Forwarding Enablement via Netsh (MITM Prerequisite)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine='netsh interface ipv4 set interface Ethernet forwarding=enabled', ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled) with same details. Registry modification (Sysmon Event ID 13) at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}: IPEnableRouter value set to 1.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1557.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1557.003DHCP SpoofingT1557.004Evil Twin

Related Techniques

T1557Adversary-in-the-MiddleT1040Network SniffingT1565.002Transmitted Data ManipulationT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1550.002Pass the HashT1110.002Password CrackingT1090.001Internal ProxyT1056.001Keylogging

Same Tactic: Credential Access

Popular Detections