Detect ARP Cache Poisoning in Microsoft Sentinel
Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. Because ARP is stateless and unauthenticated, devices accept unsolicited replies, so gratuitous ARP broadcasts can poison an entire subnet at once. The technique has been used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and by LuminousMoth to redirect traffic to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040).
MITRE ATT&CK
- Tactic
- Credential Access, Collection
- Technique
- T1557 Adversary-in-the-Middle
- Sub-technique
- T1557.002 ARP Cache Poisoning
- Canonical reference
- https://attack.mitre.org/techniques/T1557/002/
KQL Detection Query
let ARPPoisoningTools = dynamic(["arpspoof", "ettercap", "bettercap", "nemesis", "arp-sk", "arpflood", "yersinia", "cain"]);
let ScapyARPPatterns = dynamic(["ARP(", "arp_poison", "arp-poison", "sendp(", "Ether(dst", "scapy"]);
// Known ARP poisoning tool execution
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ARPPoisoningTools)
or ProcessCommandLine has_any (ARPPoisoningTools)
| extend DetectionType = "Known ARP Poisoning Tool";
// Python scapy-based ARP packet injection
let ScapyARP = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python.exe", "python3.exe", "python", "python3")
| where ProcessCommandLine has_any (ScapyARPPatterns)
| extend DetectionType = "Python Scapy ARP Manipulation";
// Static ARP entry manipulation via arp.exe (Windows)
let ARPStaticEntry = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "arp.exe"
| where ProcessCommandLine has_any ("-s ", "/s ")
| extend DetectionType = "ARP Static Entry Modification";
// IP forwarding enablement via netsh (Windows MITM prerequisite)
let IPForwardingNetsh = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has "forwarding"
and ProcessCommandLine has_any ("enable", "enabled")
| extend DetectionType = "IP Forwarding Enabled via Netsh";
// IP forwarding enablement via sysctl (Linux MITM prerequisite).
// Matches the sysctl form (net.ipv4.ip_forward=1) as well as the
// `echo 1 | tee /proc/sys/net/ipv4/ip_forward` form used by Test 1 below:
// the shell's command line carries "echo 1" but no "=1", and tee's own
// command line is only the target path, so both would otherwise be missed.
let LinuxIPForward = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sysctl", "bash", "sh", "zsh", "tee")
| where ProcessCommandLine has "ip_forward"
and (FileName =~ "tee"
or ProcessCommandLine has "=1"
or ProcessCommandLine has "= 1"
or ProcessCommandLine has "echo 1")
| extend DetectionType = "Linux IP Forwarding Enabled";
union ToolExecution, ScapyARP, ARPStaticEntry, IPForwardingNetsh, LinuxIPForward
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType
| sort by Timestamp desc

Detects ARP cache poisoning activity through multiple host-based telemetry signals in Microsoft Defender for Endpoint. Identifies execution of known ARP poisoning tools (arpspoof, ettercap, bettercap, nemesis, yersinia), Python scapy-based ARP packet crafting, static ARP entry modification via arp.exe, and IP forwarding enablement on both Windows (netsh) and Linux (sysctl), the near-universal prerequisite for effective MITM. All sub-queries are unioned into a single alert stream with DetectionType labels for analyst triage. Confidence is medium because host-based telemetry captures tool execution but not the underlying ARP packet injection at the network layer.
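As an added example (not code from the original page), the following Python re-implements the five sub-queries over constructed DeviceProcessEvents-style rows, so the matching logic can be exercised offline before the KQL is deployed. It assumes the column names the query itself uses, approximates KQL `has` term matching, and applies the kind of per-host suppression the False Positives section below calls for. The hosts, accounts and timestamps are constructed samples (the `arp -s` and `netsh` command lines reuse the values from the Testing Methodology section). It also accepts the `echo 1 | tee .../ip_forward` form from Test 1, which a bare `=1` condition does not cover.

```python
import re

# Indicator lists copied from the KQL query above.
ARP_POISONING_TOOLS = ["arpspoof", "ettercap", "bettercap", "nemesis",
                       "arp-sk", "arpflood", "yersinia", "cain"]
SCAPY_ARP_PATTERNS = ["ARP(", "arp_poison", "arp-poison", "sendp(", "Ether(dst", "scapy"]
PYTHON_NAMES = {"python.exe", "python3.exe", "python", "python3"}
LINUX_WRITERS = {"sysctl", "bash", "sh", "zsh", "tee"}

TOKEN = re.compile(r"[a-z0-9_]+")


def has(text, needle):
    """Approximation of KQL `has`: a needle made only of alphanumerics/underscore
    must appear as a whole term; a needle with other characters ("ARP(", "=1",
    "-s ") falls back to a case-insensitive substring test. Kusto's exact term
    rules differ in corner cases (assumption, adequate for this demo)."""
    text, needle = text.lower(), needle.lower()
    if TOKEN.fullmatch(needle):
        return needle in TOKEN.findall(text)
    return needle in text


def has_any(text, needles):
    return any(has(text, n) for n in needles)


def classify(ev):
    """DetectionType labels the five KQL sub-queries would assign to one
    DeviceProcessEvents row. A row can satisfy several sub-queries, and the KQL
    union then emits it once per label, which is mirrored here."""
    name, cmd = ev["FileName"].lower(), ev["ProcessCommandLine"]
    labels = []
    if has_any(name, ARP_POISONING_TOOLS) or has_any(cmd, ARP_POISONING_TOOLS):
        labels.append("Known ARP Poisoning Tool")
    if name in PYTHON_NAMES and has_any(cmd, SCAPY_ARP_PATTERNS):
        labels.append("Python Scapy ARP Manipulation")
    if name == "arp.exe" and has_any(cmd, ["-s ", "/s "]):
        labels.append("ARP Static Entry Modification")
    if name == "netsh.exe" and has(cmd, "forwarding") and has_any(cmd, ["enable", "enabled"]):
        labels.append("IP Forwarding Enabled via Netsh")
    # tee's own command line is only the target path, and the `echo 1 | tee`
    # form carries no "=1", so both are accepted alongside the sysctl form.
    if name in LINUX_WRITERS and has(cmd, "ip_forward") and (
            name == "tee" or has_any(cmd, ["=1", "= 1", "echo 1"])):
        labels.append("Linux IP Forwarding Enabled")
    return labels


def detect(events, suppressions=frozenset()):
    """Union of the sub-queries with tuning applied: a (DeviceName, DetectionType)
    pair listed in `suppressions` is dropped; the rest is returned newest first."""
    hits = []
    for ev in events:
        for label in classify(ev):
            if (ev["DeviceName"], label) not in suppressions:
                hits.append({**ev, "DetectionType": label})
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)


def _ev(ts, device, account, name, cmd, parent):
    return {"Timestamp": ts, "DeviceName": device, "AccountName": account,
            "FileName": name, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": parent}


# Constructed sample rows (hypothetical hosts, accounts and timestamps).
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "lab-linux-01", "root", "bash",
        "bash -c 'echo 1 | tee /proc/sys/net/ipv4/ip_forward'", "sshd"),
    _ev("2024-05-01T10:00:01Z", "lab-linux-01", "root", "tee",
        "tee /proc/sys/net/ipv4/ip_forward", "bash"),
    _ev("2024-05-01T10:00:05Z", "lab-linux-01", "root", "arpspoof",
        "arpspoof -i eth0 -t 192.0.2.10 192.0.2.1", "bash"),
    _ev("2024-05-01T10:01:00Z", "ws-0042", "jdoe", "arp.exe",
        "arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff", "cmd.exe"),
    _ev("2024-05-01T10:02:00Z", "ws-0042", "jdoe", "netsh.exe",
        "netsh interface ipv4 set interface Ethernet forwarding=enabled", "cmd.exe"),
    _ev("2024-05-01T10:03:00Z", "ws-0042", "jdoe", "python.exe",
        'python.exe -c "from scapy.all import ARP, Ether, sendp; sendp(Ether(dst=...)/ARP(...))"',
        "cmd.exe"),
    _ev("2024-05-01T10:04:00Z", "k8s-node-01", "root", "sysctl",
        "sysctl -w net.ipv4.ip_forward=1", "kubelet"),
    _ev("2024-05-01T10:05:00Z", "dev-box-07", "asmith", "python3",
        "python3 -m pip install scapy", "bash"),
    _ev("2024-05-01T10:06:00Z", "ws-0042", "jdoe", "arp.exe", "arp -a", "cmd.exe"),
]

# Tuning from the false-positive list: this node legitimately routes traffic.
SUPPRESSIONS = frozenset({("k8s-node-01", "Linux IP Forwarding Enabled")})

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS, SUPPRESSIONS):
        print(f'{h["Timestamp"]} {h["DeviceName"]:<13} {h["DetectionType"]:<32} {h["ProcessCommandLine"]}')
```

Running it yields seven hits. Two are worth noticing during tuning: the `pip install scapy` on dev-box-07 fires the Python Scapy rule only because the bare term `scapy` is in the pattern list, which is the false positive the tuning section describes, and the `sysctl` on the Kubernetes node is dropped by the suppression list rather than by weakening the rule, so the same command on any other host still alerts.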
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint process creation telemetry; the query reads FileName, ProcessCommandLine, InitiatingProcessFileName and InitiatingProcessCommandLine from it)
False Positives & Tuning
- Network administrators using arp.exe -s to configure static ARP entries as a legitimate defense against ARP poisoning or to maintain persistent MAC-to-IP mappings for critical infrastructure devices such as printers and servers
- Authorized penetration testers or red teams executing ettercap, bettercap, or arpspoof during sanctioned network security assessments — always verify against active change management or pen test engagement tickets covering the source device and network segment
- Multi-homed Linux servers, container orchestration nodes (Kubernetes, Docker Swarm), and VPN gateway hosts that legitimately require ip_forward=1 for packet routing and NAT functionality
- Python network automation engineers or security researchers using scapy for legitimate packet crafting, NIDS signature testing, or network protocol development in lab environments
- Network monitoring solutions (arpwatch, XArp, commercial NAC products) that use ARP-related binary names or scapy internally for passive ARP anomaly detection without injecting forged replies
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: ARP Cache Poisoning via arpspoof with IP Forwarding (Linux)
Expected signal: Linux syslog/auditd: process creation events for 'tee' with command 'echo 1 | tee /proc/sys/net/ipv4/ip_forward', followed by 'arpspoof' with arguments '-i lo -t 127.0.0.2 127.0.0.1'. Sysmon for Linux (if deployed): Event ID 1 with Image=/usr/sbin/arpspoof. The /proc/sys/net/ipv4/ip_forward file changes from 0 to 1, detectable via file integrity monitoring or auditd watch on /proc/sys/net/ipv4/.
- Test 2: Python Scapy Gratuitous ARP Reply Broadcast (Linux/Windows)
Expected signal: Sysmon Event ID 1 (if deployed on Linux) or Linux syslog: python3 process creation with CommandLine containing 'from scapy.all import ARP', 'sendp(', and 'ARP(' keywords. Network-layer: 3 ARP broadcast frames on loopback interface capturable via tcpdump. Sysmon Event ID 3: python3 network activity on loopback.
- Test 3: Windows ARP Static Entry Injection via arp.exe
Expected signal: Security Event ID 4688 (requires process command line auditing via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Detailed Tracking > Audit Process Creation + Enable Command Line in Process Creation Events): NewProcessName=C:\Windows\System32\arp.exe, ProcessCommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff'. Sysmon Event ID 1: Image=arp.exe, CommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff', ParentImage=cmd.exe.
- Test 4: Windows IP Forwarding Enablement via Netsh (MITM Prerequisite)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine='netsh interface ipv4 set interface Ethernet forwarding=enabled', ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled) with same details. Registry modification (Sysmon Event ID 13) at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}: IPEnableRouter value set to 1.
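The query sees the processes that set up a poisoning attack but, as the confidence note says, not the forged ARP replies themselves; Test 2 points at the network layer (ARP frames capturable with tcpdump). The following Python is an added example, not part of the original page and not arpwatch's code: a minimal passive ARP monitor in the arpwatch style that is fed ARP replies (constructed inline here rather than sniffed) and raises the signals a poisoned segment produces: a pinned gateway mapping contradicted by a reply, an IP whose MAC flips, one MAC claiming several IPs, and a burst of gratuitous replies. The addresses, thresholds and window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sniffer would hand it over (constructed, not captured)."""
    ts: float         # seconds since capture start
    sender_ip: str    # IP the sender claims
    sender_mac: str   # MAC it wants cached for that IP
    target_ip: str    # gratuitous when target_ip == sender_ip


class ArpMonitor:
    """Passive IP-to-MAC consistency checker in the style of arpwatch."""

    def __init__(self, trusted=None, gratuitous_threshold=5, window=10.0):
        self.trusted = dict(trusted or {})        # pinned IP -> MAC (e.g. the default gateway)
        self.ip_to_mac = dict(self.trusted)       # learned table, seeded with the pins
        self.mac_to_ips = defaultdict(set)        # every IP a MAC has claimed
        self.gratuitous = defaultdict(list)       # MAC -> recent gratuitous-reply timestamps
        self.threshold = gratuitous_threshold
        self.window = window

    def observe(self, r):
        """Feed one reply; returns the alerts it triggered (possibly none)."""
        alerts = []
        known = self.ip_to_mac.get(r.sender_ip)
        if known is None:
            self.ip_to_mac[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            if r.sender_ip in self.trusted:
                # Never follow a change to a pinned mapping; every such reply is evidence.
                alerts.append(f"pinned mapping contradicted: {r.sender_ip} is {known}, "
                              f"reply claims {r.sender_mac}")
            else:
                alerts.append(f"flip-flop: {r.sender_ip} moved from {known} to {r.sender_mac}")
                self.ip_to_mac[r.sender_ip] = r.sender_mac  # follow it and keep watching
        ips = self.mac_to_ips[r.sender_mac]
        if r.sender_ip not in ips:
            ips.add(r.sender_ip)
            if len(ips) > 1:
                alerts.append(f"one MAC claims several IPs: {r.sender_mac} -> {sorted(ips)}")
        if r.target_ip == r.sender_ip:
            recent = [t for t in self.gratuitous[r.sender_mac] if r.ts - t <= self.window]
            recent.append(r.ts)
            self.gratuitous[r.sender_mac] = recent
            if len(recent) == self.threshold:
                alerts.append(f"gratuitous ARP burst: {len(recent)} replies from "
                              f"{r.sender_mac} in {self.window:g}s")
        return alerts


def run(replies, trusted):
    """Replay replies in time order; returns (timestamp, alert) pairs."""
    mon = ArpMonitor(trusted=trusted)
    return [(r.ts, a) for r in sorted(replies, key=lambda x: x.ts) for a in mon.observe(r)]


# Constructed sample: a pinned gateway, one normal host, then a second MAC that
# claims the gateway and the host and finally floods gratuitous replies.
GATEWAY = {"192.0.2.1": "00:11:22:33:44:01"}
SAMPLE = [
    ArpReply(0.0, "192.0.2.10", "aa:bb:cc:dd:ee:10", "192.0.2.1"),
    ArpReply(1.0, "192.0.2.1", "00:11:22:33:44:01", "192.0.2.10"),
    ArpReply(2.0, "192.0.2.1", "de:ad:be:ef:00:01", "192.0.2.10"),
    ArpReply(3.0, "192.0.2.10", "de:ad:be:ef:00:01", "192.0.2.1"),
] + [ArpReply(4.0 + i, "192.0.2.1", "de:ad:be:ef:00:01", "192.0.2.1") for i in range(5)]

if __name__ == "__main__":
    for ts, alert in run(SAMPLE, GATEWAY):
        print(f"t={ts:4.1f}s  {alert}")
```

Hosts with several addresses on one interface, and failover schemes that move an IP between NICs by announcing it with gratuitous ARP, will trip the last two checks legitimately, so pin only stable infrastructure mappings (gateway, DNS, domain controllers) and allowlist known movers, the same way the False Positives section tunes the host-based query.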
References
- https://attack.mitre.org/techniques/T1557/002/
- https://tools.ietf.org/html/rfc826
- https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411
- https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.002/T1557.002.md
- https://linux.die.net/man/8/arpspoof
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-dynamic-arp-inspection
- https://scapy.readthedocs.io/en/latest/usage.html#arp-ping
- https://www.cisecurity.org/controls/v8/
- https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in