T1557.002 Splunk · SPL

Detect ARP Cache Poisoning in Splunk

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. The stateless, unauthenticated nature of ARP means devices accept unsolicited replies, enabling gratuitous ARP broadcast attacks against entire subnets. Used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and LuminousMoth for traffic redirection to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040).

MITRE ATT&CK

Tactic
Credential Access Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.002 ARP Cache Poisoning
Canonical reference
https://attack.mitre.org/techniques/T1557/002/

SPL Detection Query

Splunk (SPL)
spl 
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd")
| eval process=lower(coalesce(Image, exe, process_name, ""))
| eval cmdline=lower(coalesce(CommandLine, cmdline, command, ""))
| eval user=coalesce(User, uid, acct, "unknown")
| eval src_host=coalesce(host, hostname, "unknown")
| eval detection_type=case(
    match(process, "(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain)"), "known_arp_tool",
    match(cmdline, "(arpspoof|ettercap|bettercap|nemesis|arp-sk|yersinia)") AND NOT match(process, "(grep|find|cat|less|more|strings)"), "arp_tool_in_cmdline",
    match(process, "(python|python3)") AND match(cmdline, "(arp\(|sendp\(|arp_poison|arp-poison|from scapy|import scapy)"), "python_scapy_arp",
    match(process, "arp\.exe") AND match(cmdline, "(-s|/s)\s"), "arp_static_entry",
    match(cmdline, "(net\.ipv4\.ip_forward|ip_forward)") AND match(cmdline, "(=1|= 1)"), "linux_ip_forward_enabled",
    match(process, "netsh\.exe") AND match(cmdline, "forwarding") AND match(cmdline, "enable"), "windows_ip_forward_enabled",
    true(), null()
  )
| where isnotnull(detection_type)
| eval parent_process=coalesce(ParentImage, parent_image, pprocess, "")
| eval parent_cmdline=coalesce(ParentCommandLine, parent_cmdline, "")
| table _time, src_host, user, process, cmdline, parent_process, parent_cmdline, detection_type
| sort - _time
high severity medium confidence

Detects ARP cache poisoning activity across Windows and Linux endpoints using Sysmon process creation events (EventCode=1) and Linux syslog/auditd process logs. Evaluates process names and command lines against known ARP poisoning tool signatures, Python scapy ARP manipulation patterns, static ARP entry modification, and IP forwarding enablement on both platforms. The detection_type field categorizes each alert for analyst triage. Covers the full attack setup chain: IP forwarding enablement followed by ARP tool execution is the highest-fidelity signal.

Data Sources

Process: Process CreationCommand: Command ExecutionLinux: SyslogLinux: AuditdSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operationallinux_securesyslog

False Positives & Tuning

  • Network administrators using arp.exe -s for static ARP entries on critical infrastructure devices
  • Authorized penetration testers running ettercap, bettercap, or arpspoof during sanctioned security assessments — verify against active engagement tickets
  • Linux routing infrastructure (Kubernetes nodes, VPN gateways, container hosts) with legitimate ip_forward=1 configuration — build allowlists for known router hostnames
  • Python network automation and security research scripts using scapy for packet crafting and protocol testing in development environments
  • Network monitoring tools using ARP-related tooling passively — filter on tool command-line arguments indicating passive listen mode vs. active poisoning
Download portable Sigma rule (.yml)

Other platforms for T1557.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1ARP Cache Poisoning via arpspoof with IP Forwarding (Linux)

    Expected signal: Linux syslog/auditd: process creation events for 'tee' with command 'echo 1 | tee /proc/sys/net/ipv4/ip_forward', followed by 'arpspoof' with arguments '-i lo -t 127.0.0.2 127.0.0.1'. Sysmon for Linux (if deployed): Event ID 1 with Image=/usr/sbin/arpspoof. The /proc/sys/net/ipv4/ip_forward file changes from 0 to 1, detectable via file integrity monitoring or auditd watch on /proc/sys/net/ipv4/.

  2. Test 2Python Scapy Gratuitous ARP Reply Broadcast (Linux/Windows)

    Expected signal: Sysmon Event ID 1 (if deployed on Linux) or Linux syslog: python3 process creation with CommandLine containing 'from scapy.all import ARP', 'sendp(', and 'ARP(' keywords. Network-layer: 3 ARP broadcast frames on loopback interface capturable via tcpdump. Sysmon Event ID 3: python3 network activity on loopback.

  3. Test 3Windows ARP Static Entry Injection via arp.exe

    Expected signal: Security Event ID 4688 (requires process command line auditing via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Detailed Tracking > Audit Process Creation + Enable Command Line in Process Creation Events): NewProcessName=C:\Windows\System32\arp.exe, ProcessCommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff'. Sysmon Event ID 1: Image=arp.exe, CommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff', ParentImage=cmd.exe.

  4. Test 4Windows IP Forwarding Enablement via Netsh (MITM Prerequisite)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine='netsh interface ipv4 set interface Ethernet forwarding=enabled', ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled) with same details. Registry modification (Sysmon Event ID 13) at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}: IPEnableRouter value set to 1.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1557.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1557.003DHCP SpoofingT1557.004Evil Twin

Related Techniques

T1557Adversary-in-the-MiddleT1040Network SniffingT1565.002Transmitted Data ManipulationT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1550.002Pass the HashT1110.002Password CrackingT1090.001Internal ProxyT1056.001Keylogging

Same Tactic: Credential Access

Popular Detections