T1557.002 Sumo Logic CSE · Sumo

Detect ARP Cache Poisoning in Sumo Logic CSE

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. The stateless, unauthenticated nature of ARP means devices accept unsolicited replies, enabling gratuitous ARP broadcast attacks against entire subnets. Used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and LuminousMoth for traffic redirection to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040).

MITRE ATT&CK

Tactic: Credential Access, Collection
Technique: T1557 Adversary-in-the-Middle
Sub-technique: T1557.002 ARP Cache Poisoning
Canonical reference: https://attack.mitre.org/techniques/T1557/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
(_sourceCategory=*windows/sysmon* OR _sourceCategory=*windows/security* OR _sourceCategory=*linux/secure* OR _sourceCategory=*linux/audit* OR _sourceCategory=*endpoint*)
| where _raw matches /(?i).*(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain|ip_forward|arp\.exe|netsh|scapy|sendp).*/
// Field extraction; the optional \"? lets auditd's quoted exe="/path" form parse as well
| parse regex "(?i)(?:Image|process_name|exe)(?:>|=|\")\s*\"?(?P<process>[^\s<\"]+)" nodrop
| parse regex "(?i)(?:CommandLine|cmdline|command)(?:>|=|\")\s*\"?(?P<cmdline>[^<\"]{1,512})" nodrop
| parse regex "(?i)(?:User|uid|acct)(?:>|=|\")\s*\"?(?P<user>[^<\"\s]+)" nodrop
| parse regex "(?i)(?:ParentImage|parent_image)(?:>|=|\")\s*\"?(?P<parent_process>[^<\"]+)" nodrop
| if(isNull(process), "", toLowerCase(process)) as process
| if(isNull(cmdline), "", toLowerCase(cmdline)) as cmdline
| if(isNull(user), "unknown", user) as user
| if(isNull(parent_process), "", toLowerCase(parent_process)) as parent_process
// Candidate filter; a literal "/" inside a /regex/ literal is escaped as \/
| where process matches /(?i).*(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain).*/ OR
  (process matches /(?i).*python[3]?.*/ AND cmdline matches /(?i).*(arp\(|arp_poison|arp-poison|sendp\(|from scapy|import scapy).*/) OR
  (process matches /(?i).*arp\.exe.*/ AND cmdline matches /(?i).*(-s|\/s)\s+\d{1,3}\..*/) OR
  (process matches /(?i).*netsh\.exe.*/ AND cmdline matches /(?i).*forwarding.*/ AND cmdline matches /(?i).*enable.*/) OR
  (cmdline matches /.*ip_forward.*/ AND cmdline matches /.*(=1|= 1).*/)
// Classification repeats the filter conditions in the same order, so nothing that passed the filter is left "unclassified"
| if(process matches /(?i).*(arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain).*/, "known_arp_tool",
    if(process matches /(?i).*python[3]?.*/ AND cmdline matches /(?i).*(arp\(|arp_poison|arp-poison|sendp\(|from scapy|import scapy).*/, "python_scapy_arp",
    if(process matches /(?i).*arp\.exe.*/ AND cmdline matches /.*(-s|\/s)\s.*/, "arp_static_entry",
    if(process matches /(?i).*netsh\.exe.*/ AND cmdline matches /.*forwarding.*/ AND cmdline matches /.*enable.*/, "windows_ip_forward_enabled",
    if(cmdline matches /.*ip_forward.*/ AND cmdline matches /.*(=1|= 1).*/, "linux_ip_forward_enabled", "unclassified"))))) as detection_type
| where detection_type != "unclassified"
| count by _messageTime, _sourceHost, user, process, cmdline, parent_process, detection_type
| sort by _messageTime desc
```

Severity: high · Confidence: medium

Sumo Logic query detecting ARP cache poisoning indicators including known tool execution, Scapy ARP packet injection, arp.exe static entry manipulation, and IP forwarding enablement on Windows and Linux hosts for MITRE ATT&CK T1557.002.
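The script below is an added example, not the page's or Sumo Logic's own code: it ports the query's parse-and-classify stages to plain Python so the classification can be unit-tested against constructed log lines before the rule goes live. The regexes follow the query, except that an opening quote after the field name is tolerated (auditd writes exe="/path"); the hosts, users and the arp_poison.py script path are constructed. It also exercises an edge case worth knowing: the `echo 1 | tee /proc/sys/net/ipv4/ip_forward` form used in Test 1 carries no `=1`, so the `linux_ip_forward_enabled` branch does not fire on it and that test is caught only through the separate arpspoof event.

```python
"""Plain-Python port of the Sumo query's parse-and-classify stages.

Added example, not the page's or Sumo Logic's own code. The regexes follow the
query, plus an optional opening quote after the field name so auditd's
exe="/path" form is parsed too. All log lines below are constructed.
"""
import re

# Stage 1: field extraction (same field names as the query's parse regex lines).
FIELD_PATTERNS = {
    "process": re.compile(r'(?i)(?:Image|process_name|exe)(?:>|=|")\s*"?(?P<v>[^\s<"]+)'),
    "cmdline": re.compile(r'(?i)(?:CommandLine|cmdline|command)(?:>|=|")\s*"?(?P<v>[^<"]{1,512})'),
    "user": re.compile(r'(?i)(?:User|uid|acct)(?:>|=|")\s*"?(?P<v>[^<"\s]+)'),
    "parent_process": re.compile(r'(?i)(?:ParentImage|parent_image)(?:>|=|")\s*"?(?P<v>[^<"]+)'),
}
# As in the query, the cmdline and parent_process captures run to the end of the
# line (or to < or "), so on key=value input only the last field is captured cleanly.

# Stage 2: the query's match lists.
KNOWN_TOOLS = re.compile(r"arpspoof|ettercap|bettercap|nemesis|arp-sk|arpflood|yersinia|cain")
SCAPY_ARP = re.compile(r"arp\(|arp_poison|arp-poison|sendp\(|from scapy|import scapy")
ARP_STATIC = re.compile(r"(-s|/s)\s+\d{1,3}\.")
IPFWD_ONE = re.compile(r"=1|= 1")


def extract(line):
    """Pull the four fields out of one log line and normalise them as the query does."""
    raw = {}
    for name, pat in FIELD_PATTERNS.items():
        m = pat.search(line)
        raw[name] = m.group("v") if m else None
    return {
        "process": (raw["process"] or "").lower(),
        "cmdline": (raw["cmdline"] or "").lower(),
        "user": raw["user"] or "unknown",
        "parent_process": (raw["parent_process"] or "").lower(),
    }


def classify(fields):
    """Same conditions, same order, same labels as the query's detection_type chain."""
    p, c = fields["process"], fields["cmdline"]
    if KNOWN_TOOLS.search(p):
        return "known_arp_tool"
    if re.search(r"python3?", p) and SCAPY_ARP.search(c):
        return "python_scapy_arp"
    if "arp.exe" in p and ARP_STATIC.search(c):
        return "arp_static_entry"
    if "netsh.exe" in p and "forwarding" in c and "enable" in c:
        return "windows_ip_forward_enabled"
    if "ip_forward" in c and IPFWD_ONE.search(c):
        return "linux_ip_forward_enabled"
    return "unclassified"


def detect(lines):
    """Return the records the query would emit: everything not 'unclassified'."""
    hits = []
    for line in lines:
        fields = extract(line)
        label = classify(fields)
        if label != "unclassified":
            fields["detection_type"] = label
            hits.append(fields)
    return hits


# Constructed log lines in key=value shape (hosts, users and paths are made up).
SAMPLE_LOGS = [
    # Test 1 shape: arpspoof on Linux
    r"process_name=/usr/sbin/arpspoof user=root parent_image=/bin/bash cmdline=arpspoof -i lo -t 127.0.0.2 127.0.0.1",
    # Test 2 shape: python3 running a Scapy ARP script (script path is constructed)
    r"process_name=/usr/bin/python3 user=root parent_image=/bin/bash cmdline=python3 /home/dev/lab/arp_poison.py",
    # Test 3 shape: static ARP entry via arp.exe
    r"Image=C:\Windows\System32\arp.exe User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe CommandLine=arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff",
    # Test 4 shape: IP forwarding enabled through netsh
    r"Image=C:\Windows\System32\netsh.exe User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe CommandLine=netsh interface ipv4 set interface Ethernet forwarding=enabled",
    # sysctl form of ip_forward=1 (also the container-host false positive from the tuning notes)
    r"process_name=/usr/sbin/sysctl user=root parent_image=/bin/bash cmdline=sysctl -w net.ipv4.ip_forward=1",
    # Benign: listing the ARP cache is not a static-entry write
    r"Image=C:\Windows\System32\arp.exe User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe CommandLine=arp -a",
    # Edge case: the tee form from Test 1 carries no '=1', so the ip_forward branch misses it
    r"process_name=/usr/bin/tee user=root parent_image=/bin/bash cmdline=tee /proc/sys/net/ipv4/ip_forward",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit["detection_type"], hit["user"], hit["process"], "|", hit["cmdline"])
```

Running the script prints five hits and silently drops the `arp -a` and `tee` lines; if the tee form matters in your environment, the `linux_ip_forward_enabled` condition needs a second pattern for writes to the proc path rather than only `=1`.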

Data Sources

  • Sumo Logic Installed Collector (Windows)
  • Sumo Logic Installed Collector (Linux)
  • Sysmon for Windows via Sumo Logic source
  • Linux auditd/syslog via Sumo Logic source
  • Sumo Logic Cloud SIEM Enterprise (normalized)

Required Tables

  • _sourceCategory=*windows/sysmon*
  • _sourceCategory=*windows/security*
  • _sourceCategory=*linux/secure*
  • _sourceCategory=*linux/audit*

False Positives & Tuning

  • Red team or penetration testers using ettercap, bettercap, or arpspoof during authorized assessments within a defined change window — validate against approved testing schedule.
  • Network administrators creating static ARP entries via arp.exe -s as a defensive measure to protect gateway or DNS server MAC bindings from spoofing.
  • DevOps or platform engineers enabling ip_forward on container hosts (Docker, Kubernetes nodes) or Linux-based network appliances during infrastructure provisioning.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: ARP Cache Poisoning via arpspoof with IP Forwarding (Linux)

    Expected signal: Linux syslog/auditd: process creation events for 'tee' with command 'echo 1 | tee /proc/sys/net/ipv4/ip_forward', followed by 'arpspoof' with arguments '-i lo -t 127.0.0.2 127.0.0.1'. Sysmon for Linux (if deployed): Event ID 1 with Image=/usr/sbin/arpspoof. The /proc/sys/net/ipv4/ip_forward file changes from 0 to 1, detectable via file integrity monitoring or auditd watch on /proc/sys/net/ipv4/.

  2. Test 2: Python Scapy Gratuitous ARP Reply Broadcast (Linux/Windows)

    Expected signal: Sysmon Event ID 1 (if deployed on Linux) or Linux syslog: python3 process creation with CommandLine containing 'from scapy.all import ARP', 'sendp(', and 'ARP(' keywords. Network-layer: 3 ARP broadcast frames on loopback interface capturable via tcpdump. Sysmon Event ID 3: python3 network activity on loopback.

  3. Test 3: Windows ARP Static Entry Injection via arp.exe

    Expected signal: Security Event ID 4688 (requires process command line auditing via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Detailed Tracking > Audit Process Creation + Enable Command Line in Process Creation Events): NewProcessName=C:\Windows\System32\arp.exe, ProcessCommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff'. Sysmon Event ID 1: Image=arp.exe, CommandLine='arp -s 192.0.2.1 aa-bb-cc-dd-ee-ff', ParentImage=cmd.exe.

  4. Test 4: Windows IP Forwarding Enablement via Netsh (MITM Prerequisite)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netsh.exe, CommandLine='netsh interface ipv4 set interface Ethernet forwarding=enabled', ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled) with same details. Registry modification (Sysmon Event ID 13) at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}: IPEnableRouter value set to 1.
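Test 2 notes that the ARP frames themselves are visible on the wire. As an added example (not the page's or Sumo Logic's code), here is a passive monitor that parses raw Ethernet/ARP frames, learns sender IP-to-MAC bindings (or starts from a trusted list, the network-layer counterpart of the static-entry defence in the tuning notes), and alerts on the two patterns the overview describes: an IP claimed by a MAC other than the one on record, and an unsolicited (gratuitous) reply. The frames, the MACs and the 192.0.2.0/24 addresses are constructed; in practice the bytes would come from a pcap reader or a raw socket.

```python
"""Passive monitor for ARP bindings over raw Ethernet/ARP frames.

Added example, not the page's or Sumo Logic's own code. Frames are parsed,
sender IP-to-MAC bindings are learned (or seeded from a trusted list), and
two conditions raise alerts:
  binding_conflict - an IP is claimed by a MAC other than the one on record
  gratuitous_reply - an unsolicited reply whose sender and target IP match
All frames, MACs and 192.0.2.0/24 addresses below are constructed test data.
"""
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict, or return None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    return {"oper": oper, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


class ArpMonitor:
    def __init__(self, trusted=None):
        # Bindings on record. Seeding gateway/DNS entries means the first claim
        # for those IPs is checked against the seed rather than learned.
        self.table = dict(trusted or {})
        self.alerts = []

    def observe(self, frame):
        """Process one frame; return the alerts it produced (also kept in self.alerts)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        found = []
        on_record = self.table.get(arp["spa"])
        if arp["oper"] == ARP_REPLY and arp["spa"] == arp["tpa"]:
            found.append({"kind": "gratuitous_reply", "ip": arp["spa"],
                          "on_record": on_record, "observed": arp["sha"]})
        if on_record is None:
            self.table[arp["spa"]] = arp["sha"]  # first sighting: learn it
        elif on_record != arp["sha"]:
            # The recorded binding is kept; the competing claim is reported, not adopted.
            found.append({"kind": "binding_conflict", "ip": arp["spa"],
                          "on_record": on_record, "observed": arp["sha"]})
        self.alerts.extend(found)
        return found


def run_capture(frames, trusted=None):
    """Feed a sequence of frames through one monitor and return every alert raised."""
    mon = ArpMonitor(trusted)
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


# Constructed frames: gateway 192.0.2.1 is aa:bb:cc:dd:ee:ff, host 192.0.2.10 is
# 02:00:00:00:00:10, and 02:00:00:00:00:99 is a second station on the segment.
SAMPLE_FRAMES = [
    # 1. legitimate reply: the gateway answers the host
    bytes.fromhex("020000000010 aabbccddeeff 0806 0001 0800 06 04 0002 aabbccddeeff c0000201 020000000010 c000020a"),
    # 2. conflicting reply: 02:..:99 claims the gateway's IP to the host
    bytes.fromhex("020000000010 020000000099 0806 0001 0800 06 04 0002 020000000099 c0000201 020000000010 c000020a"),
    # 3. gratuitous reply broadcast to the whole segment for the gateway's IP
    bytes.fromhex("ffffffffffff 020000000099 0806 0001 0800 06 04 0002 020000000099 c0000201 ffffffffffff c0000201"),
    # 4. not ARP at all (EtherType 0x0800, padded): must be ignored
    bytes.fromhex("020000000010 aabbccddeeff 0800") + bytes(28),
    # 5. ordinary request from the host for the gateway: learns the host's binding, no alert
    bytes.fromhex("ffffffffffff 020000000010 0806 0001 0800 06 04 0001 020000000010 c000020a 000000000000 c0000201"),
]

if __name__ == "__main__":
    for alert in run_capture(SAMPLE_FRAMES):
        print(alert)
```

With an empty table the first frame is learned as the gateway's binding and frames 2 and 3 then produce three alerts (a conflict, then a gratuitous reply plus a conflict); seeding the gateway binding up front makes frame 2 alert even if no legitimate reply was ever seen, which is the case that matters on a segment where the monitor starts after the poisoning began.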
