title: ARP Cache Poisoning (T1557.002)
id: df00tech-t1557-002
status: experimental
description: "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. ARP Cache Poisoning enables adversary-in-the-middle attacks by associating the adversary's MAC address with a legitimate IP address in the ARP caches of victim devices, allowing interception and manipulation of network traffic. The stateless, unauthenticated nature of ARP means devices accept unsolicited replies, enabling gratuitous ARP broadcast attacks against entire subnets. Used by threat groups including Operation Cleaver (Iranian APT) for credential theft via custom tooling, and LuminousMoth for traffic redirection to actor-controlled infrastructure. Primary use cases include credential harvesting from unencrypted protocols (HTTP, FTP, SMTP, NTLM), session hijacking, and data manipulation as a precursor to Transmitted Data Manipulation (T1565.002) or Network Sniffing (T1040)."
references:
  - https://attack.mitre.org/techniques/T1557/002/
  - https://df00tech.com/detections/T1557.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1557.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original KQL/SPL query could not be auto-translated (see the df00tech link above).
  # The selections below are reconstructed from the tooling named in this rule's own
  # falsepositives list (arp.exe -s, ettercap, bettercap, arpspoof, scapy); the placeholder
  # EventID: '*' would have matched every process_creation event.
  selection_static_arp:
    Image|endswith: '\arp.exe'
    CommandLine|contains: ' -s '
  selection_poisoning_tools:
    Image|endswith:
      - '\ettercap.exe'
      - '\bettercap.exe'
      - '\arpspoof.exe'
  selection_scapy_arp:
    CommandLine|contains|all:
      - 'scapy'
      - 'ARP'
  condition: 1 of selection_*
falsepositives:
  - Network administrators using arp.exe -s to configure static ARP entries as a legitimate defense against ARP poisoning or to maintain persistent MAC-to-IP mappings for critical infrastructure devices such as printers and servers
  - "Authorized penetration testers or red teams executing ettercap, bettercap, or arpspoof during sanctioned network security assessments — always verify against active change management or pen test engagement tickets covering the source device and network segment"
  - "Multi-homed Linux servers, container orchestration nodes (Kubernetes, Docker Swarm), and VPN gateway hosts that legitimately require ip_forward=1 for packet routing and NAT functionality"
  - "Python network automation engineers or security researchers using scapy for legitimate packet crafting, NIDS signature testing, or network protocol development in lab environments"
  - "Network monitoring solutions (arpwatch, XArp, commercial NAC products) that use ARP-related binary names or scapy internally for passive ARP anomaly detection without injecting forged replies"
level: high
