Detect ARP Cache Poisoning Across Linux, Windows, and macOS

Technique Detected: ARP Cache Poisoning | T1557.002

ID: DET0387
Domains: Enterprise
Analytics: AN1091, AN1092, AN1093
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1091

Detects anomalous ARP traffic or cache modifications on Windows endpoints that indicate ARP poisoning. Behavioral focus is on multiple IP addresses resolving to a single MAC, or unsolicited ARP replies from unauthorized devices.

Log Sources
Data Component | Name | Channel
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3
Network Traffic Flow (DC0078) | WinEventLog:Security | ARP cache modification attempts observed through event tracing or security baselines
Mutable Elements
Field | Description
TrustedGatewayMAC | Expected MAC address for default gateways; deviations may indicate poisoning.
TimeWindow | Correlation interval for repeated unsolicited ARP replies.

AN1092

Detects suspicious gratuitous ARP responses or inconsistent IP-to-MAC mappings using auditd and packet capture. Behavioral focus is on unsolicited replies overriding legitimate ARP ownership.

Log Sources
Data Component | Name | Channel
Network Traffic Content (DC0085) | auditd:SYSCALL | setsockopt, ioctl modifying ARP entries
Network Traffic Flow (DC0078) | NSM:Flow | Gratuitous ARP replies with mismatched IP-MAC binding
Mutable Elements
Field | Description
AllowedARPUpdates | Expected legitimate IP-to-MAC updates for servers or virtual routers.
AlertThreshold | Number of anomalous ARP packets per second before triggering detection.

AN1093

Detects anomalous ARP cache changes and unsolicited ARP broadcasts using unified logs and packet capture. Behavioral detection includes multiple IP addresses mapped to the same MAC address and repeated gratuitous ARP traffic.

Log Sources
Data Component | Name | Channel
Network Traffic Flow (DC0078) | macos:unifiedlog | ARP table updates inconsistent with expected gateway or DHCP lease assignments
Network Traffic Content (DC0085) | NSM:Flow | Excessive gratuitous ARP replies on local subnet
Mutable Elements
Field | Description
GatewayMACBaseline | Known MAC addresses for gateways or DHCP servers; used to detect spoofed ARP entries.
CorrelationDepth | How many ARP inconsistencies to tolerate before escalating detection.
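As an added illustration (not part of the DET0387 entry), the following Python applies the checks the three analytics describe to a constructed stream of ARP observations, using the mutable elements above as tunables. The baseline MACs, the allowed-update list, the sample records and the "unsolicited reply" flag are all assumptions; a real deployment would feed it parsed Sysmon, auditd, unified log or NSM records.

```python
from collections import defaultdict, deque
# Mutable elements named in the analytics above, with constructed values (not real baselines)
GATEWAY_MAC_BASELINE = {"10.0.0.1": "aa:bb:cc:00:00:01"}   # TrustedGatewayMAC / GatewayMACBaseline
ALLOWED_ARP_UPDATES = {"10.0.0.5": {"aa:bb:cc:00:00:05", "aa:bb:cc:00:00:06"}}  # AllowedARPUpdates
TIME_WINDOW = 5.0       # seconds (TimeWindow)
ALERT_THRESHOLD = 3     # unsolicited replies per window (AlertThreshold)
CORRELATION_DEPTH = 2   # distinct IPs one MAC may claim before alerting (CorrelationDepth)
# Constructed ARP observations: (timestamp, sender_ip, sender_mac, unsolicited_reply)
OBSERVATIONS = [
    (0.0, "10.0.0.1", "aa:bb:cc:00:00:01", False),  # real gateway answering a request
    (0.5, "10.0.0.5", "aa:bb:cc:00:00:05", False),  # virtual router, primary node
    (1.0, "10.0.0.5", "aa:bb:cc:00:00:06", True),   # allowed failover to the standby MAC
    (2.0, "10.0.0.1", "de:ad:be:ef:00:01", True),   # gateway IP claimed by an unknown MAC
    (2.5, "10.0.0.7", "de:ad:be:ef:00:01", True),   # the same MAC also claims a host
    (3.0, "10.0.0.8", "de:ad:be:ef:00:01", True),   # and a third IP
]

def detect_arp_poisoning(observations, baseline=GATEWAY_MAC_BASELINE, allowed=ALLOWED_ARP_UPDATES,
                         window=TIME_WINDOW, threshold=ALERT_THRESHOLD, depth=CORRELATION_DEPTH):
    """Return (alert_type, detail) tuples in detection order; each distinct alert is emitted once."""
    alerts, seen = [], set()
    mac_to_ips = defaultdict(set)   # IP addresses each MAC has claimed
    ip_to_mac = {}                  # last binding seen for each IP
    recent_unsolicited = deque()    # timestamps of unsolicited replies inside the window
    def emit(kind, detail):
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            alerts.append((kind, detail))
    for ts, ip, mac, unsolicited in sorted(observations):
        # 1. Gateway/DHCP IP answering from a MAC outside the baseline
        if ip in baseline and mac != baseline[ip]:
            emit("gateway_mac_mismatch", (ip, mac))
        # 2. Binding change that is not on the allowed-updates list
        prev = ip_to_mac.get(ip)
        if prev and prev != mac and mac not in allowed.get(ip, set()):
            emit("binding_changed", (ip, prev, mac))
        ip_to_mac[ip] = mac
        # 3. One MAC resolving more IPs than CorrelationDepth tolerates
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > depth:
            emit("multi_ip_single_mac", mac)
        # 4. Unsolicited (gratuitous) reply rate over the correlation window
        if unsolicited:
            recent_unsolicited.append(ts)
            while ts - recent_unsolicited[0] > window:
                recent_unsolicited.popleft()
            if len(recent_unsolicited) >= threshold:
                emit("gratuitous_arp_flood", f"{threshold}+ unsolicited replies within {window}s")
    return alerts
```

The allowed-updates check is what keeps a legitimate virtual-router failover from firing, while the rogue MAC trips the gateway-baseline, binding-change, rate and multi-IP checks in turn.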