1. Home
  2. Software
  3. Arp

Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [1]

ID: S0099
Associated Software: arp.exe
Type: TOOL
Platforms: Linux, Windows, macOS
Version: 1.3
Created: 31 May 2017
Last Modified: 17 April 2026
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1018 Remote System Discovery

Arp can be used to display a host's ARP cache, which may include address resolutions for remote systems.[1][2]
Enterprise T1016 System Network Configuration Discovery

Arp can be used to display ARP configuration information on the host.[1]

Groups That Use This Software

ID Name References
G0010 Turla

[3]
G1043 BlackByte

BlackByte used Arp to identify connected hosts in victim networks.[4]
G0050 APT32

[5]
G0071 Orangeworm

[6]
G1054 MirrorFace

[7][8]

Campaigns

ID Name Description
C0063 2025 Poland Wiper Attacks

During the 2025 Poland Wiper Attacks, the adversaries used Arp to write to a file named outlog.txt, including: currently running processes, network connections, routing tables, ARP cache, and the contents of user directories.[9]
C0026 C0026

[10]
C0060 Operation AkaiRyū

During Operation AkaiRyū, MirrorFace used Arp for discovery.[7]

References

  1. Microsoft. (n.d.). Arp. Retrieved April 17, 2016.
  2. Palo Alto Networks. (2021, November 24). Cortex XDR Analytics Alert Reference: Uncommon ARP cache listing via arp.exe. Retrieved December 7, 2021.
  3. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  4. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
  5. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  1. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  2. Hiroaki, H. (2024, November 26). Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.
  3. Dominik Breitenbacher. (2025, March 18). Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.
  4. CERT Polska. (2026, January 30). Energy Sector Incident Report – 29 December. Retrieved April 22, 2026.
  5. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.