1. Home
  2. Software
  3. Arp

Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [1]

ID: S0099
Associated Software: arp.exe
Type: TOOL
Platforms: Linux, Windows, macOS
Version: 1.2
Created: 31 May 2017
Last Modified: 16 April 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1018 Remote System Discovery

Arp can be used to display a host's ARP cache, which may include address resolutions for remote systems.[1][2]
Enterprise T1016 System Network Configuration Discovery

Arp can be used to display ARP configuration information on the host.[1]

Groups That Use This Software

ID Name References
G0010 Turla

[3]
G1043 BlackByte

BlackByte used Arp to identify connected hosts in victim networks.[4]
G0050 APT32

[5]
G0071 Orangeworm

[6]

Campaigns

ID Name Description
C0026 C0026

[7]

References

  1. Microsoft. (n.d.). Arp. Retrieved April 17, 2016.
  2. Palo Alto Networks. (2021, November 24). Cortex XDR Analytics Alert Reference: Uncommon ARP cache listing via arp.exe. Retrieved December 7, 2021.
  3. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  4. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
  1. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  2. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  3. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.