DET0387 Detect ARP Cache Poisoning Across Linux, Windows, and macOS
| Item | Value |
| --- | --- |
| ID | DET0387 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1557.002 (ARP Cache Poisoning)
Analytics
Windows
AN1091
Detects anomalous ARP traffic or cache modifications on Windows endpoints that indicate ARP poisoning. Behavioral focus is on multiple IP addresses resolving to a single MAC, or unsolicited ARP replies from unauthorized devices.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TrustedGatewayMAC | Expected MAC address for default gateways; deviations may indicate poisoning. |
| TimeWindow | Correlation interval for repeated unsolicited ARP replies. |
Linux
AN1092
Detects suspicious gratuitous ARP responses or inconsistent IP-to-MAC mappings using auditd and packet capture. Behavioral focus is on unsolicited replies overriding legitimate ARP ownership.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| AllowedARPUpdates | Expected legitimate IP-to-MAC updates for servers or virtual routers. |
| AlertThreshold | Number of anomalous ARP packets per second before triggering detection. |
macOS
AN1093
Detects anomalous ARP cache changes and unsolicited ARP broadcasts using unified logs and packet capture. Behavioral detection includes multiple IP addresses mapped to the same MAC address and repeated gratuitous ARP traffic.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| GatewayMACBaseline | Known MAC addresses for gateways or DHCP servers; used to detect spoofed ARP entries. |
| CorrelationDepth | How many ARP inconsistencies to tolerate before escalating detection. |
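The three analytics above (AN1091 for Windows, AN1092 for Linux, AN1093 for macOS) describe the same behavioral logic over different log sources: a gateway answering from a MAC outside the baseline, unsolicited replies that override an existing IP-to-MAC mapping, and one MAC claiming several IPs, escalated by a time window, a per-window threshold, and a tolerated-inconsistency count. The following Python is an added worked example and not code from DET0387 itself; it models the mutable elements of all three analytics as detector parameters. The `ArpEvent` records are assumed to come from whatever packet-capture parser feeds the analytic, and the `SAMPLE_EVENTS` traffic (a victim, a gateway, a cluster VIP that legitimately fails over, and an attacker MAC poisoning both ends) is constructed for illustration, not a real capture.

```python
"""Detection logic for T1557.002 (ARP cache poisoning) over ARP packet events.

Added example for DET0387, not the detection strategy's own code. The mutable
elements of AN1091/AN1092/AN1093 are detector parameters; ArpEvent records are
assumed to come from a packet-capture parser, and SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict, deque, namedtuple

# ts: seconds since capture start; op: "request" (who-has) or "reply" (is-at);
# sender_ip/sender_mac: what the sender claims; target_ip: IP asked about or answered.
ArpEvent = namedtuple("ArpEvent", "ts op sender_ip sender_mac target_ip")
Alert = namedtuple("Alert", "ts rule detail")


class ArpPoisonDetector:
    def __init__(self, gateway_mac_baseline, allowed_arp_updates=None,
                 time_window=5.0, alert_threshold=3, correlation_depth=2):
        # TrustedGatewayMAC / GatewayMACBaseline: expected MAC per gateway IP.
        self.gateway_mac_baseline = {ip: m.lower() for ip, m in gateway_mac_baseline.items()}
        # AllowedARPUpdates: IPs that legitimately move between MACs, e.g. a cluster VIP.
        self.allowed = {ip: {m.lower() for m in macs}
                        for ip, macs in (allowed_arp_updates or {}).items()}
        # TimeWindow (seconds), AlertThreshold (anomalies per window),
        # CorrelationDepth (inconsistencies tolerated before escalation).
        self.time_window, self.alert_threshold = time_window, alert_threshold
        self.correlation_depth = correlation_depth
        self.pending = {}                   # (asker_ip, asked_ip) -> ts of the who-has
        self.ip_to_mac = {}                 # IP -> MAC, as a cache would learn it
        self.mac_to_ips = defaultdict(set)  # MAC -> IPs it currently claims
        self.anomaly_ts = deque()           # anomaly timestamps inside TimeWindow
        self.inconsistencies, self.alerts = 0, []

    def _learn(self, ev):
        """Update the observed IP->MAC view the way an ARP cache would."""
        mac, previous = ev.sender_mac.lower(), self.ip_to_mac.get(ev.sender_ip)
        if previous is not None and previous != mac:
            self.mac_to_ips[previous].discard(ev.sender_ip)
        self.ip_to_mac[ev.sender_ip] = mac
        self.mac_to_ips[mac].add(ev.sender_ip)

    def _anomaly(self, ev, rule, detail):
        """Count an inconsistency; escalate on CorrelationDepth or AlertThreshold."""
        self.inconsistencies += 1
        self.anomaly_ts.append(ev.ts)
        while ev.ts - self.anomaly_ts[0] > self.time_window:
            self.anomaly_ts.popleft()
        if self.inconsistencies == self.correlation_depth + 1:
            self.alerts.append(Alert(ev.ts, "correlated_inconsistencies", f"{rule}: {detail}"))
        if len(self.anomaly_ts) >= self.alert_threshold:
            self.alerts.append(Alert(ev.ts, "burst", f"{len(self.anomaly_ts)} anomalies in {self.time_window}s"))
            self.anomaly_ts.clear()

    def process(self, ev):
        mac = ev.sender_mac.lower()
        if ev.op == "request":
            self.pending[(ev.sender_ip, ev.target_ip)] = ev.ts
            self._learn(ev)
            return
        # A reply is solicited only if its receiver recently asked for that IP.
        asked = self.pending.pop((ev.target_ip, ev.sender_ip), None)
        solicited = asked is not None and ev.ts - asked <= self.time_window
        # Rule 1: a gateway IP answered from a MAC outside the baseline.
        expected = self.gateway_mac_baseline.get(ev.sender_ip)
        if expected is not None and mac != expected:
            self.alerts.append(Alert(ev.ts, "gateway_mac_mismatch", f"{ev.sender_ip} claimed by {mac}, expected {expected}"))
        # Rule 2: an unsolicited reply overriding an existing mapping.
        previous = self.ip_to_mac.get(ev.sender_ip)
        allowed = mac in self.allowed.get(ev.sender_ip, set())
        if not solicited and previous is not None and previous != mac and not allowed:
            self._anomaly(ev, "unsolicited_override", f"{ev.sender_ip}: {previous} -> {mac}")
        self._learn(ev)
        # Rule 3: one MAC answering for several IPs (a host that just changed IP via
        # DHCP also trips this until its old IP is re-learned, hence the thresholds).
        claimed = self.mac_to_ips[mac]
        if len(claimed) > 1 and not allowed:
            self._anomaly(ev, "multi_ip_single_mac", f"{mac} claims {sorted(claimed)}")


def detect(events, **params):
    det = ArpPoisonDetector(**params)
    for ev in sorted(events, key=lambda e: e.ts):
        det.process(ev)
    return det.alerts


GW, GW_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
VICTIM, VICTIM_MAC = "10.0.0.20", "00:11:22:33:44:20"
ATTACKER_MAC, VIP = "de:ad:be:ef:00:01", "10.0.0.50"
ALLOWED = {VIP: {"00:00:5e:00:01:01", "00:00:5e:00:01:02"}}  # VIP fails over between two nodes
SAMPLE_EVENTS = [  # constructed traffic, not a real capture
    ArpEvent(0.0, "request", VICTIM, VICTIM_MAC, GW),       # benign: victim asks for gateway
    ArpEvent(0.1, "reply", GW, GW_MAC, VICTIM),             # benign: solicited answer
    ArpEvent(2.0, "reply", VIP, "00:00:5e:00:01:01", VIP),  # benign: gratuitous VIP announce
    ArpEvent(8.0, "reply", VIP, "00:00:5e:00:01:02", VIP),  # benign: allowed VIP failover
    ArpEvent(20.0, "reply", GW, ATTACKER_MAC, VICTIM),      # poison: gateway -> attacker MAC
    ArpEvent(20.2, "reply", VICTIM, ATTACKER_MAC, GW),      # poison: victim -> attacker MAC
    ArpEvent(22.0, "reply", GW, ATTACKER_MAC, VICTIM),      # periodic re-poison
]


def run_sample():
    return detect(SAMPLE_EVENTS, gateway_mac_baseline={GW: GW_MAC}, allowed_arp_updates=ALLOWED)
```

On the constructed sample, the benign traffic (including the gratuitous announcement and the later failover of the cluster VIP, which `AllowedARPUpdates` whitelists) produces no alerts; the first poisoned reply raises `gateway_mac_mismatch` immediately, the second one pushes the inconsistency count past `CorrelationDepth` and the per-window anomaly count to `AlertThreshold`, and the periodic re-poison keeps tripping the gateway baseline. Leaving the VIP out of `AllowedARPUpdates` turns its failover into an `unsolicited_override` anomaly, which is the false positive the mutable element exists to suppress. The same logic can be pointed at cache snapshots rather than packets: `Get-NetNeighbor` on Windows, `ip neigh show` on Linux and `arp -a` on macOS each give the current IP-to-MAC view, but only packet capture distinguishes a solicited reply from an unsolicited one.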