S0099 Arp
Arp displays and modifies information about a system’s Address Resolution Protocol (ARP) cache. 1
| Item | Value |
|---|---|
| ID | S0099 |
| Associated Names | |
| Type | TOOL |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 07 December 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1018 | Remote System Discovery | Arp can be used to display a host’s ARP cache, which may include address resolutions for remote systems.12 |
| enterprise | T1016 | System Network Configuration Discovery | Arp can be used to display ARP configuration information on the host.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0071 | Orangeworm | 3 |
| G0050 | APT32 | 4 |
| G0010 | Turla | 5 |
References
-
Palo Alto Networks. (2021, November 24). Cortex XDR Analytics Alert Reference: Uncommon ARP cache listing via arp.exe. Retrieved December 7, 2021. ↩
-
Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. ↩
-
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. ↩
-
Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. ↩