S0099 Arp
Arp displays and modifies information about a system’s Address Resolution Protocol (ARP) cache. [1]
| Item | Value |
|---|---|
| ID | S0099 |
| Associated Names | |
| Type | TOOL |
| Version | 1.2 |
| Created | 31 May 2017 |
| Last Modified | 16 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1018 | Remote System Discovery | Arp can be used to display a host’s ARP cache, which may include address resolutions for remote systems. [1][2] |
| enterprise | T1016 | System Network Configuration Discovery | Arp can be used to display ARP configuration information on the host. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0010 | Turla | [4] |
| G1043 | BlackByte | BlackByte used Arp to identify connected hosts in victim networks. [5] |
| G0050 | APT32 | [6] |
| G0071 | Orangeworm | [7] |
References
- Palo Alto Networks. (2021, November 24). Cortex XDR Analytics Alert Reference: Uncommon ARP cache listing via arp.exe. Retrieved December 7, 2021.
- Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
- Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.