Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Hour |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Low |
Description
The arp.exe command is used to display and modify entries in the Address Resolution Protocol (ARP) cache. Adversaries may attempt to use the command to discover remote systems they could compromise.
Attacker's Goals
Adversaries may attempt to use the command to discover remote systems they could compromise.
Investigative actions
Check whether the initiating process is allowed in your organization. (If the parent process is cmd.exe, check the process that spawned it).