AN1091: Analytic 1091
Detects anomalous ARP traffic or cache modifications on Windows endpoints that indicate ARP poisoning. Behavioral focus is on multiple IP addresses resolving to a single MAC, or unsolicited ARP replies from unauthorized devices.
Analyst context for executives and security teams
This analytic matters because ARP poisoning can redirect or observe local network traffic from Windows endpoints, creating risk to session confidentiality, operational availability, and incident scope containment. For leaders, the practical question is whether the organization can see suspicious local network behavior before it becomes a broader investigation problem, especially on sensitive segments where endpoint-to-endpoint trust is often assumed.
Executive priority
Prioritize this as a network visibility and endpoint readiness question for Windows environments. Security leaders should ask whether SOC teams collect enough endpoint and local-network evidence to prove or disprove ARP poisoning, whether high-value network segments have controls against unauthorized devices, and whether incident response playbooks include local network manipulation as a possible cause of anomalous traffic paths or credential exposure.
Technical view
AN1091 is a Windows-focused detection analytic for anomalous ARP traffic or ARP cache modification patterns indicating possible ARP poisoning. The key behaviors called out are multiple IP addresses resolving to a single MAC address and unsolicited ARP replies from unauthorized devices. SOC and detection teams should validate whether Windows endpoint telemetry, network sensor data, and asset authorization data can be correlated to distinguish legitimate infrastructure behavior from suspicious ARP resolution changes.
Likely telemetry
- Windows endpoint network state or ARP cache observations
- ARP request/reply traffic from local network sensors where available
- Mappings of IP addresses to MAC addresses over time
- Authorized device and network infrastructure inventory
- Endpoint and subnet context for Windows systems on monitored network segments
Detection direction
- Validate whether telemetry can identify multiple IP addresses resolving to one MAC address on the same segment.
- Look for unsolicited ARP replies, especially from devices not present in authorized asset or network infrastructure inventories.
- Tune detections against expected network behavior such as gateways, clustering, virtualization, load balancing, or legitimate network appliances that may create unusual IP-to-MAC mappings.
- Correlate endpoint observations with network sensor data when possible, because ARP behavior is local to a broadcast domain and may not be visible from centralized logs alone.
- Confirm coverage on Windows endpoints specifically, since that is the only platform supplied for this analytic.
Mitigation priorities
- Maintain accurate authorized device and network infrastructure inventories so suspicious MAC/IP behavior can be evaluated quickly.
- Prioritize monitoring on sensitive Windows segments where traffic interception or disruption would create higher business impact.
- Review network access controls and segmentation assumptions for areas where unauthorized devices could participate in local ARP traffic.
- Ensure incident response procedures include collection of ARP cache state, local network context, and device authorization evidence during suspected traffic redirection events.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied ATT&CK fields provide the behavioral focus but no official detection logic, tactics, or relationships. Treat it as guidance for validating ARP-poisoning visibility rather than as a complete detection rule.
Official detection content and relationship context were not provided. No claims can be made about active exploitation, adversary attribution, non-Windows platforms, or guaranteed detection coverage. Local network architecture, asset inventory quality, and available ARP telemetry will determine operational usefulness.
Analytic 1091
Detects anomalous ARP traffic or cache modifications on Windows endpoints that indicate ARP poisoning. Behavioral focus is on multiple IP addresses resolving to a single MAC, or unsolicited ARP replies from unauthorized devices.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 5aa52e9b2a10… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1091Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.