MITRE ATT&CK® Analytic

AN1092: Analytic 1092

Detects suspicious gratuitous ARP responses or inconsistent IP-to-MAC mappings using auditd and packet capture. Behavioral focus is on unsolicited replies overriding legitimate ARP ownership.

Enterprise · AN1092 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1092 is a Linux-focused detection analytic for suspicious gratuitous ARP activity and inconsistent IP-to-MAC mappings. In practical terms, it helps teams spot when a device may be trying to override who “owns” an IP address on a local network segment, which can create risk for traffic integrity, service reliability, and incident response visibility.

Executive priority

This analytic is most relevant where Linux systems operate on shared network segments, including production, administrative, or operational environments. Leaders should treat it as a control-validation question: do we have enough host and packet-level visibility to prove that local address ownership changes are legitimate, and can the SOC distinguish normal network changes from suspicious ARP behavior during an incident?

Technical view

The supplied ATT&CK object specifies Linux, auditd, and packet capture as the basis for detecting unsolicited ARP replies and inconsistent IP-to-MAC mappings. SOC and detection engineering teams should validate whether Linux audit data and network packet evidence are collected from the segments where this behavior matters, then tune logic around gratuitous ARP responses that override expected mappings. Because no ATT&CK tactic, relationship context, or formal detection logic is supplied, local baseline behavior is essential.

Likely telemetry

  • Linux auditd records relevant to network configuration or interface activity
  • Packet capture or network sensor data showing ARP requests and replies
  • Observed IP-to-MAC mapping history from network monitoring tools
  • Asset inventory or DHCP/static assignment records for expected IP-to-MAC ownership
  • Network segment context identifying where Linux hosts communicate locally

Detection direction

  • Validate visibility into ARP traffic on Linux-relevant network segments; endpoint logs alone may not be sufficient.
  • Baseline expected gratuitous ARP behavior from legitimate failover, virtualization, container, DHCP, or network maintenance activity.
  • Alert on unsolicited ARP replies that change or conflict with known IP-to-MAC ownership, especially when repeated or seen across sensitive segments.
  • Correlate packet evidence with asset inventory and assignment records before escalating, to reduce false positives from planned infrastructure changes.
  • Document blind spots where packet capture is absent, switched traffic is not visible, or auditd coverage is inconsistent.
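The detection direction above, as an added worked example (not part of the ATT&CK object or Glexia's page): a small Python detector that runs over ARP reply records, learns or takes IP-to-MAC ownership from an inventory, flags replies that claim an IP with a different MAC, marks whether each was unsolicited or gratuitous, counts repeats, and suppresses MACs baselined as legitimate failover claimants. The record schema, the sample traffic and the inventory are constructed assumptions, not a real sensor format.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class ArpRecord:          # one ARP packet as a sensor might export it (assumed schema)
    ts: float
    op: str               # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

def detect_arp_overrides(records, expected=None, allowed_macs=frozenset()):
    """Flag ARP replies whose sender MAC conflicts with the known owner of the IP.
    expected: authoritative IP -> MAC map (inventory/DHCP); allowed_macs: MACs
    baselined as legitimate claimants (e.g. a shared failover MAC)."""
    known = dict(expected or {})   # learned mappings start from inventory
    requested = set()              # target IPs with an outstanding request
    repeats = Counter()            # (ip, mac) conflict count, for "repeated"
    alerts = []
    for r in records:
        if r.op == "request":
            requested.add(r.target_ip)
            continue
        solicited = r.sender_ip in requested   # a reply nobody asked for is unsolicited
        requested.discard(r.sender_ip)
        owner = known.get(r.sender_ip)
        if owner is None:
            known[r.sender_ip] = r.sender_mac   # first sighting: learn it
            continue
        if owner == r.sender_mac or r.sender_mac in allowed_macs:
            continue
        repeats[(r.sender_ip, r.sender_mac)] += 1
        alerts.append({
            "ts": r.ts, "ip": r.sender_ip, "expected_mac": owner,
            "claimed_mac": r.sender_mac, "unsolicited": not solicited,
            "gratuitous": r.sender_ip == r.target_ip,   # sender == target
            "repeat": repeats[(r.sender_ip, r.sender_mac)],
        })
    return alerts

# Constructed sample traffic (not real captures): the gateway answers a
# request normally, then another MAC gratuitously claims its IP twice.
SAMPLE = [
    ArpRecord(1.0, "request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpRecord(1.1, "reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpRecord(2.0, "reply", "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.1"),
    ArpRecord(3.0, "reply", "10.0.0.1", "bb:bb:bb:bb:bb:99", "10.0.0.1"),
]
INVENTORY = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}   # constructed authoritative record
```

Passing the failover MAC in `allowed_macs` is the baselining step; without an inventory the first reply seen for an IP becomes its learned owner, so seed `expected` from asset records wherever they exist.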

Mitigation priorities

  • Maintain authoritative asset, IP, and MAC ownership records for critical Linux-connected segments.
  • Ensure packet capture or network monitoring exists where local address ownership changes would create material operational risk.
  • Harden change-management processes for legitimate network failover or address reassignment so SOC teams can separate expected from suspicious ARP behavior.
  • Review Linux auditd coverage and retention for systems where host-side evidence is needed during investigations.
  • Use incident response playbooks that include validation of ARP tables, packet evidence, and network segment ownership when inconsistent mappings are observed.

Analyst notes and limits

This is a detection analytic object, not a technique or campaign report. Its value is in validating whether defenders can observe and investigate suspicious ARP ownership changes on Linux-relevant network segments. The object provides no tactic mapping or relationship context, so prioritization should be based on local network criticality and monitoring coverage.

Official detection logic is not provided, and no ATT&CK relationships are supplied. The object supports Linux, auditd, and packet capture only; it does not justify claims about other platforms, specific adversaries, active exploitation, or guaranteed detection outcomes.

Official MITRE ATT&CK definition

Analytic 1092

Detects suspicious gratuitous ARP responses or inconsistent IP-to-MAC mappings using auditd and packet capture. Behavioral focus is on unsolicited replies overriding legitimate ARP ownership.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4d8711efa0cebd2c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 4d8711efa0ce…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1092 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.