ARP.EXE

  • File Path: C:\Windows\SysWOW64\ARP.EXE
  • Description: TCP/IP Arp Command

Hashes

Type Hash
MD5 4D3943EDBC9C7E18DC3469A21B30B3CE
SHA1 534A42A7045ED26D11D00721A9542CACA7F2B4EF
SHA256 F9C384659E3C66FB0AF5F18D19A16AE11910AEFD3BEAFE2170F937FD521E0391
SHA384 E58AD4054E6BBF6C22A14A3C548EC5E0E21DCBCF22B776FBF60C86A6B3DCE1794CBE552773CA00CBBF8CF6F676F12B24
SHA512 5D2BB83308C3D0612DE54451B6852C61774DFC05904FA5F4B1160E044CFC5D63151F5821F6A970DBD399C28F75868B0933B7A60B2016DF68EDC40AF85183EFE2
SSDEEP 384:wWh7jqKlUDy3Xm0s5bF5r5ymHBISmmGtjPx5IWS9mWM0:wWh7j7LHmJj/ymHCltjZ5c
IMP 7B5BE93B3EE823A6C20B62AEBA53062F
PESHA1 54A1F3FE82198EC437BD9B135FF0ED1FA223D2CE
PE256 AEE01415E70A49BF64EB532BC782F8D10D9BB48B798D26EC9F8016117FEF95A4

Runtime Data

Usage (stdout):


Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr] [-v]

  -a            Displays current ARP entries by interrogating the current
                protocol data.  If inet_addr is specified, the IP and Physical
                addresses for only the specified computer are displayed.  If
                more than one network interface uses ARP, entries for each ARP
                table are displayed.
  -g            Same as -a.
  -v            Displays current ARP entries in verbose mode.  All invalid 
                entries and entries on the loop-back interface will be shown.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified
                by if_addr.
  -d            Deletes the host specified by inet_addr. inet_addr may be 
                wildcarded with * to delete all hosts.
  -s            Adds the host and associates the Internet address inet_addr
                with the Physical address eth_addr.  The Physical address is
                given as 6 hexadecimal bytes separated by hyphens. The entry
                is permanent.
  eth_addr      Specifies a physical address.
  if_addr       If present, this specifies the Internet address of the
                interface whose address translation table should be modified.
                If not present, the first applicable interface will be used.
Example:
  > arp -s 157.55.85.212   00-aa-00-62-c6-09  .... Adds a static entry.
  > arp -a                                    .... Displays the arp table.

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\ARP.EXE

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: arp.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/f9c384659e3c66fb0af5f18d19a16ae11910aefd3beafe2170f937fd521e0391/detection

Possible Misuse

The following table contains possible examples of ARP.EXE being misused. While ARP.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_multiple_suspicious_cli.yml - arp.exe DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

arp

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays and modifies entries in the Address Resolution Protocol (ARP) cache. The ARP cache contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help information.

Syntax

arp [/a [<inetaddr>] [/n <ifaceaddr>]] [/g [<inetaddr>] [-n <ifaceaddr>]] [/d <inetaddr> [<ifaceaddr>]] [/s <inetaddr> <etheraddr> [<ifaceaddr>]]

Parameters

Parameter Description
[/a [<inetaddr>] [/n <ifaceaddr>] Displays current arp cache tables for all interfaces. The /n parameter is case-sensitive. To display the arp cache entry for a specific IP address, use arp /a with the inetaddr parameter, where inetaddr is an IP address. If inetaddr is not specified, the first applicable interface is used. To display the arp cache table for a specific interface, use the /n ifaceaddr parameter in conjunction with the /a parameter where inetaddr is the IP address assigned to the interface.
[/g [<inetaddr>] [/n <ifaceaddr>] Identical to /a.
[/d <inetaddr> [<ifaceaddr>] Deletes an entry with a specific IP address, where inetaddr is the IP address. To delete an entry in a table for a specific interface, use the ifaceaddr parameter where ifaceaddr is the IP address assigned to the interface. To delete all entries, use the asterisk (*) wildcard character in place of inetaddr.
[/s <inetaddr> <etheraddr> [<ifaceaddr>] Adds a static entry to the arp cache that resolves the IP address inetaddr to the physical address etheraddr. To add a static arp cache entry to the table for a specific interface, use the ifaceaddr parameter where ifaceaddr is an IP address assigned to the interface.
/? Displays help at the command prompt.

Remarks

  • The IP addresses for inetaddr and ifaceaddr are expressed in dotted decimal notation.

  • The physical address for etheraddr consists of six bytes expressed in hexadecimal notation and separated by hyphens (for example, 00-AA-00-4F-2A-9C).

  • Entries added with the /s parameter are static and do not time out of the arp cache. The entries are removed if the TCP/IP protocol is stopped and started. To create permanent static arp cache entries, place the appropriate arp commands in a batch file and use Scheduled Tasks to run the batch file at startup.

Examples

To display the arp cache tables for all interfaces, type:

arp /a

To display the arp cache table for the interface that is assigned the IP address 10.0.0.99, type:

arp /a /n 10.0.0.99

To add a static arp cache entry that resolves the IP address 10.0.0.80 to the physical address 00-AA-00-4F-2A-9C, type:

arp /s 10.0.0.80 00-AA-00-4F-2A-9C

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.