ARP.EXE

  • File Path: C:\windows\system32\ARP.EXE
  • Description: TCP/IP Arp Command

Hashes

Type Hash
MD5 D627D0D71F6749F4B819646CB228EB3B
SHA1 B1DF23850C204DCC7C509DE660601D8DF31B9C18
SHA256 5E04F971AEC03D76F981E1A085F18792B751397260E3DC10266C5F200D89A791
SHA384 01EF53A6FEE81BF4B90F02B25EF1BC54CA7D650459F16355D97C871F004177CE515320F622193A547D48692BC3165FE8
SHA512 E4563FA2461307587C9B911F51EF90E4F2BA553BC13596249BEBB7F183D3C97D3CEFCC907FED44BD253E28AED144101F67220E63F8B536FA97D9ADE26949E82E
SSDEEP 384:nl529MPeNVyPGk7KNh60sSQaNZUCXEuUgsZDn3XNNo8zuzMwqWSDmW:nl529rVCauSQaNZ1EukBjzunY

Signature

  • Status: The file C:\windows\system32\ARP.EXE is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: arp.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of ARP.EXE being misused. While ARP.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_multiple_suspicious_cli.yml - arp.exe DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


arp

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays and modifies entries in the Address Resolution Protocol (ARP) cache. The ARP cache contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help information.

Syntax

arp [/a [<inetaddr>] [/n <ifaceaddr>]] [/g [<inetaddr>] [-n <ifaceaddr>]] [/d <inetaddr> [<ifaceaddr>]] [/s <inetaddr> <etheraddr> [<ifaceaddr>]]

Parameters

Parameter Description
[/a [<inetaddr>] [/n <ifaceaddr>] Displays current arp cache tables for all interfaces. The /n parameter is case-sensitive. To display the arp cache entry for a specific IP address, use arp /a with the inetaddr parameter, where inetaddr is an IP address. If inetaddr is not specified, the first applicable interface is used. To display the arp cache table for a specific interface, use the /n ifaceaddr parameter in conjunction with the /a parameter where inetaddr is the IP address assigned to the interface.
[/g [<inetaddr>] [/n <ifaceaddr>] Identical to /a.
[/d <inetaddr> [<ifaceaddr>] Deletes an entry with a specific IP address, where inetaddr is the IP address. To delete an entry in a table for a specific interface, use the ifaceaddr parameter where ifaceaddr is the IP address assigned to the interface. To delete all entries, use the asterisk (*) wildcard character in place of inetaddr.
[/s <inetaddr> <etheraddr> [<ifaceaddr>] Adds a static entry to the arp cache that resolves the IP address inetaddr to the physical address etheraddr. To add a static arp cache entry to the table for a specific interface, use the ifaceaddr parameter where ifaceaddr is an IP address assigned to the interface.
/? Displays help at the command prompt.

Remarks

  • The IP addresses for inetaddr and ifaceaddr are expressed in dotted decimal notation.

  • The physical address for etheraddr consists of six bytes expressed in hexadecimal notation and separated by hyphens (for example, 00-AA-00-4F-2A-9C).

  • Entries added with the /s parameter are static and do not time out of the arp cache. The entries are removed if the TCP/IP protocol is stopped and started. To create permanent static arp cache entries, place the appropriate arp commands in a batch file and use Scheduled Tasks to run the batch file at startup.

Examples

To display the arp cache tables for all interfaces, type:

arp /a

To display the arp cache table for the interface that is assigned the IP address 10.0.0.99, type:

arp /a /n 10.0.0.99

To add a static arp cache entry that resolves the IP address 10.0.0.80 to the physical address 00-AA-00-4F-2A-9C, type:

arp /s 10.0.0.80 00-AA-00-4F-2A-9C

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.