Arp Cache Discovery¶

Metadata¶


Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/11/10
Modification Date	2020/11/10
Tactics	[‘TA0007’]
Techniques	[‘T1018’]
Tags	None

Dataset Description¶

This dataset represents a threat actor using arp to list out the arp cache.

Datasets Downloads¶

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/linux/discovery/host/sh_arp_cache.zip

Notebooks¶

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan¶

Environment	Tool Type	Module
Lab VM	Manual	sh

Adversary View¶

wardog@UBUNTU5:~$ arp -a | grep -v '^?'
_gateway (192.168.2.1) at 12:34:56:78:9a:bc [ether] on eth0 

Explore Mordor Dataset¶

Initialize Analytics Engine¶

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File¶

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/linux/discovery/host/sh_arp_cache.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

Get to know your data¶

df = spark.sql(
'''
SELECT *
FROM mordorTable
'''
)
df.show(1, vertical=True)

Discovery MAC