Arp Cache Discovery

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/11/10

Modification Date

2020/11/10

Tactics

[‘TA0007’]

Techniques

[‘T1018’]

Tags

None

Dataset Description

This dataset represents a threat actor using arp to list out the arp cache.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment

Tool Type

Module

Lab VM

Manual

sh

Adversary View

wardog@UBUNTU5:~$ arp -a | grep -v '^?'
_gateway (192.168.2.1) at 12:34:56:78:9a:bc [ether] on eth0 

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/linux/discovery/host/sh_arp_cache.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

Get to know your data

df = spark.sql(
'''
SELECT *
FROM mordorTable
'''
)
df.show(1, vertical=True)