T1557.004

Evil Twin

Adversaries may host fraudulent Wi-Fi access points using the same SSID as a legitimate network to intercept traffic, steal credentials, or deliver malware. Evil Twin attacks exploit the 802.11 protocol's lack of mutual AP authentication — clients connect to whichever access point advertises the correct SSID with the strongest signal, without verifying the AP's identity. Attackers use tools such as hostapd, airbase-ng, create_ap, or Wi-Fi Pineapple devices to clone corporate or public SSIDs. Upon connection, victims are often directed to a fake captive portal for credential harvesting or subjected to man-in-the-middle attacks against unencrypted or SSL-stripped traffic. Attackers may also listen for 802.11 probe requests in which client devices broadcast previously connected network names (Preferred Network Lists), responding with matching SSIDs to automatically attract victim connections. APT28 (Fancy Bear / GRU) operationally deployed Wi-Fi Pineapple devices for Evil Twin attacks during intelligence collection operations against Organization for the Prohibition of Chemical Weapons (OPCW) and other targets, as documented in the October 2018 GRU indictment.

Microsoft Sentinel / Defender

kusto

// Evil Twin Detection via SSID/BSSID Anomaly Analysis
// Requires Microsoft Defender for Endpoint (MDE) telemetry — DeviceNetworkInfo table
// Detects the same SSID being advertised by multiple distinct BSSIDs across enrolled endpoints
// Legitimate enterprise AP clusters have a known, bounded set of BSSIDs per SSID;
// an Evil Twin introduces a new, unauthorized BSSID advertising the same corporate SSID
let TimeWindow = 24h;
let BSSIDThreshold = 2; // Tune based on your wireless infrastructure AP count per SSID
let CorporateSSIDPatterns = dynamic(["corp", "office", "employee", "secure", "work", "hq", "internal", "guest", "wireless"]);
// Step 1: Map all SSID -> BSSID observations across all enrolled devices in the time window
let SSIDBSSIDMap =
    DeviceNetworkInfo
    | where Timestamp > ago(TimeWindow)
    | extend ParsedNetworks = parse_json(ConnectedNetworks)
    | mv-expand Network = ParsedNetworks
    | extend
        SSID       = tostring(Network.SSID),
        BSSID      = tostring(Network.BSSID),
        AuthType   = tostring(Network.AuthenticationType),
        CipherType = tostring(Network.CipherType)
    | where SSID != "" and BSSID != "" and BSSID != "00:00:00:00:00:00"
    | where SSID has_any (CorporateSSIDPatterns)
    | summarize
        UniqueBSSIDs  = make_set(BSSID),
        BSSIDCount    = dcount(BSSID),
        AffectedDevices = make_set(DeviceName),
        DeviceCount   = dcount(DeviceName),
        AuthTypes     = make_set(AuthType),
        CipherTypes   = make_set(CipherType),
        FirstSeen     = min(Timestamp),
        LastSeen      = max(Timestamp)
      by SSID
    | where BSSIDCount > BSSIDThreshold;
// Step 2: Join back to individual device connections for analyst triage
DeviceNetworkInfo
| where Timestamp > ago(TimeWindow)
| extend ParsedNetworks = parse_json(ConnectedNetworks)
| mv-expand Network = ParsedNetworks
| extend
    SSID     = tostring(Network.SSID),
    BSSID    = tostring(Network.BSSID),
    AuthType = tostring(Network.AuthenticationType)
| where SSID != "" and BSSID != ""
| join kind=inner SSIDBSSIDMap on SSID
| project
    Timestamp,
    DeviceName,
    SSID,
    ConnectedBSSID    = BSSID,
    AllObservedBSSIDs = UniqueBSSIDs,
    TotalBSSIDCount   = BSSIDCount,
    TotalAffectedDevices = DeviceCount,
    AuthType,
    AuthTypesObserved = AuthTypes,
    CipherTypesObserved = CipherTypes,
    FirstSeen,
    LastSeen
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Connection Creation Microsoft Defender for Endpoint — DeviceNetworkInfo

Required Tables

DeviceNetworkInfo

False Positives

Enterprise wireless networks with band steering where the same physical AP serves 2.4GHz, 5GHz, and 6GHz (Wi-Fi 6E) bands — each radio has a distinct BSSID for the same SSID, legitimately producing 2-3 BSSIDs per AP
Mesh Wi-Fi deployments (Cisco Meraki, Ubiquiti UniFi, Aruba Instant) where each mesh node has a unique BSSID for the same SSID — large campus environments with dozens of APs generate very high BSSID counts
Wireless LAN controllers using roaming optimization (802.11r Fast BSS Transition) that may create transient BSSIDs during roaming handoffs
Wi-Fi repeaters and range extenders rebroadcasting the same SSID with a different (self-assigned) BSSID
Guest Wi-Fi VLAN segmentation where the same SSID is broadcast on separate VLANs by different AP radios, each with a unique BSSID

Splunk

spl

| tstats count WHERE index=wineventlog sourcetype="WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational" EventCode=8001 BY _time, host, EventCode
| table _time, host, EventCode
```

```spl
(index=wineventlog OR index=windows)
sourcetype="WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational"
(EventCode=8001 OR EventCode=11005)
| rex field=Message "(?ms)SSID\s*:\s*(?<ssid>[^\r\n]+)"
| rex field=Message "(?ms)BSSID\s*:\s*(?<bssid>[0-9a-fA-F:]{17})"
| rex field=Message "(?ms)Authentication\s+algorithm\s*:\s*(?<auth_algo>[^\r\n]+)"
| rex field=Message "(?ms)Cipher\s*:\s*(?<cipher>[^\r\n]+)"
| where isnotnull(ssid) AND len(ssid) > 0
| eval bssid=lower(trim(bssid))
| eval ssid=trim(ssid)
| eval auth_algo=lower(trim(auth_algo))
| stats
    values(bssid)    as observed_bssids,
    dc(bssid)        as unique_bssid_count,
    values(host)     as connected_hosts,
    dc(host)         as host_count,
    earliest(_time)  as first_seen,
    latest(_time)    as last_seen,
    values(auth_algo) as auth_algorithms,
    values(cipher)   as ciphers
  by ssid
| where unique_bssid_count > 2
| eval evil_twin_risk=case(
    unique_bssid_count > 5, "high",
    unique_bssid_count > 3, "medium",
    true(), "low"
  )
| eval alert_detail="SSID '" . ssid . "' observed with " . unique_bssid_count . " distinct BSSIDs across " . host_count . " hosts — potential Evil Twin AP"
| table first_seen, ssid, unique_bssid_count, observed_bssids, host_count, connected_hosts, auth_algorithms, ciphers, evil_twin_risk, alert_detail
| sort - unique_bssid_count

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Windows Event Log: Microsoft-Windows-WLAN-AutoConfig/Operational Event ID 8001 Windows Event Log: Microsoft-Windows-WLAN-AutoConfig/Operational Event ID 11005

Required Sourcetypes

WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational

False Positives

Large campus environments with many physical access points — each has a unique BSSID for the same SSID; tune unique_bssid_count threshold based on actual AP count from wireless controller inventory
Band steering in enterprise APs producing multiple BSSIDs per physical device (one for each radio: 2.4GHz, 5GHz, 6GHz)
Wireless mesh networks where every node has a distinct BSSID for the same SSID across building coverage areas
Wi-Fi repeater or extender devices adding additional BSSIDs to extend an existing corporate network
Conference or event spaces where temporary APs are deployed with the same corporate SSID under an IT-approved expansion

Elastic Security (EQL)

eql

sequence by host.name, winlog.event_data.SSID with maxspan=1h
  [any where event.provider == "Microsoft-Windows-WLAN-AutoConfig" and
   event.code == "8001" and
   winlog.event_data.BSSID != null and
   winlog.event_data.BSSID != "00:00:00:00:00:00" and
   (winlog.event_data.SSID like "*corp*" or
    winlog.event_data.SSID like "*office*" or
    winlog.event_data.SSID like "*employee*" or
    winlog.event_data.SSID like "*secure*" or
    winlog.event_data.SSID like "*work*" or
    winlog.event_data.SSID like "*hq*" or
    winlog.event_data.SSID like "*internal*" or
    winlog.event_data.SSID like "*guest*" or
    winlog.event_data.SSID like "*wireless*")] as first_connect
  [any where event.provider == "Microsoft-Windows-WLAN-AutoConfig" and
   event.code == "8001" and
   winlog.event_data.BSSID != null and
   winlog.event_data.BSSID != "00:00:00:00:00:00" and
   winlog.event_data.BSSID != first_connect.winlog.event_data.BSSID]

high severity medium confidence

Data Sources

Windows WLAN AutoConfig Operational log (Microsoft-Windows-WLAN-AutoConfig/Operational) Winlogbeat or Elastic Agent Windows Event Log integration

Required Tables

logs-windows.wineventlog-* winlogbeat-*

False Positives

Legitimate enterprise wireless infrastructure with multiple APs sharing the same SSID for seamless roaming — each physical AP has a unique BSSID, so a roaming laptop connecting to a closer AP after moving between floors or buildings fires this sequence rule; whitelist known authorized BSSIDs using an Elastic value list and add a NOT condition
Wireless controller-managed networks using virtual BSSIDs or band-steering that present different BSSIDs per radio band (2.4 GHz vs 5 GHz vs 6 GHz) under the same SSID, causing sequential BSSID changes when a client is steered between bands on the same physical AP
Access point firmware upgrades or hardware replacements that change the BSSID of an existing AP while retaining the same SSID, producing a one-time BSSID change event that matches the sequence pattern

IBM QRadar (AQL)

sql

SELECT
    e.devicehostname AS hostname,
    e."SSID" AS ssid,
    e."BSSID" AS bssid,
    DATEFORMAT(e.devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    e.sourceip AS source_ip,
    e.eventid AS event_id,
    agg.unique_bssid_count,
    agg.affected_host_count
FROM events e
INNER JOIN (
    SELECT
        "SSID",
        COUNT(DISTINCT "BSSID") AS unique_bssid_count,
        COUNT(DISTINCT devicehostname) AS affected_host_count
    FROM events
    WHERE LOGSOURCETYPEID = 12
      AND eventid IN (8001, 11005)
      AND "SSID" IS NOT NULL
      AND "SSID" <> ''
      AND "BSSID" IS NOT NULL
      AND "BSSID" <> ''
      AND "BSSID" <> '00:00:00:00:00:00'
    GROUP BY "SSID"
    HAVING COUNT(DISTINCT "BSSID") > 2
    LAST 24 HOURS
) AS agg ON e."SSID" = agg."SSID"
WHERE e.LOGSOURCETYPEID = 12
  AND e.eventid IN (8001, 11005)
  AND e."SSID" IS NOT NULL
  AND e."BSSID" IS NOT NULL
  AND e."BSSID" <> '00:00:00:00:00:00'
ORDER BY agg.unique_bssid_count DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar Windows Event Log DSM (LOGSOURCETYPEID 12) Windows WLAN AutoConfig Operational log — Event IDs 8001 and 11005

Required Tables

events

False Positives

Large enterprise wireless deployments where a single corporate SSID is broadcast by dozens of access points across office floors and buildings — the HAVING COUNT(DISTINCT BSSID) > 2 threshold is nearly always exceeded in production; build a QRadar Reference Table of authorized BSSID-to-SSID mappings and filter them from the inner aggregation query
Wireless infrastructure upgrades or AP replacement cycles that temporarily introduce a new BSSID for an existing SSID before the old hardware is decommissioned, causing a transient spike in BSSID count per SSID that resolves within hours
Guest or conference room SSIDs managed by third-party hospitality or MSP wireless providers where multiple independently operated BSSIDs may legitimately share a common SSID name across a large venue or campus

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*wineventlog* OR _sourceCategory=*wlan*)
| where _raw matches /Microsoft-Windows-WLAN-AutoConfig/
| where _raw matches /EventID[=: ]+(?:8001|11005)|EventCode[=: ]+(?:8001|11005)/
| parse regex field=_raw "SSID\s*:\s*(?<ssid>[^\r\n<]+)"
| parse regex field=_raw "BSSID\s*:\s*(?<bssid>[0-9a-fA-F:]{17})"
| parse regex field=_raw "Authentication\s+algorithm\s*:\s*(?<auth_algo>[^\r\n<]+)"
| where !isEmpty(ssid) AND !isEmpty(bssid)
| where bssid != "00:00:00:00:00:00"
| where ssid matches /(?i)(corp|office|employee|secure|work|hq|internal|guest|wireless)/
| toLowerCase(bssid) as bssid
| trim(ssid) as ssid
| trim(auth_algo) as auth_algo
| count_distinct(bssid) as unique_bssid_count,
  values(bssid) as observed_bssids,
  count_distinct(_sourceHost) as host_count,
  values(_sourceHost) as affected_hosts,
  values(auth_algo) as auth_algorithms,
  min(_messageTime) as first_seen,
  max(_messageTime) as last_seen
  by ssid
| where unique_bssid_count > 2
| if(unique_bssid_count > 5, "HIGH", if(unique_bssid_count > 3, "MEDIUM", "LOW")) as risk_level
| concat("SSID '", ssid, "' observed with ", tostring(unique_bssid_count), " distinct BSSIDs across ", tostring(host_count), " hosts — potential Evil Twin AP") as alert_summary
| fields first_seen, last_seen, ssid, unique_bssid_count, observed_bssids, host_count, affected_hosts, auth_algorithms, risk_level, alert_summary
| sort by unique_bssid_count desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector — Windows Event Log source Windows WLAN AutoConfig Operational channel (Microsoft-Windows-WLAN-AutoConfig/Operational) Event IDs 8001, 11005

Required Tables

Windows WLAN AutoConfig Operational log source configured in Sumo Logic

False Positives

Enterprise wireless networks with dense AP coverage broadcasting a single corporate SSID — a large campus deployment may legitimately have 10–50+ BSSIDs per SSID; tune the unique_bssid_count threshold significantly higher or switch to anomaly detection against a baseline count per SSID established during a clean period
Cloud-managed wireless controllers (Cisco Meraki, Aruba Central, Juniper Mist) that use separate virtual BSSIDs per radio band (2.4 GHz, 5 GHz, 6 GHz) under the same SSID name, tripling the expected BSSID count relative to physical AP count without any adversarial activity
Remote employees or travelers connecting to hotel, airport, or co-working space Wi-Fi networks whose SSIDs match the corporate keyword regex (e.g., 'secure', 'guest', 'wireless') but belong to unrelated infrastructure operated by hospitality providers across many sites

Google Chronicle / SecOps

yaral

rule evil_twin_ssid_multi_bssid {
  meta:
    author = "df00tech"
    description = "Detects Evil Twin AP attack: same corporate SSID advertised by multiple distinct BSSIDs from different hosts within 24h, indicating a rogue AP cloning a legitimate network"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1557.004"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1557/004/"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Legitimate enterprise APs sharing SSID for roaming; tune BSSID threshold to your AP infrastructure baseline"
    version = "1.0"

  events:
    $e1.metadata.event_type = "NETWORK_CONNECTION"
    $e1.metadata.vendor_name = "Microsoft"
    $e1.network.ssid != ""
    $e1.network.bssid != ""
    $e1.network.bssid != "00:00:00:00:00:00"
    re.regex($e1.network.ssid, `(?i)(corp|office|employee|secure|work|hq|internal|guest|wireless)`)
    $ssid = $e1.network.ssid
    $bssid1 = $e1.network.bssid
    $host1 = $e1.principal.hostname

    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.metadata.vendor_name = "Microsoft"
    $e2.network.ssid = $ssid
    $e2.network.bssid != ""
    $e2.network.bssid != "00:00:00:00:00:00"
    $e2.network.bssid != $bssid1
    $e2.principal.hostname != $host1

  match:
    $ssid over 24h

  condition:
    $e1 and $e2
}

high severity medium confidence

Data Sources

Google Chronicle UDM NETWORK_CONNECTION events Windows WLAN AutoConfig Operational log normalized via Chronicle Windows parser or Bindplane OP agent Endpoint telemetry with UDM network.ssid and network.bssid field population confirmed

Required Tables

UDM events — NETWORK_CONNECTION type with network.ssid and network.bssid populated by parser

False Positives

Enterprise wireless infrastructure with many APs sharing a corporate SSID — different hosts on different floors connecting to their nearest AP each get a unique BSSID, satisfying both the SSID match and BSSID mismatch conditions; create a Chronicle reference list of authorized BSSIDs per SSID and add a NOT $e1.network.bssid in %authorized_bssids condition
Wireless networks using 802.11r fast BSS transition or 802.11k neighbor reports that actively steer clients between BSSIDs, causing UDM NETWORK_CONNECTION events on different hosts to show valid SSID-consistent but BSSID-variable connection patterns that are completely legitimate
Organizational mergers or acquisitions where two companies temporarily operate overlapping SSIDs (e.g., both have a 'corp' or 'guest' network) at shared office locations, creating a period where the same SSID resolves to BSSIDs from two entirely separate wireless infrastructure owners

CrowdStrike LogScale (CQL)

cql

// Evil Twin Detection — SSID/BSSID cardinality anomaly via Windows WLAN AutoConfig events
// Requires Windows Event Log collection for Microsoft-Windows-WLAN-AutoConfig/Operational channel
event.provider = "Microsoft-Windows-WLAN-AutoConfig"
| EventID in (8001, 11005)
| ssid := replace(field=Message, regex="(?ms).*?SSID\\s*:\\s*([^\\r\\n]+).*", replacement="$1")
| bssid := replace(field=Message, regex="(?ms).*?BSSID\\s*:\\s*([0-9a-fA-F:]{17}).*", replacement="$1")
| ssid := trim(ssid)
| bssid := lower(bssid)
| ssid != ""
| bssid != "00:00:00:00:00:00"
| regex(field=ssid, regex="(?i)(corp|office|employee|secure|work|hq|internal|guest|wireless)")
| groupBy(
    [ssid],
    function=[
      count(distinct=bssid, as=unique_bssid_count),
      array(bssid, as=observed_bssids, limit=20),
      count(distinct=ComputerName, as=affected_host_count),
      array(ComputerName, as=affected_hosts, limit=50),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ]
  )
| unique_bssid_count > 2
| evil_twin_risk := if(unique_bssid_count > 5, "HIGH", if(unique_bssid_count > 3, "MEDIUM", "LOW"))
| sort(field=unique_bssid_count, order=desc)

high severity medium confidence

Data Sources

CrowdStrike LogScale — Windows Event Log collection (Microsoft-Windows-WLAN-AutoConfig/Operational channel) Falcon sensor policy with Windows Event Log forwarding enabled for WLAN AutoConfig, or third-party log forwarding pipeline to LogScale

Required Tables

Windows WLAN AutoConfig Operational events (EventID 8001, 11005) ingested into LogScale repository

False Positives

Dense enterprise AP deployments broadcasting a single corporate SSID across many access points — a large office with 30 APs sharing one SSID name will produce 30 distinct BSSIDs in the aggregation; baseline the expected BSSID count per SSID during a quiet period and set the threshold to expected-max plus a buffer rather than a static value of 2
Falcon sensor Windows Event Log collection may produce duplicate or malformed event records during log channel buffering or sensor policy changes, causing the regex BSSID extraction to return empty or constant placeholder strings that inflate or deflate the cardinality count artificially
Road warriors and remote employees who work from multiple locations (home office, coffee shop, client site) each with a Wi-Fi network that matches corporate SSID patterns (e.g., a home router named 'homecorp') contribute unique BSSIDs to the aggregation that have no adversarial relevance

Last updated: 2026-04-21 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1557.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB Relay T1557.002ARP Cache Poisoning T1557.003DHCP Spoofing

Evil Twin

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections