T1557.004 IBM QRadar · QRadar

Detect Evil Twin in IBM QRadar

Adversaries may host fraudulent Wi-Fi access points using the same SSID as a legitimate network to intercept traffic, steal credentials, or deliver malware. Evil Twin attacks exploit the 802.11 protocol's lack of mutual AP authentication — clients connect to whichever access point advertises the correct SSID with the strongest signal, without verifying the AP's identity. Attackers use tools such as hostapd, airbase-ng, create_ap, or Wi-Fi Pineapple devices to clone corporate or public SSIDs. Upon connection, victims are often directed to a fake captive portal for credential harvesting or subjected to man-in-the-middle attacks against unencrypted or SSL-stripped traffic. Attackers may also listen for 802.11 probe requests in which client devices broadcast previously connected network names (Preferred Network Lists), responding with matching SSIDs to automatically attract victim connections. APT28 (Fancy Bear / GRU) operationally deployed Wi-Fi Pineapple devices for Evil Twin attacks during intelligence collection operations against Organization for the Prohibition of Chemical Weapons (OPCW) and other targets, as documented in the October 2018 GRU indictment.

MITRE ATT&CK

Tactic
Credential Access Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.004 Evil Twin
Canonical reference
https://attack.mitre.org/techniques/T1557/004/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    e.devicehostname AS hostname,
    e."SSID" AS ssid,
    e."BSSID" AS bssid,
    DATEFORMAT(e.devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    e.sourceip AS source_ip,
    e.eventid AS event_id,
    agg.unique_bssid_count,
    agg.affected_host_count
FROM events e
INNER JOIN (
    SELECT
        "SSID",
        COUNT(DISTINCT "BSSID") AS unique_bssid_count,
        COUNT(DISTINCT devicehostname) AS affected_host_count
    FROM events
    WHERE LOGSOURCETYPEID = 12
      AND eventid IN (8001, 11005)
      AND "SSID" IS NOT NULL
      AND "SSID" <> ''
      AND "BSSID" IS NOT NULL
      AND "BSSID" <> ''
      AND "BSSID" <> '00:00:00:00:00:00'
    GROUP BY "SSID"
    HAVING COUNT(DISTINCT "BSSID") > 2
    LAST 24 HOURS
) AS agg ON e."SSID" = agg."SSID"
WHERE e.LOGSOURCETYPEID = 12
  AND e.eventid IN (8001, 11005)
  AND e."SSID" IS NOT NULL
  AND e."BSSID" IS NOT NULL
  AND e."BSSID" <> '00:00:00:00:00:00'
ORDER BY agg.unique_bssid_count DESC
LAST 24 HOURS
high severity medium confidence

Detects Evil Twin AP attacks in IBM QRadar by aggregating SSID-to-BSSID cardinality across all Windows endpoints in the past 24 hours. The inner subquery uses COUNT(DISTINCT "BSSID") per SSID to identify networks that have been advertised by more than two unique BSSIDs — the Evil Twin signature. The outer query joins individual connection events against those anomalous SSIDs to surface per-host detail for analyst triage. Requires the QRadar Windows Event Log DSM with WLAN AutoConfig channel configured and fields SSID and BSSID parsed by the DSM into custom event properties or mapped device event payload fields. Event IDs 8001 (connection success) and 11005 (network not found / connection failed) are both included to capture adversary APs that are broadcasting but not yet successfully connecting victims.

Data Sources

IBM QRadar Windows Event Log DSM (LOGSOURCETYPEID 12)Windows WLAN AutoConfig Operational log — Event IDs 8001 and 11005

Required Tables

events

False Positives & Tuning

  • Large enterprise wireless deployments where a single corporate SSID is broadcast by dozens of access points across office floors and buildings — the HAVING COUNT(DISTINCT BSSID) > 2 threshold is nearly always exceeded in production; build a QRadar Reference Table of authorized BSSID-to-SSID mappings and filter them from the inner aggregation query
  • Wireless infrastructure upgrades or AP replacement cycles that temporarily introduce a new BSSID for an existing SSID before the old hardware is decommissioned, causing a transient spike in BSSID count per SSID that resolves within hours
  • Guest or conference room SSIDs managed by third-party hospitality or MSP wireless providers where multiple independently operated BSSIDs may legitimately share a common SSID name across a large venue or campus
Download portable Sigma rule (.yml)

Other platforms for T1557.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Evil Twin AP with hostapd and dnsmasq on Linux

    Expected signal: On victim Windows devices connecting to the rogue AP: WLAN AutoConfig Event ID 8001 in Microsoft-Windows-WLAN-AutoConfig/Operational showing successful connection to 'TargetCorporateSSID' with the attacker NIC's MAC address as BSSID. DHCP lease assignment from 192.168.50.x range (distinct from corporate DHCP). MDE DeviceNetworkInfo records new BSSID and gateway 192.168.50.1 for the SSID. DNS queries from victim directed to 192.168.50.1.

  2. Test 2Karma / Evil Twin Probe Response Attack with airbase-ng

    Expected signal: Victim devices send visible 802.11 probe requests (capture with: tcpdump -i wlan0mon -e 'wlan type mgt subtype probe-req' 2>/dev/null). airbase-ng probe responses visible in tcpdump (subtype probe-resp). Victim device connection generates WLAN AutoConfig Event 8001 with airbase-ng NIC MAC as BSSID. DeviceNetworkInfo in MDE captures at0 MAC as BSSID with SSID 'TargetCorporateSSID'. DHCP logs show 192.168.55.x lease assignment.

  3. Test 3Wi-Fi Pineapple PineAP SSID Broadcast Configuration

    Expected signal: Victim devices: WLAN AutoConfig Event 8001 with Pineapple's BSSID (Hak5 LLC OUI: 02:13:37 or similar; or randomized MAC depending on firmware version). Default gateway assignment from Pineapple's DHCP (typically 172.16.42.x or configured range). DeviceNetworkInfo captures Pineapple MAC as BSSID. Captive portal HTTP POST requests to 172.16.42.1 visible in web proxy logs. EvilPortal logs on Pineapple at /pineapple/modules/EvilPortal/logs/ contain captured credentials.

  4. Test 4Windows Mobile Hotspot Rogue AP (No Special Hardware Required)

    Expected signal: On the attacker device: Microsoft-Windows-WLAN-AutoConfig/Operational events related to hosted network state changes; System Event Log entries for the 'Microsoft Hosted Network Virtual Adapter' appearing. On victim devices that connect: WLAN AutoConfig Event 8001 with attacker device's virtual adapter MAC (Microsoft Virtual WiFi Miniport Adapter OUI) as BSSID. Default gateway 192.168.137.1 (Windows Mobile Hotspot default) appears in DeviceNetworkInfo — distinct from corporate gateway. DeviceNetworkInfo records new BSSID for the corporate-named SSID.

Last updated: 2026-04-21 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1557.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1557.002ARP Cache PoisoningT1557.003DHCP Spoofing

Related Techniques

T1557Adversary-in-the-MiddleT1040Network SniffingT1565.002Transmitted Data ManipulationT1056Input CaptureT1056.001KeyloggingT1110.001Password GuessingT1539Steal Web Session CookieT1550.001Application Access TokenT1602Data from Configuration Repository

Same Tactic: Credential Access

Popular Detections