T1557.004 Microsoft Sentinel · KQL

Detect Evil Twin in Microsoft Sentinel

Adversaries may host fraudulent Wi-Fi access points using the same SSID as a legitimate network to intercept traffic, steal credentials, or deliver malware. Evil Twin attacks exploit the 802.11 protocol's lack of mutual AP authentication — clients connect to whichever access point advertises the correct SSID with the strongest signal, without verifying the AP's identity. Attackers use tools such as hostapd, airbase-ng, create_ap, or Wi-Fi Pineapple devices to clone corporate or public SSIDs. Upon connection, victims are often directed to a fake captive portal for credential harvesting or subjected to man-in-the-middle attacks against unencrypted or SSL-stripped traffic. Attackers may also listen for 802.11 probe requests in which client devices broadcast previously connected network names (Preferred Network Lists), responding with matching SSIDs to automatically attract victim connections. APT28 (Fancy Bear / GRU) operationally deployed Wi-Fi Pineapple devices for Evil Twin attacks during intelligence collection operations against Organization for the Prohibition of Chemical Weapons (OPCW) and other targets, as documented in the October 2018 GRU indictment.

MITRE ATT&CK

Tactic: Credential Access, Collection
Technique: T1557 Adversary-in-the-Middle
Sub-technique: T1557.004 Evil Twin
Canonical reference: https://attack.mitre.org/techniques/T1557/004/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// Evil Twin Detection via SSID/BSSID Anomaly Analysis
// Requires Microsoft Defender for Endpoint (MDE) telemetry — DeviceNetworkInfo table
// Detects the same SSID being advertised by multiple distinct BSSIDs across enrolled endpoints
// Legitimate enterprise AP clusters have a known, bounded set of BSSIDs per SSID;
// an Evil Twin introduces a new, unauthorized BSSID advertising the same corporate SSID
let TimeWindow = 24h;
let BSSIDThreshold = 2; // Tune based on your wireless infrastructure AP count per SSID
let CorporateSSIDPatterns = dynamic(["corp", "office", "employee", "secure", "work", "hq", "internal", "guest", "wireless"]);
// Step 1: Map all SSID -> BSSID observations across all enrolled devices in the time window
let SSIDBSSIDMap =
    DeviceNetworkInfo
    | where Timestamp > ago(TimeWindow)
    | extend ParsedNetworks = parse_json(ConnectedNetworks)
    | mv-expand Network = ParsedNetworks
    | extend
        SSID       = tostring(Network.SSID),
        BSSID      = tostring(Network.BSSID),
        AuthType   = tostring(Network.AuthenticationType),
        CipherType = tostring(Network.CipherType)
    | where SSID != "" and BSSID != "" and BSSID != "00:00:00:00:00:00"
    | where SSID has_any (CorporateSSIDPatterns)
    | summarize
        UniqueBSSIDs  = make_set(BSSID),
        BSSIDCount    = dcount(BSSID),
        AffectedDevices = make_set(DeviceName),
        DeviceCount   = dcount(DeviceName),
        AuthTypes     = make_set(AuthType),
        CipherTypes   = make_set(CipherType),
        FirstSeen     = min(Timestamp),
        LastSeen      = max(Timestamp)
      by SSID
    | where BSSIDCount > BSSIDThreshold;
// Step 2: Join back to individual device connections for analyst triage
DeviceNetworkInfo
| where Timestamp > ago(TimeWindow)
| extend ParsedNetworks = parse_json(ConnectedNetworks)
| mv-expand Network = ParsedNetworks
| extend
    SSID     = tostring(Network.SSID),
    BSSID    = tostring(Network.BSSID),
    AuthType = tostring(Network.AuthenticationType)
| where SSID != "" and BSSID != ""
| join kind=inner SSIDBSSIDMap on SSID
| project
    Timestamp,
    DeviceName,
    SSID,
    ConnectedBSSID    = BSSID,
    AllObservedBSSIDs = UniqueBSSIDs,
    TotalBSSIDCount   = BSSIDCount,
    TotalAffectedDevices = DeviceCount,
    AuthType,
    AuthTypesObserved = AuthTypes,
    CipherTypesObserved = CipherTypes,
    FirstSeen,
    LastSeen
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Detects Evil Twin attacks by analyzing SSID-to-BSSID mappings across Microsoft Defender for Endpoint enrolled devices using the DeviceNetworkInfo table. A legitimate enterprise Wi-Fi deployment has a predictable, bounded set of BSSIDs per SSID (one per physical access point radio). When an Evil Twin is deployed nearby, it introduces a new, unauthorized BSSID advertising the same SSID — creating an anomalous relationship where a single SSID maps to more BSSIDs than the number of deployed access points. The query identifies SSIDs with unexpectedly high BSSID counts and surfaces individual device connections for analyst review. Tune BSSIDThreshold and CorporateSSIDPatterns to match your wireless infrastructure. For highest fidelity, join against a watchlist of authorized BSSIDs exported from your wireless controller.

Data Sources

  • Network Traffic: Network Traffic Flow
  • Network Traffic: Network Connection Creation
  • Microsoft Defender for Endpoint — DeviceNetworkInfo

Required Tables

DeviceNetworkInfo

False Positives & Tuning

  • Enterprise wireless networks with band steering where the same physical AP serves 2.4GHz, 5GHz, and 6GHz (Wi-Fi 6E) bands — each radio has a distinct BSSID for the same SSID, legitimately producing 2-3 BSSIDs per AP
  • Mesh Wi-Fi deployments (Cisco Meraki, Ubiquiti UniFi, Aruba Instant) where each mesh node has a unique BSSID for the same SSID — large campus environments with dozens of APs generate very high BSSID counts
  • Wireless LAN controllers using roaming optimization (802.11r Fast BSS Transition) that may create transient BSSIDs during roaming handoffs
  • Wi-Fi repeaters and range extenders rebroadcasting the same SSID with a different (self-assigned) BSSID
  • Guest Wi-Fi VLAN segmentation where the same SSID is broadcast on separate VLANs by different AP radios, each with a unique BSSID
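The tuning paragraph above recommends joining against a watchlist of authorized BSSIDs, and the false-positive list shows why a raw BSSID count is noisy: multi-radio APs, mesh nodes and repeaters all legitimately multiply BSSIDs per SSID. The query below is an added example, not part of the original rule or its project, that combines both ideas: it alerts only on an SSID/BSSID pair that is absent from a Sentinel watchlist and was not seen for that SSID during a 30-day baseline, so stable infrastructure stops alerting after its first few days of observation. It assumes a watchlist named AuthorizedBSSIDs with columns SSID and BSSID (exported from the wireless controller) and the same ConnectedNetworks fields (SSID, BSSID) the main rule parses.

```kusto
// Added example: alert only on BSSIDs that are both unknown to the
// authorized-BSSID watchlist and new relative to a 30-day baseline.
// Assumptions: a Sentinel watchlist named "AuthorizedBSSIDs" with columns
// SSID and BSSID; DeviceNetworkInfo.ConnectedNetworks carrying SSID/BSSID
// as in the main rule above.
let BaselineWindow = 30d;
let DetectionWindow = 24h;
let CorporateSSIDPatterns = dynamic(["corp", "office", "employee", "secure", "work", "hq", "internal"]);
// Authorized SSID/BSSID pairs from the watchlist, lowercased so MAC case differences do not matter
let Authorized =
    _GetWatchlist('AuthorizedBSSIDs')
    | project SSID = tolower(tostring(SSID)), BSSID = tolower(tostring(BSSID));
// Helper: one row per (device, SSID, BSSID) observation between ago(Start) and ago(End)
let Observations = (Start: timespan, End: timespan) {
    DeviceNetworkInfo
    | where Timestamp between (ago(Start) .. ago(End))
    | mv-expand Network = parse_json(ConnectedNetworks)
    | extend SSID = tolower(tostring(Network.SSID)), BSSID = tolower(tostring(Network.BSSID))
    | where isnotempty(SSID) and isnotempty(BSSID) and BSSID != "00:00:00:00:00:00"
    | where SSID has_any (CorporateSSIDPatterns)
};
// Baseline: every BSSID seen per SSID in the 30 days preceding the detection window.
// Band-steered radios, mesh nodes and repeaters land here after a few days of
// observation and therefore no longer trigger.
let Baseline =
    Observations(BaselineWindow + DetectionWindow, DetectionWindow)
    | summarize KnownBSSIDs = make_set(BSSID, 10000) by SSID;
// Detection window: SSID/BSSID pairs seen in the last 24h
Observations(DetectionWindow, 0s)
| summarize
    Devices   = make_set(DeviceName),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
  by SSID, BSSID
// Drop pairs the wireless controller export says are authorized
| join kind=leftanti Authorized on SSID, BSSID
// Drop BSSIDs already seen for this SSID during the baseline
| join kind=leftouter Baseline on SSID
| where isnull(KnownBSSIDs) or set_has_element(KnownBSSIDs, BSSID) == false
| project SSID, NewBSSID = BSSID, DeviceCount = array_length(Devices), Devices, FirstSeen, LastSeen
| sort by FirstSeen desc
```

An SSID that has no baseline at all (isnull(KnownBSSIDs)) is reported rather than suppressed, since a corporate-named SSID that appears for the first time with no watchlist entry is exactly the case worth an analyst's look. The watchlist join is the authoritative filter; the baseline only reduces noise while the watchlist export is incomplete.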

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Evil Twin AP with hostapd and dnsmasq on Linux

    Expected signal: On victim Windows devices connecting to the rogue AP: WLAN AutoConfig Event ID 8001 in Microsoft-Windows-WLAN-AutoConfig/Operational showing successful connection to 'TargetCorporateSSID' with the attacker NIC's MAC address as BSSID. DHCP lease assignment from 192.168.50.x range (distinct from corporate DHCP). MDE DeviceNetworkInfo records new BSSID and gateway 192.168.50.1 for the SSID. DNS queries from victim directed to 192.168.50.1.

  2. Test 2: Karma / Evil Twin Probe Response Attack with airbase-ng

    Expected signal: Victim devices send visible 802.11 probe requests (capture with: tcpdump -i wlan0mon -e 'wlan type mgt subtype probe-req' 2>/dev/null). airbase-ng probe responses visible in tcpdump (subtype probe-resp). Victim device connection generates WLAN AutoConfig Event 8001 with airbase-ng NIC MAC as BSSID. DeviceNetworkInfo in MDE captures at0 MAC as BSSID with SSID 'TargetCorporateSSID'. DHCP logs show 192.168.55.x lease assignment.

  3. Test 3: Wi-Fi Pineapple PineAP SSID Broadcast Configuration

    Expected signal: Victim devices: WLAN AutoConfig Event 8001 with Pineapple's BSSID (Hak5 LLC OUI: 02:13:37 or similar; or randomized MAC depending on firmware version). Default gateway assignment from Pineapple's DHCP (typically 172.16.42.x or configured range). DeviceNetworkInfo captures Pineapple MAC as BSSID. Captive portal HTTP POST requests to 172.16.42.1 visible in web proxy logs. EvilPortal logs on Pineapple at /pineapple/modules/EvilPortal/logs/ contain captured credentials.

  4. Test 4: Windows Mobile Hotspot Rogue AP (No Special Hardware Required)

    Expected signal: On the attacker device: Microsoft-Windows-WLAN-AutoConfig/Operational events related to hosted network state changes; System Event Log entries for the 'Microsoft Hosted Network Virtual Adapter' appearing. On victim devices that connect: WLAN AutoConfig Event 8001 with attacker device's virtual adapter MAC (Microsoft Virtual WiFi Miniport Adapter OUI) as BSSID. Default gateway 192.168.137.1 (Windows Mobile Hotspot default) appears in DeviceNetworkInfo — distinct from corporate gateway. DeviceNetworkInfo records new BSSID for the corporate-named SSID.
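Every expected signal above has a second component besides the new BSSID: the victim receives a default gateway from the rogue AP's own DHCP scope (192.168.50.1, 192.168.55.x, 172.16.42.1 or 192.168.137.1 in the four tests) instead of a corporate gateway. The query below is an added example, not part of the original rule, that uses this to corroborate the SSID/BSSID signal from the DeviceNetworkInfo DefaultGateways and IPv4Dhcp columns. The two gateway prefixes are placeholders to be replaced with the real wireless VLAN gateway subnets, and the NetworkAdapterType value is assumed to be the one MDE reports for Wi-Fi adapters.

```kusto
// Added example: corporate-named SSID whose endpoint received a default
// gateway outside the corporate gateway ranges (rogue DHCP scope).
// Assumptions: DeviceNetworkInfo exposes DefaultGateways (dynamic array)
// and IPv4Dhcp (string); the two prefixes below are placeholders.
let TimeWindow = 24h;
let CorporateSSIDPatterns = dynamic(["corp", "office", "employee", "secure", "work", "hq", "internal"]);
// Placeholder corporate gateway ranges: replace with your real wireless VLAN subnets
let IsCorporateGateway = (ip: string) {
    ipv4_is_in_any_range(ip, "10.10.0.0/16", "10.20.0.0/16")
};
DeviceNetworkInfo
| where Timestamp > ago(TimeWindow)
| where NetworkAdapterType == "Wireless80211"   // Wi-Fi adapters only (assumed MDE value)
| mv-expand Network = parse_json(ConnectedNetworks)
| extend SSID = tostring(Network.SSID), BSSID = tostring(Network.BSSID)
| where isnotempty(SSID) and SSID has_any (CorporateSSIDPatterns)
// One row per gateway the adapter was handed
| mv-expand Gateway = DefaultGateways to typeof(string)
| where isnotempty(Gateway) and not(IsCorporateGateway(Gateway))
| summarize
    Devices     = make_set(DeviceName),
    DhcpServers = make_set(IPv4Dhcp),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp)
  by SSID, BSSID, Gateway
| extend DeviceCount = array_length(Devices)
| project SSID, BSSID, RogueGateway = Gateway, DhcpServers, DeviceCount, Devices, FirstSeen, LastSeen
| sort by FirstSeen desc
```

Because the gateway check is independent of BSSID counts, it stays quiet for the multi-radio and mesh cases in the tuning list, and a hit that also matches the BSSID anomaly query raises confidence from medium to high for that SSID.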
