Detect Evil Twin in Sumo Logic CSE
Adversaries may host fraudulent Wi-Fi access points using the same SSID as a legitimate network to intercept traffic, steal credentials, or deliver malware. Evil Twin attacks exploit the 802.11 protocol's lack of mutual AP authentication — clients connect to whichever access point advertises the correct SSID with the strongest signal, without verifying the AP's identity. Attackers use tools such as hostapd, airbase-ng, create_ap, or Wi-Fi Pineapple devices to clone corporate or public SSIDs. Upon connection, victims are often directed to a fake captive portal for credential harvesting or subjected to man-in-the-middle attacks against unencrypted or SSL-stripped traffic. Attackers may also listen for 802.11 probe requests in which client devices broadcast previously connected network names (Preferred Network Lists), responding with matching SSIDs to automatically attract victim connections. APT28 (Fancy Bear / GRU) operationally deployed Wi-Fi Pineapple devices for Evil Twin attacks during intelligence collection operations against the Organization for the Prohibition of Chemical Weapons (OPCW) and other targets, as documented in the October 2018 GRU indictment.
MITRE ATT&CK
- Tactic
- Credential Access, Collection
- Technique
- T1557 Adversary-in-the-Middle
- Sub-technique
- T1557.004 Evil Twin
- Canonical reference
- https://attack.mitre.org/techniques/T1557/004/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*wineventlog* OR _sourceCategory=*wlan*)
| where _raw matches /Microsoft-Windows-WLAN-AutoConfig/
| where _raw matches /EventID[=: ]+(?:8001|11005)|EventCode[=: ]+(?:8001|11005)/
| parse regex field=_raw "SSID\s*:\s*(?<ssid>[^\r\n<]+)"
| parse regex field=_raw "BSSID\s*:\s*(?<bssid>[0-9a-fA-F:]{17})"
| parse regex field=_raw "Authentication\s+algorithm\s*:\s*(?<auth_algo>[^\r\n<]+)"
| where !isEmpty(ssid) AND !isEmpty(bssid)
| where bssid != "00:00:00:00:00:00"
| where ssid matches /(?i)(corp|office|employee|secure|work|hq|internal|guest|wireless)/
| toLowerCase(bssid) as bssid
| trim(ssid) as ssid
| trim(auth_algo) as auth_algo
| count_distinct(bssid) as unique_bssid_count,
values(bssid) as observed_bssids,
count_distinct(_sourceHost) as host_count,
values(_sourceHost) as affected_hosts,
values(auth_algo) as auth_algorithms,
min(_messageTime) as first_seen,
max(_messageTime) as last_seen
by ssid
| where unique_bssid_count > 2
| if(unique_bssid_count > 5, "HIGH", if(unique_bssid_count > 3, "MEDIUM", "LOW")) as risk_level
| concat("SSID '", ssid, "' observed with ", tostring(unique_bssid_count), " distinct BSSIDs across ", tostring(host_count), " hosts — potential Evil Twin AP") as alert_summary
| fields first_seen, last_seen, ssid, unique_bssid_count, observed_bssids, host_count, affected_hosts, auth_algorithms, risk_level, alert_summary
| sort by unique_bssid_count desc
Detects Evil Twin AP attacks in Sumo Logic by parsing Windows WLAN AutoConfig operational events forwarded via the Installed Collector and aggregating unique BSSID observations per corporate-pattern SSID. The query extracts the SSID, BSSID, and authentication algorithm fields from the raw event message text using regex, normalizes the values, and groups by SSID to compute BSSID cardinality across all reporting endpoints. SSIDs with more than two distinct BSSIDs are surfaced as potential Evil Twin incidents with a tiered risk score: HIGH (>5 BSSIDs), MEDIUM (>3), LOW (>2). The query covers both successful connections (Event ID 8001) and failed associations (Event ID 11005) to detect adversary APs that are competing for client connections but may not yet be winning the signal strength race. Tune the SSID regex pattern to match your organization's actual corporate network naming conventions.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise wireless networks with dense AP coverage broadcasting a single corporate SSID — a large campus deployment may legitimately have 10–50+ BSSIDs per SSID; tune the unique_bssid_count threshold significantly higher or switch to anomaly detection against a baseline count per SSID established during a clean period
- Cloud-managed wireless controllers (Cisco Meraki, Aruba Central, Juniper Mist) that use separate virtual BSSIDs per radio band (2.4 GHz, 5 GHz, 6 GHz) under the same SSID name, tripling the expected BSSID count relative to physical AP count without any adversarial activity
- Remote employees or travelers connecting to hotel, airport, or co-working space Wi-Fi networks whose SSIDs match the corporate keyword regex (e.g., 'secure', 'guest', 'wireless') but belong to unrelated infrastructure operated by hospitality providers across many sites
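The detection logic described under the query (parse SSID/BSSID/auth algorithm from WLAN AutoConfig 8001/11005 events, count distinct BSSIDs per corporate-pattern SSID, tier the risk) and the per-SSID baseline threshold suggested in the tuning notes, as an added Python example that is not part of this page's detection package. The event text and hostnames are constructed to resemble forwarded Windows events; the `baseline` parameter is this example's own way of expressing the "clean-period count per SSID" idea.

```python
import re
from collections import defaultdict
# Regexes mirroring the query's parse and filter stages (the SSID line must precede BSSID).
EVENT_RE = re.compile(r"Event(?:ID|Code)[=: ]+(?:8001|11005)")
SSID_RE = re.compile(r"SSID\s*:\s*(?P<v>[^\r\n<]+)")
BSSID_RE = re.compile(r"BSSID\s*:\s*(?P<v>[0-9a-fA-F:]{17})")
AUTH_RE = re.compile(r"Authentication\s+algorithm\s*:\s*(?P<v>[^\r\n<]+)")
CORP_RE = re.compile(r"(?i)(corp|office|employee|secure|work|hq|internal|guest|wireless)")

def parse_event(raw):  # -> (ssid, bssid, auth) for a WLAN AutoConfig 8001/11005 event, else None
    if "Microsoft-Windows-WLAN-AutoConfig" not in raw or not EVENT_RE.search(raw):
        return None
    s, b, a = SSID_RE.search(raw), BSSID_RE.search(raw), AUTH_RE.search(raw)
    if not s or not b or b.group("v").lower() == "00:00:00:00:00:00":
        return None
    ssid = s.group("v").strip()
    if not CORP_RE.search(ssid):  # keep only corporate-looking SSIDs, as the query does
        return None
    return ssid, b.group("v").lower(), (a.group("v").strip() if a else "")
def risk_level(n):
    return "HIGH" if n > 5 else ("MEDIUM" if n > 3 else "LOW")
def detect(events, baseline=None, threshold=2):
    # events: (source_host, raw_text) pairs; baseline: clean-period BSSID count per SSID (tuning notes)
    per_ssid = defaultdict(list)  # ssid -> [(host, bssid, auth), ...]
    for host, raw in events:
        parsed = parse_event(raw)
        if parsed:
            per_ssid[parsed[0]].append((host, parsed[1], parsed[2]))
    alerts = {}
    for ssid, rows in per_ssid.items():
        bssids = {r[1] for r in rows}
        if len(bssids) > max(threshold, (baseline or {}).get(ssid, 0)):
            alerts[ssid] = {"unique_bssid_count": len(bssids), "observed_bssids": sorted(bssids),
                            "host_count": len({r[0] for r in rows}), "risk_level": risk_level(len(bssids)),
                            "auth_algorithms": sorted({r[2] for r in rows})}
    return alerts

def sample_event(eid, ssid, bssid, auth="WPA2-Enterprise"):  # constructed event text, one field per line
    return f"EventID={eid} Microsoft-Windows-WLAN-AutoConfig\nSSID: {ssid}\nBSSID: {bssid}\nAuthentication algorithm: {auth}"
# Constructed sample: three legitimate CorpWiFi APs plus one rogue open AP, a guest SSID below threshold, a home SSID.
SAMPLE_EVENTS = [
    ("LAPTOP-01", sample_event(8001, "CorpWiFi", "aa:bb:cc:dd:ee:01")),
    ("LAPTOP-02", sample_event(8001, "CorpWiFi", "AA:BB:CC:DD:EE:01")),  # same AP, upper case
    ("LAPTOP-03", sample_event(8001, "CorpWiFi", "aa:bb:cc:dd:ee:02")),
    ("LAPTOP-04", sample_event(11005, "CorpWiFi", "aa:bb:cc:dd:ee:03")),  # failed association
    ("LAPTOP-05", sample_event(8001, "CorpWiFi", "de:ad:be:ef:00:01", "Open")),  # rogue AP
    ("LAPTOP-06", sample_event(8001, "Guest-WiFi", "aa:bb:cc:dd:ee:10")),
    ("LAPTOP-07", sample_event(8001, "HomeNet", "11:22:33:44:55:66")),  # outside corporate pattern
]
```

Running `detect(SAMPLE_EVENTS)` flags only CorpWiFi (4 BSSIDs, MEDIUM, with "Open" among the auth algorithms), while `detect(SAMPLE_EVENTS, baseline={"CorpWiFi": 4})` flags nothing, which is the campus-sized-deployment case from the tuning notes.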
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Evil Twin AP with hostapd and dnsmasq on Linux
Expected signal: On victim Windows devices connecting to the rogue AP: WLAN AutoConfig Event ID 8001 in Microsoft-Windows-WLAN-AutoConfig/Operational showing successful connection to 'TargetCorporateSSID' with the attacker NIC's MAC address as BSSID. DHCP lease assignment from 192.168.50.x range (distinct from corporate DHCP). MDE DeviceNetworkInfo records new BSSID and gateway 192.168.50.1 for the SSID. DNS queries from victim directed to 192.168.50.1.
- Test 2: Karma / Evil Twin Probe Response Attack with airbase-ng
Expected signal: Victim devices send visible 802.11 probe requests (capture with: tcpdump -i wlan0mon -e 'wlan type mgt subtype probe-req' 2>/dev/null). airbase-ng probe responses visible in tcpdump (subtype probe-resp). Victim device connection generates WLAN AutoConfig Event 8001 with airbase-ng NIC MAC as BSSID. DeviceNetworkInfo in MDE captures at0 MAC as BSSID with SSID 'TargetCorporateSSID'. DHCP logs show 192.168.55.x lease assignment.
- Test 3: Wi-Fi Pineapple PineAP SSID Broadcast Configuration
Expected signal: Victim devices: WLAN AutoConfig Event 8001 with Pineapple's BSSID (Hak5 LLC OUI: 02:13:37 or similar; or randomized MAC depending on firmware version). Default gateway assignment from Pineapple's DHCP (typically 172.16.42.x or configured range). DeviceNetworkInfo captures Pineapple MAC as BSSID. Captive portal HTTP POST requests to 172.16.42.1 visible in web proxy logs. EvilPortal logs on Pineapple at /pineapple/modules/EvilPortal/logs/ contain captured credentials.
- Test 4: Windows Mobile Hotspot Rogue AP (No Special Hardware Required)
Expected signal: On the attacker device: Microsoft-Windows-WLAN-AutoConfig/Operational events related to hosted network state changes; System Event Log entries for the 'Microsoft Hosted Network Virtual Adapter' appearing. On victim devices that connect: WLAN AutoConfig Event 8001 with attacker device's virtual adapter MAC (Microsoft Virtual WiFi Miniport Adapter OUI) as BSSID. Default gateway 192.168.137.1 (Windows Mobile Hotspot default) appears in DeviceNetworkInfo — distinct from corporate gateway. DeviceNetworkInfo records new BSSID for the corporate-named SSID.
References
- https://attack.mitre.org/techniques/T1557/004/
- https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
- https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
- https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
- https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
- https://www.justice.gov/opa/press-release/file/1098481/download
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkinfo-table
- https://learn.microsoft.com/en-us/windows/win32/nativewifi/wlan-profileschema-elements
- https://github.com/hak5/wifipineapple-modules