title: Evil Twin (T1557.004)
id: df00tech-t1557-004
status: experimental
description: "Adversaries may host fraudulent Wi-Fi access points using the same SSID as a legitimate network to intercept traffic, steal credentials, or deliver malware. Evil Twin attacks exploit the fact that 802.11 clients identify a network by its SSID rather than by the access point: a client associates with whichever AP advertises the expected SSID with the strongest signal, and on an open network it has no way to verify that AP's identity at all. On WPA2-PSK networks the attacker must know (or capture and crack) the pre-shared key to complete the four-way handshake, and on WPA2/WPA3-Enterprise networks a client that validates the RADIUS server certificate refuses the rogue AP, so Evil Twins are most effective against open networks, or present a cloned SSID as an open network with a captive portal. Attackers use tools such as hostapd, airbase-ng, create_ap, or Wi-Fi Pineapple devices to clone corporate or public SSIDs. Upon connection, victims are often directed to a fake captive portal for credential harvesting or subjected to man-in-the-middle attacks against unencrypted or SSL-stripped traffic; against enterprise networks, a rogue AP with its own RADIUS server can capture EAP credential exchanges from clients that skip server-certificate validation. Attackers may also listen for 802.11 probe requests in which client devices broadcast the names of previously connected networks (their Preferred Network List) and respond with matching SSIDs to attract connections automatically, although modern mobile operating systems largely limit such directed probing to networks saved as hidden. APT28 (Fancy Bear / GRU) operationally deployed Wi-Fi Pineapple devices for Evil Twin attacks during intelligence collection operations against the Organisation for the Prohibition of Chemical Weapons (OPCW) and other targets, as documented in the October 2018 GRU indictment."
references:
  - https://attack.mitre.org/techniques/T1557/004/
  - https://df00tech.com/detections/T1557.004
author: df00tech
date: 2026/04/21
tags:
  - attack.t1557.004
# NOTE: logsource is auto-derived from the technique mapping and does not match the
# false positives listed below, which describe wireless telemetry (BSSIDs observed per
# SSID from a WLAN controller, WIDS, sensor scan, or client WLAN connection events),
# not Windows network_connection events. Adjust it for your environment before use.
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches every event in the logsource.
  # Do not deploy it as-is: at level high it would fire on all traffic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Enterprise wireless networks with band steering where the same physical AP serves 2.4GHz, 5GHz, and 6GHz (Wi-Fi 6E) bands — each radio has a distinct BSSID for the same SSID, legitimately producing 2-3 BSSIDs per AP"
  - "Mesh Wi-Fi deployments (Cisco Meraki, Ubiquiti UniFi, Aruba Instant) where each mesh node has a unique BSSID for the same SSID — large campus environments with dozens of APs generate very high BSSID counts"
  - "Wireless LAN controllers using roaming optimization (802.11r Fast BSS Transition): a roaming client moves between the BSSIDs of neighbouring APs in the same ESS, which appears in client-side logs as rapid BSSID changes under one SSID rather than as a rogue AP"
  - Wi-Fi repeaters and range extenders rebroadcasting the same SSID with a different (self-assigned) BSSID
  - "Guest Wi-Fi VLAN segmentation where the same SSID is broadcast on separate VLANs by different AP radios, each with a unique BSSID"
level: high
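
The false positives above show why a raw count of BSSIDs per SSID is not a usable indicator. The following Python is an added example, not part of this rule or of df00tech's KQL/SPL query, showing a check a practitioner can run over scan or controller export records: each observed BSSID is compared against an authorized inventory, and a finding is raised for a vendor-OUI mismatch or a security downgrade (a WPA2-Enterprise SSID seen as an open network), while extra radios from an inventoried vendor are reported only as low-severity inventory drift. The record format, the names (ScanRecord, analyze, INVENTORY, SAMPLE_RECORDS) and the sample MAC addresses are all constructed for this example.

```python
"""Evil Twin indicator check over Wi-Fi scan records (added example).

Per SSID that we own, an observed BSSID is suspicious when:
  * its OUI (first three octets) is not a vendor that serves that SSID in
    the authorized inventory, or
  * it advertises a weaker security type than the authorized profile
    (a WPA2-Enterprise corporate SSID showing up as an OPEN network).
A high BSSID count on its own is NOT an indicator: band steering, mesh
nodes and repeaters legitimately put many BSSIDs behind one SSID.
"""
from collections import defaultdict
from dataclasses import dataclass

# Weakest to strongest. A rank below the authorized profile is a downgrade.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3,
                 "WPA2-EAP": 4, "WPA3-SAE": 5, "WPA3-EAP": 6}


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    security: str
    channel: int
    rssi: int  # dBm, as reported by the scanning sensor


def oui(bssid: str) -> str:
    """Vendor prefix (first three octets) of a MAC, lower-cased."""
    return ":".join(bssid.lower().split(":")[:3])


def analyze(records, inventory):
    """Return one finding dict per observed BSSID that is not in the inventory.

    inventory: {ssid: {"bssids": {authorized BSSIDs}, "security": profile}}
    Severity is "high" when an evil-twin indicator fires and "low" when the
    BSSID is merely unregistered but matches vendor and security (inventory
    drift, e.g. a newly installed mesh node). SSIDs we do not own are skipped.
    """
    seen = defaultdict(dict)                 # ssid -> {bssid: first record}
    for r in records:
        seen[r.ssid].setdefault(r.bssid.lower(), r)

    findings = []
    for ssid, bssids in seen.items():
        if ssid not in inventory:
            continue                         # not our network; out of scope
        auth = inventory[ssid]
        auth_bssids = {b.lower() for b in auth["bssids"]}
        auth_ouis = {oui(b) for b in auth_bssids}
        auth_rank = SECURITY_RANK[auth["security"]]
        for bssid, rec in bssids.items():
            if bssid in auth_bssids:
                continue                     # known radio (band/mesh/extender)
            reasons = []
            if oui(bssid) not in auth_ouis:
                reasons.append(f"OUI {oui(bssid)} is not an inventoried vendor")
            if SECURITY_RANK.get(rec.security, -1) < auth_rank:
                reasons.append(f"advertises {rec.security}, profile is {auth['security']}")
            findings.append({
                "ssid": ssid, "bssid": bssid, "channel": rec.channel,
                "rssi": rec.rssi,
                "severity": "high" if reasons else "low",
                "reasons": reasons or ["unregistered BSSID, vendor and security match"],
            })
    return findings


# Constructed sample data: BSSIDs and OUIs are illustrative, not real vendor lookups.
INVENTORY = {
    "CorpNet":   {"bssids": {"f0:5c:19:aa:10:01", "f0:5c:19:aa:10:02"},
                  "security": "WPA2-EAP"},
    "CorpGuest": {"bssids": {"f0:5c:19:aa:10:11"}, "security": "OPEN"},
}

SAMPLE_RECORDS = [
    ScanRecord("CorpNet",    "F0:5C:19:AA:10:01", "WPA2-EAP", 36, -55),  # 5 GHz radio
    ScanRecord("CorpNet",    "f0:5c:19:aa:10:02", "WPA2-EAP",  6, -60),  # 2.4 GHz radio
    ScanRecord("CorpNet",    "f0:5c:19:aa:10:03", "WPA2-EAP", 44, -70),  # unregistered mesh node
    ScanRecord("CorpNet",    "00:c0:ca:9b:11:22", "OPEN",      1, -40),  # rogue: open, other vendor
    ScanRecord("CorpNet",    "00:c0:ca:9b:11:22", "OPEN",      1, -42),  # same rogue re-seen
    ScanRecord("CorpGuest",  "f0:5c:19:aa:10:11", "OPEN",      6, -58),
    ScanRecord("CorpGuest",  "00:c0:ca:9b:11:23", "OPEN",      1, -40),  # rogue cloning guest SSID
    ScanRecord("CoffeeShop", "34:12:98:00:00:01", "OPEN",     11, -75),  # not ours
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS, INVENTORY):
        print(f["severity"].upper(), f["ssid"], f["bssid"], "ch", f["channel"],
              "rssi", f["rssi"], ";", "; ".join(f["reasons"]))
```

Run it directly to print the findings for the constructed records. Two caveats: hostapd lets the operator choose the rogue AP's BSSID (`bssid=` in hostapd.conf), so an attacker who clones an inventoried BSSID outright defeats the OUI and inventory checks and has to be caught by channel, signal-strength or controller-side rogue detection instead; and the downgrade check only catches evil twins presented as open or PSK networks, so a rogue that mirrors the real WPA2-Enterprise configuration to harvest EAP credentials is defeated by client-side server-certificate validation, not by this rule.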
