Skip to content

DET0379 Detect Evil Twin Wi-Fi Access Points on Network Devices

Item Value
ID DET0379
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1557.004 (Evil Twin)

Analytics

Network Devices

AN1069

Detects rogue Wi-Fi access points broadcasting the same SSID as legitimate APs with stronger signal strength, unexpected MAC/BSSID values, or inconsistent encryption settings. Correlates authentication attempts, captive portal redirections, and anomalous traffic flows through unauthorized APs.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) WLANLogs:Association Multiple APs advertising the same SSID but with different BSSID/MAC or encryption type
Network Traffic Content (DC0085) NSM:Flow Probe responses from unauthorized APs responding to client probe requests
Application Log Content (DC0038) networkdevice:syslog Failed authentication requests redirected to non-standard portals
Mutable Elements
Field Description
KnownSSIDs Baseline of authorized SSIDs; deviations may indicate rogue AP.
AllowedBSSIDs Whitelist of BSSID/MAC addresses mapped to corporate SSIDs.
SignalStrengthThreshold Used to flag unusually strong signals from unexpected APs.
CaptivePortalDomains Trusted login domains; unrecognized portals may be malicious.