ID | Name |
---|---|
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
T1557.002 | ARP Cache Poisoning |
T1557.003 | DHCP Spoofing |
T1557.004 | Evil Twin |
Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or Input Capture.[1]
By using a Service Set Identifier (SSID) of a legitimate Wi-Fi network, fraudulent Wi-Fi access points may trick devices or users into connecting to malicious Wi-Fi networks.[2][3] Adversaries may provide a stronger signal strength or block access to Wi-Fi access points to coerce or entice victim devices into connecting to malicious networks.[4] A Wi-Fi Pineapple – a network security auditing and penetration testing tool – may be deployed in Evil Twin attacks for ease of use and broader range. Custom certificates may be used in an attempt to intercept HTTPS traffic.
Similarly, adversaries may also listen for client devices sending probe requests for known or previously connected networks (Preferred Network Lists or PNLs). When a malicious access point receives a probe request, adversaries can respond with the same SSID to imitate the trusted, known network.[4] Victim devices are led to believe the responding access point is from their PNL and initiate a connection to the fraudulent network.
Upon logging into the malicious Wi-Fi access point, a user may be directed to a fake login page or captive portal webpage to capture the victim’s credentials. Once a user is logged into the fraudulent Wi-Fi network, the adversary may be able to monitor network activity, manipulate data, or steal additional credentials. Locations with high concentrations of public Wi-Fi access, such as airports, coffee shops, or libraries, may be targets for adversaries to set up illegitimate Wi-Fi access points.
ID | Name | Description |
---|---|---|
G0007 | APT28 | APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.[5] |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention | Wireless intrusion prevention systems (WIPS) can identify traffic patterns indicative of adversary-in-the-middle activity and scan for evil twins and rogue access points. |
M1017 | User Training | Train users to be suspicious about access points marked as "Open" or "Unsecure" as well as certificate errors. Certificate errors may arise when the application’s certificate does not match the one expected by the host. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Traffic Content | Monitor network traffic for suspicious/malicious behavior involving evil twin attacks. Wireless intrusion detection and prevention systems (WIDS/WIPS) can identify traffic patterns indicative of activity associated with evil twins, rogue access points, and adversary-in-the-middle activity. |
DS0029 | Network Traffic | Network Traffic Flow | Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing), as well as usage of network management protocols such as enabling DHCP snooping, may be helpful in identifying rogue hardware.[6] Additionally, wireless pentesting hardware is often limited to older |
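The two detection ideas above (an unknown transmitter advertising a known SSID, and the probe-response behaviour that imitates a client's PNL) can be expressed as simple triage logic over a wireless capture. The following is an added example, not code from the ATT&CK page or from any WIDS product; the authorised-AP inventory, the frame record layout and the sample frames are all constructed for this illustration. It flags three things: a BSSID outside the inventory that advertises a protected SSID, a known SSID advertised with weaker security than expected (for example open auth where WPA2 is the norm), and a single BSSID answering probe requests with many unrelated SSIDs.

```python
"""Added example (not from the ATT&CK page): evil-twin / rogue-AP triage over
a constructed list of observed 802.11 beacon and probe-response frames.
The inventory, the Frame fields and SAMPLE_FRAMES are assumptions made for
this example; a real deployment would feed frames from a WIDS sensor."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed authorised inventory: SSID -> (set of authorised BSSIDs, expected security)
AUTHORISED_APS = {
    "CorpWiFi": ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "WPA2"),
    "CorpGuest": ({"aa:bb:cc:00:00:03"}, "WPA2"),
}


@dataclass(frozen=True)
class Frame:
    kind: str      # "beacon" or "probe_resp"
    bssid: str     # transmitter MAC of the access point
    ssid: str
    security: str  # "OPEN", "WPA2", ...
    rssi: int      # received signal strength in dBm


# Constructed sample capture (not real traffic)
SAMPLE_FRAMES = [
    Frame("beacon", "aa:bb:cc:00:00:01", "CorpWiFi", "WPA2", -60),
    Frame("beacon", "aa:bb:cc:00:00:03", "CorpGuest", "WPA2", -65),
    # Unknown BSSID beaconing the corporate SSID with open auth and a stronger signal
    Frame("beacon", "de:ad:be:ef:00:01", "CorpWiFi", "OPEN", -35),
    # One BSSID answering probes for many unrelated SSIDs (PNL imitation)
    Frame("probe_resp", "de:ad:be:ef:00:02", "HomeNet", "OPEN", -50),
    Frame("probe_resp", "de:ad:be:ef:00:02", "AirportFree", "OPEN", -50),
    Frame("probe_resp", "de:ad:be:ef:00:02", "CoffeeShop", "OPEN", -50),
    Frame("probe_resp", "de:ad:be:ef:00:02", "CorpWiFi", "OPEN", -50),
]

PNL_IMITATION_THRESHOLD = 3  # distinct SSIDs served by one BSSID before we flag it


def find_evil_twins(frames, inventory=AUTHORISED_APS):
    """Return (bssid, reason) findings for frames that advertise an inventoried
    SSID from an unauthorised BSSID or with weaker security than expected."""
    findings = []
    seen = set()
    for f in frames:
        if f.ssid not in inventory:
            continue  # SSIDs we do not own are handled by find_pnl_imitators
        auth_bssids, expected_sec = inventory[f.ssid]
        key = (f.bssid, f.ssid)
        if key in seen:
            continue  # report each (BSSID, SSID) pair once
        seen.add(key)
        if f.bssid not in auth_bssids:
            findings.append((f.bssid, f"unauthorised BSSID advertising '{f.ssid}'"))
        if f.security != expected_sec:
            findings.append((f.bssid, f"'{f.ssid}' advertised as {f.security}, expected {expected_sec}"))
    return findings


def find_pnl_imitators(frames, threshold=PNL_IMITATION_THRESHOLD):
    """Return {bssid: sorted SSIDs} for transmitters that answer probe requests
    with many different SSIDs, the hallmark of imitating a client's PNL."""
    ssids_by_bssid = defaultdict(set)
    for f in frames:
        if f.kind == "probe_resp":
            ssids_by_bssid[f.bssid].add(f.ssid)
    return {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= threshold}


def strongest_by_ssid(frames):
    """Map SSID -> (BSSID, RSSI) of the strongest transmitter, which is the one
    a client is most likely to pick when two radios share an SSID."""
    best = {}
    for f in frames:
        if f.ssid not in best or f.rssi > best[f.ssid][1]:
            best[f.ssid] = (f.bssid, f.rssi)
    return best


if __name__ == "__main__":
    for bssid, reason in find_evil_twins(SAMPLE_FRAMES):
        print(f"[evil-twin] {bssid}: {reason}")
    for bssid, ssids in find_pnl_imitators(SAMPLE_FRAMES).items():
        print(f"[pnl-imitation] {bssid} answers probes for {ssids}")
    for ssid, (bssid, rssi) in strongest_by_ssid(SAMPLE_FRAMES).items():
        print(f"[strongest] {ssid}: {bssid} at {rssi} dBm")
```

On the sample capture the unknown transmitter `de:ad:be:ef:00:01` is reported twice (unauthorised BSSID, and OPEN where WPA2 is expected) and is also the strongest radio for `CorpWiFi`, which is exactly the signal-strength lure the technique description mentions; `de:ad:be:ef:00:02` is reported for answering probes with four unrelated SSIDs. The inventory check needs a maintained list of authorised BSSIDs per SSID, so keep it in sync with AP provisioning or the alerts become noise.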