Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0379: Detect Evil Twin Wi-Fi Access Points on Network Devices

This detection strategy matters because “evil twin” Wi-Fi activity can turn trusted wireless access into a credential-access and data-collection problem. F...

EnterpriseDET0379Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because “evil twin” Wi-Fi activity can turn trusted wireless access into a credential-access and data-collection problem. For executives and security leaders, the key issue is not just rogue Wi-Fi presence; it is whether the organization can prove that network-device monitoring, wireless governance, and incident response processes can identify suspicious access points that impersonate legitimate SSIDs before users and traffic are exposed.

Executive priority

Prioritize this as a wireless trust and business-continuity validation item where Wi-Fi supports workforce access, guest access, branch operations, or sensitive workflows. Leaders should ask whether teams have an accountable inventory of authorized SSIDs and access points, whether network-device telemetry is retained and reviewed, and whether SOC/IR teams have a playbook for suspected impersonation of corporate wireless networks. This can support compliance evidence around access control, monitoring, and incident response readiness, but local evidence is required because the ATT&CK object provides no official detection logic.

Technical view

The supplied ATT&CK relationship says this strategy detects T1557.004, Evil Twin, which is associated with credential-access and collection on Network Devices. SOC and detection teams should validate whether network-device and wireless infrastructure logs can show authorized versus suspicious SSID/BSSID/access point observations, unexpected SSID duplication, changes in observed wireless environment, and user/device association patterns. Because the official detection field is not provided, detection engineering should treat this as a coverage objective rather than a ready-made analytic.

Likely telemetry

  • Wireless controller or network-device logs showing SSIDs, BSSIDs, access point identities, and client associations
  • Authorized wireless access point and SSID inventory
  • Network access control or authentication logs for wireless users/devices
  • Security monitoring alerts or events from managed wireless infrastructure
  • Incident records or helpdesk reports involving suspicious Wi-Fi prompts, captive portals, or unexpected wireless connectivity behavior

Detection direction

  • Validate that legitimate SSIDs and authorized access points are inventoried well enough to distinguish expected wireless infrastructure from suspicious lookalikes.
  • Tune for duplicate or unexpected SSID observations, especially where they appear near sensitive locations or are associated with unusual client connection behavior.
  • Correlate wireless infrastructure events with authentication and endpoint/user activity to assess whether suspected evil twin exposure aligns with credential-access or collection risk.
  • Account for false positives from legitimate network changes, temporary access points, guest networks, lab environments, and neighboring organizations using similar SSID names.
  • Document blind spots where unmanaged locations, remote users, consumer-grade access points, or limited network-device logging prevent reliable observation.

Mitigation priorities

  • Establish and maintain an authoritative inventory of approved SSIDs, access points, and wireless network ownership.
  • Ensure wireless and network-device telemetry is collected, retained, and available to the SOC or managed detection provider.
  • Create an incident response workflow for suspected evil twin activity, including validation, user notification, credential-risk assessment, and containment decisions.
  • Review wireless authentication and access-control practices so that connecting to a lookalike SSID does not easily expose reusable credentials.
  • Use the detection objective as compliance and resilience evidence only after confirming local logging, monitoring, and response procedures are operating.
Analyst notes and limits

The object is a detection strategy, DET0379, named “Detect Evil Twin Wi-Fi Access Points on Network Devices.” The provided relationship links it to ATT&CK technique T1557.004 Evil Twin, with tactics credential-access and collection and platform Network Devices. No official MITRE description or detection text was supplied, so this take focuses on defensive validation questions and telemetry classes rather than specific detection logic.

Platforms and tactics are not specified on the detection-strategy object itself; Network Devices, credential-access, and collection come from the related technique context. The supplied fields do not support claims about active exploitation, attribution, prevalence, specific tools, or guaranteed detection coverage. Local wireless architecture and logging determine practical detectability.

Official MITRE ATT&CK definition

Detect Evil Twin Wi-Fi Access Points on Network Devices

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1557.004 Evil Twin Sub-technique This object detects Evil Twin.
Relationship explorer

All related ATT&CK context

detects · Technique T1557.004: Evil Twin Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
24e3141d022cc3b4...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 24e3141d022c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0379
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use