Wi-Fi Networks Attack Analysis: T1669 – Rogue Access Point & Evil Twin

SIEM Alert Details: Wireless Intrusion Detection

Alert ID: SIEM-WIDS-ROGUEAP-7842
Alert Time: 2024-01-30 14:18:32 EST
Severity: HIGH (85/100)
Source: Aruba Wireless Intrusion Detection System (WIDS) + Splunk Correlation
Rule: “Rogue Access Point with Corporate SSID Spoofing”
MITRE ATT&CK: T1669 – Wi-Fi Networks
Sub-technique: T1669.001 – Evil Twin Attack

Alert Details:

Primary Detection Source: Aruba WIDS Sensor (Location: Building 1, Floor 3)
Secondary Detection: Cisco Identity Services Engine (ISE) RADIUS Anomalies
Tertiary Detection: Endpoint (CrowdStrike) Wireless Connection Events

Alert Triggers:
1. Rogue Access Point Detection:
   - SSID: "Company_Corp_Guest" (Legitimate: "Company_Corp")
   - BSSID: 00:11:22:33:44:55 (Cloned from legitimate AP 00:AA:BB:CC:DD:EE)
   - Channel: 6 (Same as legitimate AP in area)
   - Signal Strength: -45 dBm (Stronger than legitimate AP at -65 dBm)
   - Encryption: WPA2-Personal (vs. Corporate WPA2-Enterprise)
   - Location: 25 feet from Executive Conference Room

2. Authentication Anomalies:
   - Time: 14:15 EST
   - Event: Multiple failed 802.1X authentications followed by successful WPA2-PSK
   - Users: 3 employees observed connecting to rogue AP
   - Device Types: 2 iPhones, 1 Windows laptop

3. Network Behavior Anomalies:
   - Rogue AP performing ARP poisoning attacks
   - DNS hijacking attempts observed
   - SSL stripping detected for HTTPS traffic
   - MAC address spoofing of corporate access points

4. Physical Location Data:
   - GPS Coordinates: 40.7128° N, 74.0060° W (parking lot adjacent to building)
   - Triangulation: Within 30 feet of executive parking spaces
   - Movement: Stationary for 45 minutes, then mobile (vehicle-based)
   - Power Source: Battery/vehicle (no building power draw detected)

Threat Intelligence Context:
- BSSID 00:11:22:33:44:55 associated with Wi-Fi Pineapple devices
- Similar attacks detected at competitor companies last week
- Known APT group "Lazarus" uses Wi-Fi attacks for initial access

Correlated Events:

1. 14:10 EST - Unauthorized wireless device detected (Aruba WIDS)
2. 14:12 EST - SSID spoofing detected (Aruba AirWave)
3. 14:15 EST - First client connection observed (Cisco ISE)
4. 14:16 EST - ARP poisoning detected (Aruba ClearPass)
5. 14:18 EST - SIEM correlation rule triggers

SOC Investigation Process

Phase 1: Alert Validation & Initial Triage (14:18-14:35 EST)

Tools: Aruba AirWave, Cisco ISE, Splunk ES, Ekahau Sidekick

  1. Alert Verification:
    • Confirmed rogue AP detection in Aruba AirWave console
    • Verified signal strength comparison with legitimate APs
    • Checked client connection logs in Cisco ISE
    • Validated physical location via WIDS sensor triangulation
  2. Immediate Containment:
    • Activated Aruba WIPS (Wireless Intrusion Prevention) to contain rogue AP
    • Sent security team to physical location (parking lot)
    • Blocked rogue BSSID at all wireless controllers
    • Sent global alert to all employees via mobile app about rogue Wi-Fi
  3. Initial Assessment:
    • Rogue AP spoofing guest network SSID with stronger signal
    • Targeting executives (near executive parking)
    • Running man-in-the-middle attacks on connected devices

Phase 2: Wireless Forensics (14:35-15:45 EST)

Tools: Wireshark, Kismet, Aircrack-ng, Raspberry Pi for RF capture

  1. RF Spectrum Analysis:
    • Deployed portable spectrum analyzer (Ekahau Sidekick)
    • Captured 2.4GHz and 5GHz spectrum activity
    • Identified rogue AP operating on channel 6 with beacon interval 100ms (vs. 102.4ms standard)
    • Detected deauthentication attacks against legitimate AP
  2. Packet Capture Analysis:
    • Captured wireless traffic using monitor mode adapter
    • Analyzed 802.11 frames:
      • Beacon frames: SSID “Company_Corp_Guest”, BSSID spoofed
      • Probe responses: Responding to all probe requests
      • EAPOL frames: Capturing WPA2 handshakes
      • ARP packets: Poisoning ARP tables of connected clients
    • Identified attack tools: Airgeddon framework, Bettercap
  3. Attack Technique Analysis:
    • Evil Twin: Perfect replica SSID with stronger signal
    • KARMA Attack: Responding to all probe requests
    • ARP Poisoning: Redirecting traffic through attacker
    • SSL Stripping: Downgrading HTTPS to HTTP
    • Credential Harvesting: Capturing authentication attempts

Phase 3: Endpoint Impact Assessment (15:45-16:30 EST)

Tools: CrowdStrike Falcon, Microsoft Defender for Endpoint, MobileIron MDM

  1. Connected Device Analysis:
    • Identified 3 compromised devices:
      • iPhone 14 Pro (Executive Assistant)
      • iPhone 13 (Marketing Director)
      • Windows 11 Laptop (Finance Analyst)
    • Checked for data exfiltration
    • Reviewed browser histories for suspicious activity
  2. Data Exposure Analysis:
    • Email credentials potentially captured
    • Corporate application logins intercepted
    • Internal network information leaked via ARP
    • No evidence of malware installation
  3. Remediation Actions:
    • Forced password resets for affected users
    • Revoked and reissued certificates
    • Cleared browser caches and certificates
    • Reconfigured Wi-Fi settings on devices

Phase 4: Physical Investigation (16:30-17:15 EST)

Tools: Direction-finding antennas, GPS tracking, Physical security logs

  1. Physical Location Investigation:
    • Security team located vehicle in parking lot:
      • Black SUV with tinted windows
      • Antenna array on roof (Yagi-Uda antennas)
      • Raspberry Pi with wireless cards visible
      • Vehicle fled when approached
    • License plate captured: Partial “XYZ 78”
    • Vehicle description provided to authorities
  2. Equipment Analysis:
    • Based on RF signature: Wi-Fi Pineapple Mark VII
    • Additional equipment: Alfa AWUS036ACH, GPS module
    • Power source: Vehicle battery with inverter
    • Data storage: 1TB SSD for packet capture

Phase 5: Threat Hunting & Scope (17:15-18:00 EST)

Tools: Aruba ClearPass, Splunk Advanced Hunting, Zeek IDS

  1. Network-wide Hunting (Splunk search used to sweep all wireless logs for the rogue BSSID or spoofed SSID; values are quoted so the colons and underscores are not mis-parsed):

    ```splunk
    index=wireless (BSSID="00:11:22:33:44:55" OR SSID="Company_Corp_Guest")
    | stats count by _time, client_mac, ssid, signal_strength
    ```
    • Found no other rogue APs on premises
    • No evidence of persistent wireless compromise
    • Clean historical logs (first occurrence)
  2. Client Connection Analysis:
    • 7 clients attempted connection
    • 3 successfully connected
    • Average connection time: 8 minutes
    • Data transferred: 45MB total (mostly HTTP traffic)
  3. Internal Network Impact:
    • No successful VPN connections from compromised devices
    • No corporate network breaches via wireless
    • All enterprise applications require VPN (protected)

Phase 6: Containment & Remediation (18:00-19:30 EST)

Tools: Aruba WIPS, Cisco ISE, Group Policy, Mobile Device Management

  1. Immediate Containment:
    • Blocked rogue BSSID at all wireless controllers
    • Implemented BSSID filtering on corporate SSIDs
    • Enabled certificate-based authentication only
    • Deployed wireless packet capture for ongoing monitoring
  2. Technical Controls Enhanced:
    • Implemented 802.1X with certificate authentication for all SSIDs
    • Deployed wireless intrusion prevention system (WIPS)
    • Enabled rogue AP containment features
    • Implemented SSID cloaking for corporate networks
  3. Policy Updates:
    • Updated wireless security policy
    • Implemented regular wireless security assessments
    • Created rogue AP response playbook
    • Enhanced employee training on Wi-Fi security

Phase 7: Prevention & Monitoring (19:30-20:00 EST)

Tools: Aruba AirMatch, Cisco DNA Center, Security Awareness Platform

  1. Detection Improvements:
    • Created SIEM correlation for SSID similarity
    • Implemented wireless behavioral analytics
    • Deployed wireless honeypots in parking areas
    • Enhanced physical security patrols
  2. Security Control Enhancement:
    • Implemented wireless network access control (WNAC)
    • Deployed RF shielding in sensitive areas
    • Enabled continuous wireless monitoring
    • Implemented geofencing for corporate Wi-Fi
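As an added example, not code from the original report or from any vendor product named in it, the following Python sketch implements the kind of correlation the "SIEM correlation for SSID similarity" item describes: it scores each WIDS-style AP sighting for a look-alike SSID on an unknown BSSID, a security downgrade from the expected WPA2-Enterprise, a signal stronger than the authorised AP, and an authorised BSSID advertising the wrong SSID. The inventory, field names, sample sweep and score weights are all constructed assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed inventory: our BSSIDs and the security each corporate SSID must advertise.
AUTHORIZED_BSSIDS = {"00:aa:bb:cc:dd:ee": "Company_Corp"}
CORP_SSIDS = {"Company_Corp": "WPA2-Enterprise"}

@dataclass
class Sighting:          # one AP observation as a WIDS sensor would export it
    bssid: str
    ssid: str
    rssi_dbm: int        # higher (less negative) is stronger
    security: str

def ssid_similarity(a: str, b: str) -> float:
    """1.0 on exact match or when one SSID extends the other, else a difflib ratio."""
    x, y = a.lower(), b.lower()
    if x == y or x.startswith(y) or y.startswith(x):
        return 1.0
    return SequenceMatcher(None, x, y).ratio()

def score_sighting(s, sightings, threshold=0.8):
    """Return (score, reasons) for one sighting; 60 or more means a HIGH alert."""
    bssid, score, reasons = s.bssid.lower(), 0, []
    if bssid in AUTHORIZED_BSSIDS:                  # our radio: verify it is still itself
        expected = AUTHORIZED_BSSIDS[bssid]
        clean = s.ssid == expected and s.security == CORP_SSIDS[expected]
        return (0, []) if clean else (80, ["authorised BSSID advertising unexpected SSID/security"])
    for ssid, security in CORP_SSIDS.items():
        if ssid_similarity(s.ssid, ssid) < threshold:
            continue
        score += 40
        reasons.append(f"unknown BSSID advertising SSID similar to {ssid}")
        if s.security != security:                  # WPA2-Personal where Enterprise is expected
            score += 20
            reasons.append(f"security downgrade {security} -> {s.security}")
        # strongest RSSI our own APs showed for that SSID in the same sweep
        legit = max((o.rssi_dbm for o in sightings
                     if AUTHORIZED_BSSIDS.get(o.bssid.lower()) == ssid), default=None)
        if legit is not None and s.rssi_dbm > legit:  # twin out-shouting the real AP
            score += 20
            reasons.append(f"stronger signal than authorised AP ({s.rssi_dbm} vs {legit} dBm)")
    return score, reasons

# Constructed sample sweep mirroring the report's figures (not real sensor output).
SAMPLE = [
    Sighting("00:AA:BB:CC:DD:EE", "Company_Corp", -65, "WPA2-Enterprise"),
    Sighting("00:11:22:33:44:55", "Company_Corp_Guest", -45, "WPA2-Personal"),
    Sighting("66:77:88:99:AA:BB", "CoffeeShop-Free", -70, "Open"),
]
```

Running `score_sighting(SAMPLE[1], SAMPLE)` yields the full 80 with three reasons, while the legitimate AP and the unrelated neighbour score 0; the prefix rule in `ssid_similarity` is what catches the `_Guest` variant that a plain exact-match rule would miss.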

Jira Incident Report

Ticket: SOC-2024-030
Summary: T1669 – Evil Twin Rogue Access Point Attack in Executive Parking
Status: RESOLVED
Resolution: MALICIOUS – Wireless Attack Mitigated
Priority: P1 – HIGH
Labels: T1669, wifi-attack, rogue-ap, evil-twin, physical-security, wireless
Components: Wireless-Security, Physical-Security, Incident-Response


INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: Aruba Wireless Intrusion Detection System (WIDS) + Splunk Correlation.
  • Alert: “Rogue Access Point with Corporate SSID Spoofing”.
  • Location: Building 1 Parking Lot, near Executive Parking.
  • Time: 2024-01-30 14:18 EST (detected), 14:10 EST (first appearance).
  • Technique: MITRE ATT&CK T1669.001 (Evil Twin Attack) via rogue access point.

2. Technical Analysis:

  • Attack Vector: Wi-Fi Pineapple Mark VII device in vehicle-based setup.
  • Attack Chain:
    1. Rogue AP deployed with SSID “Company_Corp_Guest” (spoofing legitimate guest network).
    2. Stronger signal strength (-45dBm vs legitimate -65dBm) attracts clients.
    3. Clients automatically connect due to saved network profiles.
    4. ARP poisoning redirects traffic through attacker.
    5. SSL stripping downgrades HTTPS connections.
    6. Credential harvesting from intercepted traffic.
  • Attack Details:
    • SSID Spoofing: “Company_Corp_Guest” (legitimate: “Company_Corp”)
    • BSSID Spoofing: 00:11:22:33:44:55 (cloned from legitimate AP)
    • Encryption: WPA2-Personal (vs. corporate WPA2-Enterprise)
    • Location: Vehicle in executive parking lot
    • Tools: Wi-Fi Pineapple, Airgeddon framework, Bettercap
  • Impact Assessment:
    • Devices Compromised: 3 (2 iPhones, 1 Windows laptop)
    • Data Exposed: Email credentials, web logins, internal network information
    • Duration: 45 minutes of active attack
    • Lateral Movement: None (contained to wireless layer)

3. Investigation Findings:

  • Timeline Reconstruction:
    • 14:10 EST: Rogue AP first detected by Aruba WIDS
    • 14:12 EST: SSID spoofing confirmed via AirWave
    • 14:15 EST: First client connections observed
    • 14:16 EST: ARP poisoning attacks begin
    • 14:18 EST: SIEM correlation alert triggers
    • 14:20 EST: Security team dispatched to location
    • 14:25 EST: Vehicle flees when approached
    • 14:30 EST: Rogue AP signal disappears (device powered off)
    • 14:35 EST: Forensic investigation begins
  • Indicators of Compromise (IoCs):
    • Wireless Indicators:
      • Rogue BSSID: 00:11:22:33:44:55
      • Spoofed SSID: “Company_Corp_Guest”
      • Channel: 6 (matching legitimate AP)
      • Beacon Interval: 100ms (anomalous)
    • Network Indicators:
      • ARP Poisoning: Spoofed MAC addresses
      • DNS Hijacking: Redirect to 185.243.112[.]89
      • SSL Stripping: HTTP downgrade attacks
    • Physical Indicators:
      • Vehicle: Black SUV, tinted windows
      • Antennas: Yagi-Uda array on roof
      • Equipment: Wi-Fi Pineapple Mark VII
      • License Plate: Partial “XYZ 78”

4. Containment Actions:

  • Immediate Containment (14:18-14:35 EST):
    • Activated WIPS to contain rogue AP via deauthentication attacks.
    • Blocked rogue BSSID at all wireless controllers.
    • Sent security alert to all employees via mobile app.
    • Dispatched security team to physical location.
  • Forensic Collection (14:35-16:30 EST):
    • Captured RF spectrum data using Ekahau Sidekick.
    • Preserved packet captures from WIDS sensors.
    • Documented physical evidence (photos, license plate).
    • Collected endpoint forensic data from compromised devices.
  • Remediation (16:30-19:30 EST):
    • Forced password resets for affected users.
    • Revoked and reissued digital certificates.
    • Enhanced wireless security controls.
    • Updated physical security procedures.

5. Root Cause Analysis:

  • Primary Cause: Auto-connect feature on employee devices to “saved” networks.
  • Contributing Factors:
    1. Signal Strength: Rogue AP had stronger signal than legitimate AP.
    2. SSID Similarity: “Company_Corp_Guest” vs “Company_Corp” confusion.
    3. Encryption Difference: WPA2-Personal accepted by devices with saved profiles.
    4. Physical Security: Limited patrols in executive parking area.
  • Attack Attribution:
    • TTPs consistent with corporate espionage actors.
    • Equipment sophistication suggests professional operation.
    • Targeting executives indicates specific intelligence gathering.
    • Vehicle-based setup suggests planned, temporary operation.

6. Business Impact:

  • Data Exposure:
    • Email credentials for 3 executives potentially compromised.
    • Internal network topology information captured.
    • Web application logins intercepted.
  • Financial Impact: Minimal direct costs, ~$5,000 in investigation.
  • Reputational Impact: HIGH – Executive communications potentially compromised.
  • Operational Impact: Low – No service disruption.

7. Remediation & Prevention:

Completed Actions:

  • All affected devices cleaned and secured.
  • Rogue AP blocked at wireless infrastructure level.
  • Employee credentials rotated and re-secured.
  • Physical security enhanced in parking areas.

Technical Controls Enhanced:

  • Implemented 802.1X with certificate authentication for all wireless networks.
  • Deployed wireless intrusion prevention system (WIPS) with automatic containment.
  • Enabled BSSID filtering and SSID cloaking for corporate networks.
  • Deployed wireless honeypots in perimeter areas.

Process Improvements:

  • Updated wireless security policy with stricter authentication requirements.
  • Created rogue AP response playbook for SOC team.
  • Implemented regular wireless security assessments.
  • Enhanced employee training on Wi-Fi security risks.

8. Lessons Learned:

  • Wireless Security Gap: Reliance on WPA2-Personal for guest networks.
  • Endpoint Configuration: Auto-connect features create security risk.
  • Physical Security: Parking areas vulnerable to RF-based attacks.
  • Detection Capability: Need faster rogue AP detection and response.

9. Resolution Verification:

  • Technical Verification:
    • No rogue APs detected in ongoing wireless scans.
    • Enhanced authentication preventing unauthorized connections.
    • No evidence of persistent compromise on affected devices.
    • Improved monitoring detecting all wireless anomalies.
  • Process Verification:
    • New wireless security policies implemented and communicated.
    • Employees trained on Wi-Fi security best practices.
    • Physical security patrols increased in vulnerable areas.

10. Conclusion:

This Evil Twin attack demonstrated sophisticated wireless exploitation targeting executive communications. While the attackers successfully intercepted some data, rapid detection and response limited the exposure. The incident revealed significant gaps in our wireless security posture, particularly around guest network authentication and physical security. The implemented controls now provide robust protection against similar attacks.

Closure Rationale: All compromised systems remediated, wireless security controls enhanced, monitoring improved, and no evidence of persistent threat remains.

Follow-up Actions:

  1. Complete wireless penetration test (ETA: 2 weeks)
  2. Implement wireless security monitoring dashboard (ETA: 1 month)
  3. Conduct tabletop exercise focusing on wireless attacks (ETA: 2 weeks)

Analyst: [Walter White], Senior SOC Analyst – Wireless Security Team
Date: 2024-01-30 20:30 EST
