Adversary-in-the-Middle: Evil Twin, Sub-technique T1557.004 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Adversary-in-the-Middle: Evil Twin, Sub-technique T1557.004 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">   <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/techniques/T1557">Adversary-in-the-Middle</a></li> <li class="breadcrumb-item">Evil Twin</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Adversary-in-the-Middle:</span> Evil Twin </h1> <div class="row"> <div class="col-md-8">  <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Adversary-in-the-Middle (4)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1557/001/" class="subtechnique-table-item" data-subtechnique_id="T1557.001"> T1557.001 </a> </td> <td> <a href="/techniques/T1557/001/" class="subtechnique-table-item" data-subtechnique_id="T1557.001"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </td> </tr> <tr> <td> <a href="/techniques/T1557/002/" class="subtechnique-table-item" data-subtechnique_id="T1557.002"> T1557.002 </a> </td> <td> <a href="/techniques/T1557/002/" class="subtechnique-table-item" data-subtechnique_id="T1557.002"> ARP Cache Poisoning </a> </td> </tr> <tr> <td> <a href="/techniques/T1557/003/" class="subtechnique-table-item" data-subtechnique_id="T1557.003"> T1557.003 </a> </td> <td> <a href="/techniques/T1557/003/" class="subtechnique-table-item" data-subtechnique_id="T1557.003"> DHCP Spoofing </a> </td> </tr> <tr> <td class="active"> T1557.004 </td> <td class="active"> Evil Twin </td> </tr> </tbody> </table> </div> </div> </div>  <div class="description-body"> <p>Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as <a href="/techniques/T1040">Network Sniffing</a>, <a href="/techniques/T1565/002">Transmitted Data Manipulation</a>, or <a href="/techniques/T1056">Input Capture</a>.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’ WiFi attack on plane. Retrieved September 17, 2024."data-reference="Australia ‘Evil Twin’"><sup><a href="https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p>By using a Service Set Identifier (SSID) of a legitimate Wi-Fi network, fraudulent Wi-Fi access points may trick devices or users into connecting to malicious Wi-Fi networks.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent them. Retrieved September 17, 2024."data-reference="Kaspersky evil twin"><sup><a href="https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin Attack. Retrieved September 17, 2024."data-reference="medium evil twin"><sup><a href="https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Adversaries may provide a stronger signal strength or block access to Wi-Fi access points to coerce or entice victim devices into connecting to malicious networks.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September 17, 2024."data-reference="specter ops evil twin"><sup><a href="https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> A Wi-Fi Pineapple – a network security auditing and penetration testing tool – may be deployed in Evil Twin attacks for ease of use and broader range. Custom certificates may be used in an attempt to intercept HTTPS traffic. </p><p>Similarly, adversaries may also listen for client devices sending probe requests for known or previously connected networks (Preferred Network Lists or PNLs). When a malicious access point receives a probe request, adversaries can respond with the same SSID to imitate the trusted, known network.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September 17, 2024."data-reference="specter ops evil twin"><sup><a href="https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> Victim devices are led to believe the responding access point is from their PNL and initiate a connection to the fraudulent network.</p><p>Upon logging into the malicious Wi-Fi access point, a user may be directed to a fake login page or captive portal webpage to capture the victim’s credentials. Once a user is logged into the fraudulent Wi-Fi network, the adversary may able to monitor network activity, manipulate data, or steal additional credentials. Locations with high concentrations of public Wi-Fi access, such as airports, coffee shops, or libraries, may be targets for adversaries to set up illegitimate Wi-Fi access points. </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1557.004 </div> </div>  <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of: </span> <a href="/techniques/T1557">T1557</a> </div> </div>  <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/tactics/TA0006">Credential Access</a>, <a href="/tactics/TA0009">Collection</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Network </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>DeFord L. Smith; Menachem Goldstein </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.0 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>17 September 2024 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>11 November 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1557.004" href="/versions/v16/techniques/T1557/004/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1557.004" href="/versions/v16/techniques/T1557/004/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <p><a href="/groups/G0007">APT28</a> has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1031"> M1031 </a> </td> <td> <a href="/mitigations/M1031"> Network Intrusion Prevention </a> </td> <td> <p>Wireless intrusion prevention systems (WIPS) can identify traffic patterns indicative of adversary-in-the-middle activity and scan for evils twins and rogue access points.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1017"> M1017 </a> </td> <td> <a href="/mitigations/M1017"> User Training </a> </td> <td> <p>Train users to be suspicious about access points marked as "Open" or "Unsecure" as well as certificate errors. Certificate errors may arise when the application’s certificate does not match the one expected by the host.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0029"> <td> <a href="/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/datasources/DS0029">Network Traffic</a> </td>  <td> <a href="/datasources/DS0029/#Network%20Traffic%20Content">Network Traffic Content</a> </td> <td> <p>Monitor network traffic for suspicious/malicious behavior involving evil twin attacks. Intrusion prevention systems (WIDS) can identify traffic patterns indicative of activity associated with evil twins, rogue access points, and adversary-in-the-middle activity.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Flow"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing), as well as usage of network management protocols such as enabling DHCP snooping, may be helpful in identifying rogue hardware.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Cisco. (n.d.). Configuring DHCP Snooping. Retrieved September 17, 2024."data-reference="cisco dhcp snooping"><sup><a href="https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html#wp1120427" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> Additionally, wireless pentesting hardware is often limited to older <code>802.11</code> protocols such as <code>802.11g</code> or <code>802.11a</code>.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September 17, 2024."data-reference="specter ops evil twin"><sup><a href="https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/" target="_blank"> Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’ WiFi attack on plane. Retrieved September 17, 2024. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks" target="_blank"> AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent them. Retrieved September 17, 2024. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59" target="_blank"> Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin Attack. Retrieved September 17, 2024. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4.0"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee" target="_blank"> Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September 17, 2024. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank"> Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html#wp1120427" target="_blank"> Cisco. (n.d.). Configuring DHCP Snooping. Retrieved September 17, 2024. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script>  <script src="/theme/scripts/resizer.js"></script>  <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Adversary-in-the-Middle: Evil Twin, Sub-technique T1557.004 - Enterprise | MITRE ATT&CK®