**IOC Case: Wi-Fi Impersonation and WPA2/3 Handshake Capture**
**1. Attacker Analogy**

Technical Scenario:
An attacker deploys an "evil twin" Wi-Fi access point with the same SSID (network name) as a legitimate network. Devices auto-connect to remembered SSIDs without prompting the user. The attacker silently captures the WPA2/WPA3 four-way handshake as the client connects. The handshake carries key-derived material (the nonces and a message integrity code computed from the pre-shared key) that can be targeted with offline brute-force or dictionary attacks. If successful, the attacker gains the Wi-Fi password and full access to network traffic. Some attackers follow this by presenting a fake captive portal to steal credentials or deliver malware.

Narrative Analogy:
Imagine a fake coffee shop opens across the street from a trusted local café. The imposter uses the same name, decor, and Wi-Fi name. Loyal customers connect to the network without thinking twice. The fake shop logs their login attempts and payment information. The attackers don’t storm the real café—they let users come to them. In this analogy, the handshake is the login attempt to the fake Wi-Fi. Captive portals are the fake login screens. This isn't a brute-force burglary. It's social mimicry plus technical mimicry—a con, executed in silicon and airwaves.

**2. Source of IOC (Telemetry Origin)**
Wireless packet capture during IR investigation (e.g. PCAP from Wi-Fi controller or local capture interface)

Endpoint agent logs showing Wi-Fi roaming behavior

SIEM logs showing repeated failed connection attempts or DNS requests from unexpected subnets

**3. Triage Framework Declaration**
Triage Type: Host-Based Indicator of Compromise
Standard Tools:

Windows Event Logs – Review WLAN connection events (Event ID 8001 in the WLAN-AutoConfig Operational log records each successful connection together with the SSID and BSSID it joined)

EDR Telemetry – Detect rogue Wi-Fi connection attempts, changes to network adapters

File System / Registry Inspection – Identify stored SSID profiles, wireless profile tampering

Volatile Memory Capture – Reveal connected SSIDs, stored PSKs, and active DNS/malware payloads

Soft Interpretation:
(We begin inside the host: logs tell us what network the device believed it was connecting to, and EDR shows if something unusual happened at the network interface layer. This is a local device tricked by an external impostor—its confusion shows up in subtle forensic details.)

**4. OS Layer Mapping**
Operating System Layer:

Layer 6: Network Communication Context
The attacker manipulates the interface between the host OS and its surrounding wireless environment. This is where the OS maintains active Wi-Fi sessions, stores SSID profiles, and transmits encryption handshakes.

Soft Interpretation:
(This layer is the bridge between the device and the air. The attacker doesn’t need to break the device—they hijack the tunnel just before it’s built. All activity feels normal to the OS until something unexpected happens in memory or post-connection traffic.)

**5. Cross-Layer Interaction**
Primary Transition: Layer 6 → Layer 1

The attacker uses environmental deception to force the OS to initiate a Layer 6 communication (the Wi-Fi join process) with a malicious target. Malicious payloads delivered through Layer 6 (network context) may then trigger process execution (Layer 1) or establish persistence (Layer 2), depending on how the attacker leverages the connection.

Soft Interpretation:
(The attacker uses the network communication layer as a lure. Once the host takes the bait, the rest of the system may follow—first a session, then a process, then a foothold.)

**6. OSI Layer Relevance**
Primary OSI Layer:

Layer 2 (Data Link) – Wi-Fi MAC address spoofing and SSID mimicry

Layer 7 (Application) – Malicious captive portals, DNS redirection

Layer 4 (Transport) – TLS downgrade attempts during portal injection

Layer 1 (Physical) – Radio signal exploitation and access point broadcasting

Soft Interpretation:
(This is one of the few attacks that spans every layer from 1 through 7. It starts in the air (Layer 1), tricks the trust system (Layer 2), lures the browser (Layer 7), and sometimes dips down to alter secure tunnels (Layer 4). It’s elegant and multi-dimensional.)

**7. Attacker Behavior Interpretation**
The attacker relies on passive trust: user devices are trained to auto-connect to known SSIDs.

They use tools like airbase-ng, hostapd, or Wi-Fi Pineapple to clone legitimate networks.

They capture the WPA handshake with airodump-ng or similar and use hashcat to brute-force the PSK offline.

If successful, they can either join the legitimate network later or impersonate it forever.

Sometimes they never need the password—just enough trickery to get users into a fake captive portal.

Soft Interpretation:
(The attacker doesn’t need violence—just a disguise. They set the stage, mimic the signal, and let devices walk themselves into the trap.)

**8. Defender Action Summary**
Investigate: SIEM alerts showing failed connection attempts, NetFlow anomalies

Capture: Wireless packet data to confirm spoofed beacon frames and handshake logs

Correlate: EDR and system logs showing device movement or unusual SSID associations

Mitigate: Isolate affected devices, rotate credentials, audit access point configurations

Soft Interpretation:
(We hunt the phantom AP by following digital breadcrumbs. Each breadcrumb is a signal, a failed join, a strange MAC, a missing certificate. We don’t need to fight it—we just need to find it and shut the door.)
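As an added illustration of the capture and correlate steps above, and of the Event ID 8001 review in section 3, the following Python is example code written for this page, not a tool from the original: it flags beacons that advertise a managed SSID from a BSSID the controller does not own, notes whether the clone also downgraded the advertised security, and checks host association records against the same allowlist. The SSIDs, BSSIDs and host names are constructed, and the allowlist format is assumed.

```python
"""Evil-twin indicators from constructed beacon observations and host Wi-Fi association records."""

# Authorized BSSID -> SSID mapping, as it might be exported from the Wi-Fi controller (assumed format).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "CafeGuest",
    "aa:bb:cc:00:00:02": "CafeGuest",
}

# Constructed beacon observations from a wireless sensor: (ssid, bssid, channel, advertised security).
BEACONS = [
    ("CafeGuest", "aa:bb:cc:00:00:01", 6,  "WPA2-PSK"),
    ("CafeGuest", "aa:bb:cc:00:00:02", 11, "WPA2-PSK"),
    ("CafeGuest", "de:ad:be:ef:00:01", 6,  "WPA2-PSK"),   # clone with matching security
    ("CafeGuest", "de:ad:be:ef:00:02", 1,  "OPEN"),       # clone downgraded to open (captive-portal style)
    ("Printer",   "aa:bb:cc:00:00:09", 1,  "WPA2-PSK"),   # unrelated SSID, not a twin
]

# Constructed host-side records in the shape of the fields Event ID 8001 carries: (host, SSID, BSSID).
ASSOCIATIONS = [
    ("LAPTOP-01", "CafeGuest", "aa:bb:cc:00:00:01"),
    ("LAPTOP-02", "CafeGuest", "de:ad:be:ef:00:02"),
]


def evil_twin_beacons(beacons, authorized):
    """Return beacons that advertise a managed SSID from a BSSID we do not own.

    'downgraded' is True when the clone advertises weaker security than our own APs do
    for that SSID, the pattern behind open captive-portal twins.
    """
    managed = set(authorized.values())
    expected_sec = {}
    for ssid, bssid, _ch, sec in beacons:
        if bssid in authorized:                      # learn what our real APs advertise
            expected_sec.setdefault(ssid, sec)
    findings = []
    for ssid, bssid, ch, sec in beacons:
        if ssid in managed and bssid not in authorized:
            findings.append({"ssid": ssid, "bssid": bssid, "channel": ch,
                             "downgraded": sec != expected_sec.get(ssid, sec)})
    return findings


def rogue_associations(associations, authorized):
    """Return hosts whose association record names a managed SSID on a foreign BSSID."""
    managed = set(authorized.values())
    return [(host, ssid, bssid) for host, ssid, bssid in associations
            if ssid in managed and bssid not in authorized]


if __name__ == "__main__":
    for finding in evil_twin_beacons(BEACONS, AUTHORIZED):
        print("rogue beacon:", finding)
    for host, ssid, bssid in rogue_associations(ASSOCIATIONS, AUTHORIZED):
        print(f"{host} joined {ssid} via unauthorized BSSID {bssid}: isolate and review")
```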

**9. Attacker Strategy Notes**
This is a precision psychological and technical attack.

It works best in public spaces, flat networks, or poorly monitored Wi-Fi zones.

It depends on predictable client behavior (auto-connect to known SSIDs).

It's quiet: no exploits, no malware—just redirection and patience.

It can stage future attacks, including credential theft and internal lateral movement.

**10. Who’s Who – Object Role Clarification**
| Object | Role in Attack or Defense |
|---|---|
| Evil Twin AP | Fake access point used to lure client devices |
| Client Device | Victim endpoint, tricked into initiating connection |
| WPA2/WPA3 Four-Way Handshake | Encryption process captured and attacked offline |
| Hashcat | Common brute-force tool used against handshake |
| Captive Portal | Fake login or malware delivery web page |
| SIEM | Alerts on unusual connection behavior |
| EDR | Tracks SSID associations, DNS queries, process anomalies |
| airodump-ng / airbase-ng | Tools used to clone networks and capture handshake traffic |

**11. Addendum – WPA2/WPA3 Four-Way Handshake Summary**
The WPA2/WPA3 4-way handshake is a cryptographic exchange between a client and access point. It includes:

AP sends ANonce (random value) to client.

Client responds with SNonce + MIC (message integrity code); the MIC is computed with a key derived from the pre-shared key (PSK) and both nonces.

AP validates the MIC, sends Group Temporal Key (GTK).

Client sends final ACK. Secure channel established.

If an attacker captures Message 2 (together with the ANonce from Message 1 and both MAC addresses, which the MIC computation requires), they can try offline dictionary attacks using tools like hashcat to guess the PSK. This is possible even without active interaction from the user. This offline guessing applies to WPA2-PSK; in WPA3-Personal the PMK is established through SAE, a password-authenticated key exchange, so a captured four-way handshake does not by itself allow offline guessing of the passphrase.
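To make concrete what the captured handshake exposes, here is an added Python example (not from the original page) that carries out the WPA2-PSK key derivation defined in IEEE 802.11i: PMK from the passphrase and SSID, PTK from the PMK, both MAC addresses and both nonces, and the Message 2 MIC over the EAPOL-Key frame (key descriptor version 2, HMAC-SHA1-128). The SSID, MAC addresses, nonces and passphrase are constructed values, not a real capture; the RSN IE is a typical CCMP/PSK element used as the Message 2 key data.

```python
"""WPA2-PSK four-way handshake key derivation and Message 2 MIC check (IEEE 802.11i)."""
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (64 bytes for CCMP) from the PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)

def build_eapol_key(key_info: int, nonce: bytes, mic: bytes, key_data: bytes) -> bytes:
    """EAPOL-Key frame: 802.1X header + RSN key descriptor (type 2); the MIC field is bytes 81..96."""
    desc = (b"\x02" + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + nonce + bytes(16) + bytes(8) + bytes(8) + mic + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(desc).to_bytes(2, "big") + desc

def message2_mic(passphrase, ssid, aa, spa, anonce, snonce, key_data) -> bytes:
    """MIC the client places in Message 2: HMAC-SHA1(KCK, frame with MIC zeroed)[:16] (descriptor v2)."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    frame = build_eapol_key(0x010A, snonce, bytes(16), key_data)  # key info: version 2, pairwise, MIC bit
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]  # KCK = PTK[0:16]

# Constructed handshake fields (hypothetical values, not a real capture).
SSID, AP_MAC, CLIENT_MAC = "CafeGuest", bytes.fromhex("aabbcc000001"), bytes.fromhex("112233445566")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE carried as key data

def verify_message2_mic(passphrase: str, captured_mic: bytes) -> bool:
    """True if this passphrase reproduces the MIC seen in the captured Message 2."""
    computed = message2_mic(passphrase, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, RSN_IE)
    return hmac.compare_digest(computed, captured_mic)

if __name__ == "__main__":
    mic = message2_mic("correct horse battery staple", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, RSN_IE)
    print("Message 2 MIC:", mic.hex())
    print("wrong passphrase verifies:", verify_message2_mic("password123", mic))
```

Everything the MIC depends on except the passphrase is visible in Messages 1 and 2, which is why passphrase entropy is the only protection left for a WPA2-PSK network once the handshake is captured; WPA3-SAE establishes the PMK differently, so this derivation does not apply there.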