What starting position does this attack require?

The first step is Capture creds via portal page (T1078) — a initial access primitive. Assumed environment: target SSID is open / WPA2-PSK and devices auto-reconnect.

What is the final impact of this kill-chain?

The final step lands on Deauth clients off the legitimate AP (WIFI-DEAUTH), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Evil twin + captive portal → credential harvest

Spoof the corporate SSID with a stronger signal and a captive portal that looks like the company AD login. Auto-connecting clients submit creds to the attacker page.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Capture creds via portal page

T1078 · Valid Accounts

Credential Access

Validate creds against domain

W-AUTH-STUFFING · Credential Stuffing

Reconnaissance

Enumerate target SSID + clients

N-ARP-RECON · ARP Sweep / LAN Discovery

Initial Access

Spin up rogue AP, same SSID, captive portal

WIFI-EVIL-TWIN · Evil Twin / Rogue AP

Impact

Deauth clients off the legitimate AP

WIFI-DEAUTH · Deauthentication DoS

§ Context

Assumed environment: target SSID is open / WPA2-PSK and devices auto-reconnect. Attacker is in physical range with high-gain antenna + ESP32-class device or laptop.

§ Steps

01
Capture creds via portal pageInitial Access
T1078— Valid Accounts
02
Validate creds against domainCredential Access
W-AUTH-STUFFING— Credential Stuffing
03
Enumerate target SSID + clientsReconnaissance
N-ARP-RECON— ARP Sweep / LAN Discovery
04
Spin up rogue AP, same SSID, captive portalInitial Access
WIFI-EVIL-TWIN— Evil Twin / Rogue AP
05
Deauth clients off the legitimate APImpact
WIFI-DEAUTH— Deauthentication DoS

§ References

T1078Valid Accounts

§ Frequently asked

What is the "Evil twin + captive portal → credential harvest" attack path?: Spoof the corporate SSID with a stronger signal and a captive portal that looks like the company AD login. Auto-connecting clients submit creds to the attacker page. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Capture creds via portal page (T1078) — a initial access primitive. Assumed environment: target SSID is open / WPA2-PSK and devices auto-reconnect.
What is the final impact of this kill-chain?: The final step lands on Deauth clients off the legitimate AP (WIFI-DEAUTH), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Evil twin + captive portal → credential harvest

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

WPA2-PSK handshake capture + crack → LAN access

Leaked legacy VPN credential → ransomware (Colonial-class)

MFA fatigue / prompt-bombing → M365 admin compromise

802.1X NAC bypass via printer MAC spoof