What starting position does this attack require?

The first step is After-hours entry to target area (T1078) — a initial access primitive. Assumed environment: target uses HID 125 kHz Prox or iCLASS legacy cards (no DESFire / SEOS).

What is the final impact of this kill-chain?

The final step lands on Long-range read at brush-pass distance (SE-RFID-CLONE), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

RFID badge clone → after-hours access

Brush-pass a target employee with a long-range RFID reader, capture their HID/iCLASS card data, clone to a blank — return after hours to badge into restricted floors.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

After-hours entry to target area

T1078 · Valid Accounts

Credential Access

Drop in-room implant (rogue AP / cellular)

N-DHCP-ROGUE · Rogue DHCP Server

Initial Access

Identify card type + reader location

SE-PRETEXT · Pretexting

Initial Access

Confirm clone at a non-monitored door

SE-TAILGATE · Tailgating / Piggybacking

Initial Access

Write captured data to blank

SE-RFID-CLONE · RFID / Badge Cloning

Initial Access

Long-range read at brush-pass distance

SE-RFID-CLONE · RFID / Badge Cloning

§ Context

Assumed environment: target uses HID 125 kHz Prox or iCLASS legacy cards (no DESFire / SEOS). Physical access to a public-facing area (lobby, coffee shop, conference) where employees congregate.

§ Steps

01
After-hours entry to target areaInitial Access
T1078— Valid Accounts
02
Drop in-room implant (rogue AP / cellular)Credential Access
N-DHCP-ROGUE— Rogue DHCP Server
03
Identify card type + reader locationInitial Access
SE-PRETEXT— Pretexting
04
Confirm clone at a non-monitored doorInitial Access
SE-TAILGATE— Tailgating / Piggybacking
05
Write captured data to blankInitial Access
SE-RFID-CLONE— RFID / Badge Cloning
06
Long-range read at brush-pass distanceInitial Access
SE-RFID-CLONE— RFID / Badge Cloning

§ References

T1078Valid Accounts

§ Frequently asked

What is the "RFID badge clone → after-hours access" attack path?: Brush-pass a target employee with a long-range RFID reader, capture their HID/iCLASS card data, clone to a blank — return after hours to badge into restricted floors. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is After-hours entry to target area (T1078) — a initial access primitive. Assumed environment: target uses HID 125 kHz Prox or iCLASS legacy cards (no DESFire / SEOS).
What is the final impact of this kill-chain?: The final step lands on Long-range read at brush-pass distance (SE-RFID-CLONE), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

RFID badge clone → after-hours access

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Apple Pay Express Transit relay → high-value contactless fraud

Mifare Classic crack → cloned hotel key

Vishing → helpdesk MFA reset → account takeover

Rogue DHCP → DNS poisoning → MITM