From 643adcd04bcaba037d0d64c846da6e610f315e96 Mon Sep 17 00:00:00 2001
From: privet-username <153746758+privet-username@users.noreply.github.com>
Date: Sun, 10 May 2026 17:26:43 +0100
Subject: [PATCH 1/4] Add rule for Win connection to suspicious WiFi
---
 .../security/win_security_susp_bssid.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/windows/builtin/security/win_security_susp_bssid.yml
diff --git a/rules/windows/builtin/security/win_security_susp_bssid.yml b/rules/windows/builtin/security/win_security_susp_bssid.yml
new file mode 100644
index 00000000000..4c6e1766465
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_bssid.yml
@@ -0,0 +1,37 @@
+title: Connection to Suspicious Wi-Fi Device
+id: 0e823ab7-79f9-4b42-bc68-3310f6ae9a50
+status: experimental
+description: Detects an authentication attempt to a Wi-Fi network where the Access Point's BSSID matches the OUI of devices commonly used for Rogue AP or Evil Twin attacks (Raspberry Pi, Alfa Network).
+references:
+ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5632
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5632
+ - https://standards-oui.ieee.org/oui/oui.txt
+author: Vladimir Novikov
+date: 2026-05-10
+tags:
+ - attack.collection
+ - attack.credential-access
+ - attack.t1557.004
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5632
+ PeerAddress|startswith:
+ # Raspberry Pi
+ - '28:CD:C1'
+ - '2C:CF:67'
+ - '3A:35:41'
+ - '88:A2:9E'
+ - '8C:1F:64'
+ - 'D8:3A:DD'
+ - 'DC:A6:32'
+ - 'E4:5F:01'
+ - 'F0:40:AF'
+ # Alfa Network
+ - '00:C0:CA'
+ condition: selection
+falsepositives:
+ - Legitimate use of Raspberry Pi or Alfa Network adapters as authorized Access Points.
+level: medium
From 3542e49d4c9290699ab5b84215c2bae0fa007901 Mon Sep 17 00:00:00 2001
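Review bot: The Raspberry Pi list under `PeerAddress|startswith` omits `B8:27:EB`, which as far as I can tell is the Raspberry Pi Foundation block carried by the Pi 1–3 and Zero generations that are the cheapest hardware for a rogue AP, while `3A:35:41` has the locally-administered bit set (0x3A & 0x02), so it is not an IEEE-assigned OUI as the description claims and should be checked against the referenced oui.txt before it stays in. A BSSID is also trivially rewritten by an attacker, so the rule only catches operators who left the default hardware address in place; that limitation belongs in the description, e.g. `Note: the BSSID is attacker-controlled and easily spoofed; this rule only catches unmodified commodity hardware.` Matching stays case-sensitive or not depending on the backend, so the prefixes should also be documented as upper-case hex to match how Windows renders the field.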
From: privet-username <153746758+privet-username@users.noreply.github.com>
Date: Thu, 14 May 2026 15:23:06 +0100
Subject: [PATCH 2/4] Rename rule to follow naming conventions
---
 ...curity_susp_bssid.yml => win_security_wifi_rogue_ap_bssid.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/builtin/security/{win_security_susp_bssid.yml => win_security_wifi_rogue_ap_bssid.yml} (100%)
diff --git a/rules/windows/builtin/security/win_security_susp_bssid.yml b/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml
similarity index 100%
rename from rules/windows/builtin/security/win_security_susp_bssid.yml
rename to rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml
From 062388cca334fbfba31d2e36b13aa8be405affe9 Mon Sep 17 00:00:00 2001
From: privet-username <153746758+privet-username@users.noreply.github.com>
Date: Thu, 14 May 2026 15:29:52 +0100
Subject: [PATCH 3/4] Fix Raspberry Pi OUIs to use specific MA-M and MA-S blocks to prevent FPs
---
 .../builtin/security/win_security_wifi_rogue_ap_bssid.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml b/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml
index 4c6e1766465..cd8622c63d4 100644
--- a/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml
+++ b/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml
@@ -24,11 +24,11 @@ detection:
 - '2C:CF:67'
 - '3A:35:41'
 - '88:A2:9E'
- - '8C:1F:64'
+ - '8C:1F:64:34:A'
 - 'D8:3A:DD'
 - 'DC:A6:32'
 - 'E4:5F:01'
- - 'F0:40:AF'
+ - 'F0:40:AF:9'
 # Alfa Network
 - '00:C0:CA'
 condition: selection
From afb2dd904fc449f9b3d0e5f90ce41f96887d89a1 Mon Sep 17 00:00:00 2001
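Review bot: The two narrowed prefixes `8C:1F:64:34:A` and `F0:40:AF:9` are both seven hex digits, i.e. 28-bit MA-M blocks, so the commit message's "MA-S" (36-bit) does not describe either of them, and nothing in the file tells the next maintainer why these two entries are longer than the rest — they look like a typo and will be "fixed" back to three octets. A comment on each would prevent that, e.g. `# 8C:1F:64 and F0:40:AF are shared IEEE parent blocks; only these MA-M sub-blocks belong to Raspberry Pi`. Note that the sub-block strings only match if the logged value uses the same separator at exactly these positions, which the rule does not currently assert anywhere. The selection list this hunk edits starts above the hunk.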
From: Vladimir <153746758+privet-username@users.noreply.github.com>
Date: Sat, 16 May 2026 14:13:50 +0100
Subject: [PATCH 4/4] Apply suggestion from @frack113
Fix event field name
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../builtin/security/win_security_wifi_rogue_ap_bssid.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml b/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml
index cd8622c63d4..c42cf5ddcc6 100644
--- a/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml
+++ b/rules/windows/builtin/security/win_security_wifi_rogue_ap_bssid.yml
@@ -18,7 +18,7 @@ logsource:
 detection:
 selection:
 EventID: 5632
- PeerAddress|startswith:
+ PeerMac|startswith:
 # Raspberry Pi
 - '28:CD:C1'
 - '2C:CF:67'
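Review bot: Renaming the field to `PeerMac` fixes the name, but the value format is still unverified: Windows event data generally renders MAC addresses dash-separated (`AA-BB-CC-DD-EE-FF`), and if the 5632 `PeerMac` value follows that convention every colon-separated prefix under it never matches and the rule is silently dead. Confirm against the sample event on the referenced Microsoft page and either rewrite the prefixes as `28-CD-C1` etc., or state in a comment above the list that the pipeline is expected to normalise to colon form, e.g. `# PeerMac is expected in colon-separated upper-case form; adjust if your collector keeps the native dash format`. The prefix list continues past the end of this hunk.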