Skip to content

DET0536 Detection Strategy for Wi-Fi Networks

Item Value
ID DET0536
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1669 (Wi-Fi Networks)

Analytics

Windows

AN1476

Detects anomalous wireless connections such as unexpected SSID associations, failed or repeated authentication attempts, and connections outside of known geofenced networks. Defenders should monitor wireless connection logs and event codes for network discovery, authentication, and association events.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Microsoft-Windows-WLAN-AutoConfig EventCode=8001, 8002, 8003
User Account Authentication (DC0002) WinEventLog:Security EventCode=4776, 4625
Mutable Elements
Field Description
KnownSSIDList Defines approved Wi-Fi SSIDs for the environment; deviations may indicate malicious connection attempts.
GeoLocationContext Correlates expected physical location of systems with observed Wi-Fi connections to detect anomalies.

Linux

AN1477

Detects unauthorized wireless associations by monitoring wpa_supplicant logs, NetworkManager events, and system calls related to interface state changes. Anomalies include repeated association failures, new SSIDs outside baselined values, and rogue AP connections.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) linux:syslog New Wi-Fi connection established or repeated association failures
Network Traffic Flow (DC0078) auditd:SYSCALL ioctl: Changes to wireless network interfaces (up, down, reassociate)
Mutable Elements
Field Description
AllowedSSIDRegex Regex-based whitelist of corporate SSIDs; anomalous matches indicate suspicious activity.
RetryThreshold Number of failed association attempts allowed before triggering detection.

macOS

AN1478

Detects unauthorized Wi-Fi associations and SSID scanning activity using unified logs and airport command telemetry. Anomalies include rapid SSID switching, connections to unapproved SSIDs, or repeated authentication failures.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) macos:unifiedlog Association and authentication events including failures and new SSIDs
Network Traffic Flow (DC0078) macos:osquery query: Historical list of associated SSIDs compared against baseline
Mutable Elements
Field Description
BaselineSSIDHistory Historical record of corporate SSID associations per device; deviations may indicate rogue AP usage.

Network Devices

AN1479

Detects rogue or suspicious wireless access attempts by monitoring firewall, WIDS/WIPS, and controller logs. Focus is on firewall rule changes, rogue AP detection, and anomalous MAC addresses connecting to access points.

Log Sources
Data Component Name Channel
Firewall Rule Modification (DC0051) NSM:Firewall rule_modification: New or modified firewall rules related to wireless interfaces
Network Traffic Content (DC0085) WIDS:AssociationLogs Unauthorized AP or anomalous MAC address connection attempts
Mutable Elements
Field Description
AuthorizedAPList Defines known access points and MAC addresses; deviations highlight rogue or unauthorized devices.