Detection of Wireless Compromise

Technique Detected: Wireless Compromise | T0860

ID: DET0726
Domains: ICS
Analytics: AN1859
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1859

Monitor login sessions for new or unexpected devices or sessions on wireless networks.
Monitor application logs for new or unexpected devices or sessions on wireless networks.
New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks, monitor for changes such as rogue access points or low signal strength, which indicates that a device is farther from the access point than expected, and for changes in the physical-layer signal.[1] [2] Network traffic content provides important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.
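
One way to apply these checks to wireless association records, as an added example that is not part of the original analytic: it flags an access point BSSID outside the authorized set for an SSID, a client MAC not in the inventory, a user account that does not match the device, and a signal weaker than the device's normal floor. The key=value log format, the baseline tables, the 10 dB margin and all addresses are constructed assumptions.

```python
"""Baseline checks for wireless association events (added example, constructed data)."""

# Assumed baseline, normally built from an asset inventory and a site survey.
AUTHORIZED_BSSIDS = {"PLANT-OT": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}}
KNOWN_CLIENTS = {  # client MAC -> (expected user, weakest normal RSSI in dBm)
    "02:00:00:bb:00:10": ("hmi-svc", -65),
    "02:00:00:bb:00:11": ("eng-laptop", -70),
}
RSSI_MARGIN_DB = 10  # hypothetical tolerance before a weak signal is reported

# Constructed sample lines; the key=value layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
2025-10-21T08:00:01Z ssid=PLANT-OT bssid=02:00:00:aa:00:01 client=02:00:00:bb:00:10 user=hmi-svc rssi=-58
2025-10-21T08:03:12Z ssid=PLANT-OT bssid=02:00:00:aa:00:02 client=02:00:00:bb:00:11 user=eng-laptop rssi=-86
2025-10-21T08:05:40Z ssid=PLANT-OT bssid=02:00:00:cc:00:99 client=02:00:00:bb:00:10 user=hmi-svc rssi=-55
2025-10-21T08:09:27Z ssid=PLANT-OT bssid=02:00:00:aa:00:01 client=02:00:00:dd:00:42 user=eng-laptop rssi=-60
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with normalized MACs and integer RSSI."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event.update(ts=ts, rssi=int(event["rssi"]),
                 bssid=event["bssid"].lower(), client=event["client"].lower())
    return event

def findings_for(event):
    """Return the list of baseline deviations for one association event."""
    out = []
    if event["bssid"] not in AUTHORIZED_BSSIDS.get(event["ssid"], set()):
        out.append("unauthorized_bssid")   # possible rogue access point
    known = KNOWN_CLIENTS.get(event["client"])
    if known is None:
        out.append("unknown_client")       # new or unexpected device
    else:
        user, rssi_floor = known
        if event["user"] != user:
            out.append("unexpected_user")  # account does not match the device
        if event["rssi"] < rssi_floor - RSSI_MARGIN_DB:
            out.append("weak_signal")      # farther from the AP than expected
    return out

def analyze(log_text):
    """Return (timestamp, finding, client MAC) tuples for every deviation in the log."""
    results = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_line(line)
        results += [(event["ts"], f, event["client"]) for f in findings_for(event)]
    return results

if __name__ == "__main__":
    for ts, finding, client in analyze(SAMPLE_LOG):
        print(ts, finding, client)
```

MAC addresses can be changed by the device owner, so a clean result on the MAC check alone does not establish that a device is the expected one; the signal and account checks add independent context.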

Log Sources

Data Component | Name | Channel
Logon Session Creation (DC0067) | Logon Session | None
Application Log Content (DC0038) | Application Log | None
Network Traffic Flow (DC0078) | Network Traffic | None

References