MITRE ATT&CK® Analytic

AN1069: Analytic 1069

Detects rogue Wi-Fi access points broadcasting the same SSID as legitimate APs with stronger signal strength, unexpected MAC/BSSID values, or inconsistent encryption settings. Correlates authentication attempts, captive portal redirections, and anomalous traffic flows through unauthorized APs.

Domain: Enterprise · ID: AN1069 · Type: Analytic · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about finding rogue Wi-Fi access points that impersonate legitimate corporate wireless networks. For leaders, the practical issue is trust in the local network: if users or devices connect through an unauthorized AP, credential capture, traffic interception, policy bypass, and loss of visibility during an investigation all become more likely. The business value is validating that wireless monitoring can distinguish approved infrastructure from lookalike SSIDs, unexpected BSSIDs, encryption mismatches, and suspicious authentication or redirection behavior.

Executive priority

Prioritize this where wireless access supports business operations, guest access, executive areas, regulated environments, or locations with sensitive operational activity. Leaders should ask whether the organization has an authoritative inventory of legitimate APs and BSSIDs, whether wireless telemetry is retained for investigation, and whether SOC teams can escalate rogue AP findings into facilities, network, and incident response workflows. This is also useful audit evidence for network access governance and physical/cyber security coordination.

Technical view

The supplied ATT&CK object is a detection analytic for Network Devices. It focuses on rogue Wi-Fi APs that broadcast the same SSID as legitimate APs while showing stronger signal strength, unexpected MAC/BSSID values, or inconsistent encryption settings, and on correlating authentication attempts, captive portal redirections, and anomalous traffic flows through those unauthorized APs. SOC and detection teams should validate that approved SSID-to-BSSID mappings, encryption configurations, AP inventories, authentication logs, wireless controller events, and network flow data can be joined on common keys (BSSID, client MAC, site). Because no official detection logic is provided, local baselining and asset inventory quality are decisive.

Likely telemetry

  • Wireless controller or network device logs
  • Approved AP inventory with MAC/BSSID mappings
  • SSID and encryption configuration data
  • Signal strength observations or wireless scanning results
  • Authentication attempt logs

Detection direction

  • Validate that legitimate SSIDs, BSSIDs, AP locations, and encryption settings are documented and machine-correlatable.
  • Tune for same-SSID broadcasts with unexpected BSSID/MAC values, encryption mismatches, or abnormal signal strength relative to known AP placement.
  • Correlate wireless anomalies with authentication attempts, captive portal redirects, and traffic flows rather than relying on SSID name alone.
  • Account for benign changes such as AP replacement, maintenance, temporary equipment, or misconfigured authorized devices to reduce false positives.
  • Review blind spots where wireless scanning is absent, branch sites are unmanaged, guest Wi-Fi is separated from SOC telemetry, or network flows cannot be tied back to AP infrastructure.
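The detection direction above, carried through as an added example (this is not code from MITRE or Glexia, and the inventory, RSSI bands, change window, scan observations and authentication events are all constructed). It assumes a fixed site sensor reports scan results with an RSSI, and that the wireless controller exports association and captive-portal events keyed by BSSID. The logic flags same-SSID broadcasts from unknown BSSIDs, encryption mismatches, signal stronger than the expected band for the site, escalates when clients actually tried to join the suspect BSSID, and suppresses a BSSID that change control has cleared for a planned AP replacement:

```python
"""Rogue Wi-Fi AP triage over constructed scan and authentication records.

Added example, not part of the ATT&CK object or the Glexia analysis.
All identifiers, inventory entries and log lines below are constructed.
"""
from collections import Counter

# Approved inventory (constructed): SSID -> BSSID -> (security mode, site).
APPROVED = {
    "corp-wifi": {
        "aa:bb:cc:dd:ee:01": ("WPA2-ENT", "HQ-3F"),
        "aa:bb:cc:dd:ee:02": ("WPA2-ENT", "HQ-4F"),
    },
    "corp-guest": {
        "aa:bb:cc:dd:ee:03": ("WPA2-PSK", "HQ-3F"),
    },
}

# Expected RSSI band (dBm) seen by the fixed sensor at each site, derived from
# AP placement. A reading stronger than the upper bound is suspicious.
EXPECTED_RSSI = {"HQ-3F": (-75, -50), "HQ-4F": (-75, -50)}

# Change control (constructed): (ssid, bssid) pairs cleared for a planned AP swap.
CHANGE_WINDOW = {("corp-wifi", "aa:bb:cc:dd:ee:10")}

# Constructed scan observations from site sensors.
SCAN_LOG = [
    {"site": "HQ-3F", "ssid": "corp-wifi",  "bssid": "aa:bb:cc:dd:ee:01", "security": "WPA2-ENT", "rssi": -58},
    {"site": "HQ-3F", "ssid": "corp-wifi",  "bssid": "02:11:22:33:44:55", "security": "OPEN",     "rssi": -31},
    {"site": "HQ-4F", "ssid": "corp-wifi",  "bssid": "aa:bb:cc:dd:ee:10", "security": "WPA2-ENT", "rssi": -60},
    {"site": "HQ-3F", "ssid": "corp-guest", "bssid": "aa:bb:cc:dd:ee:03", "security": "OPEN",     "rssi": -62},
    {"site": "HQ-3F", "ssid": "cafe-free",  "bssid": "02:aa:bb:cc:dd:ee", "security": "OPEN",     "rssi": -70},
]

# Constructed controller events: which BSSID each client tried to join.
AUTH_LOG = [
    {"client": "3c:22:fb:00:00:01", "bssid": "02:11:22:33:44:55", "event": "assoc"},
    {"client": "3c:22:fb:00:00:01", "bssid": "02:11:22:33:44:55", "event": "portal-redirect"},
    {"client": "3c:22:fb:00:00:09", "bssid": "aa:bb:cc:dd:ee:01", "event": "eap-success"},
]


def assess(scans, auth_events, approved=APPROVED, expected_rssi=EXPECTED_RSSI,
           change_window=CHANGE_WINDOW):
    """Return a list of findings (ssid, bssid, site, severity, reasons) in scan order."""
    # Client attempts per BSSID: association or portal redirect, not successful EAP.
    attempts = Counter(e["bssid"] for e in auth_events
                       if e["event"] in ("assoc", "portal-redirect"))
    findings = []
    for obs in scans:
        ssid, bssid = obs["ssid"], obs["bssid"]
        if ssid not in approved:
            continue  # foreign SSID: not an impersonation of our network
        reasons = []
        known = approved[ssid].get(bssid)
        if known is None:
            if (ssid, bssid) in change_window:
                # Planned replacement: record for audit, do not alert.
                findings.append({"ssid": ssid, "bssid": bssid, "site": obs["site"],
                                 "severity": "info",
                                 "reasons": ["BSSID cleared by change window"]})
                continue
            reasons.append("unexpected BSSID for approved SSID")
            expected_sec = {sec for sec, _ in approved[ssid].values()}
            if obs["security"] not in expected_sec:
                reasons.append(f"encryption mismatch: {obs['security']} vs {sorted(expected_sec)}")
        else:
            sec, _site = known
            if obs["security"] != sec:
                # Authorized AP with drifted config: verify, lower priority than a rogue.
                reasons.append(f"authorized AP security drift: {obs['security']} vs {sec}")
        lo, hi = expected_rssi.get(obs["site"], (-100, 0))
        if obs["rssi"] > hi:
            reasons.append(f"signal {obs['rssi']} dBm stronger than expected band {lo}..{hi}")
        if not reasons:
            continue
        n = attempts[bssid]
        if n:
            reasons.append(f"{n} client association/portal events observed")
        severity = "high" if known is None and n else ("medium" if known is None else "low")
        findings.append({"ssid": ssid, "bssid": bssid, "site": obs["site"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess(SCAN_LOG, AUTH_LOG):
        print(f["severity"].upper(), f["ssid"], f["bssid"], f["site"], "; ".join(f["reasons"]))
```

On the constructed data the open AP at 02:11:22:33:44:55 is reported high (unknown BSSID, open where the inventory expects WPA2-ENT, far stronger than the site band, and two client events including a portal redirect), the change-window BSSID is recorded as info, and the guest AP that drifted to open is reported low for configuration review. Emptying the change window turns the replacement AP into a medium finding, which is the false positive the change-control bullet is meant to avoid.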

Mitigation priorities

  • Maintain an authoritative inventory of authorized wireless infrastructure, including SSIDs, BSSIDs, encryption settings, and locations.
  • Standardize change control for AP deployment, replacement, and configuration changes so detections can distinguish planned changes from suspicious activity.
  • Ensure wireless controller, authentication, and network flow telemetry is retained and accessible to SOC and incident response teams.
  • Define response procedures for suspected rogue APs that include network, facilities, physical security, and incident response stakeholders.
  • Use findings to validate wireless security governance and compliance evidence, especially for sensitive sites or regulated environments.

Analyst notes and limits

The object provides a high-level analytic description but no official detection logic, tactic mapping, related techniques, or relationship context. Treat this as a coverage validation prompt: the key question is whether the organization can prove what wireless infrastructure is legitimate and detect deviations with supporting telemetry.

This take is limited to the supplied ATT&CK fields. It does not establish active exploitation, adversary attribution, guaranteed detection coverage, or impact. Local wireless architecture, inventory accuracy, log availability, and physical site conditions are required to determine risk and detection quality.

Official MITRE ATT&CK definition

Analytic 1069

Detects rogue Wi-Fi access points broadcasting the same SSID as legitimate APs with stronger signal strength, unexpected MAC/BSSID values, or inconsistent encryption settings. Correlates authentication attempts, captive portal redirections, and anomalous traffic flows through unauthorized APs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: not provided in the mirrored snapshot
Modified: not provided in the mirrored snapshot
Raw hash: 206c54b5139c79ac...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 206c54b5139c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1069 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.