AN1476: Analytic 1476
Detects anomalous wireless connections such as unexpected SSID associations, failed or repeated authentication attempts, and connections outside of known geofenced networks. Defenders should monitor wireless connection logs and event codes for network discovery, authentication, and association events.
Analyst context for executives and security teams
AN1476 is a Windows-focused detection analytic for spotting unusual wireless network behavior, such as unexpected SSID connections, repeated or failed authentication, and connections occurring outside known geofenced areas. Its business value is in catching endpoint network exposure that may bypass normal perimeter assumptions, indicate user/device misconfiguration, or reveal risky connectivity patterns that affect incident response and compliance evidence.
Executive priority
Security leaders should treat this as a control-validation item for organizations that rely on Windows endpoints and wireless access. The key decision is whether the business can prove which devices connected to which wireless networks, from where, and whether those events are reviewed for anomalies. This supports operational resilience, investigation readiness, and auditability around endpoint network access, especially for mobile or distributed workforces.
Technical view
SOC and detection teams should validate that Windows wireless connection telemetry is collected and normalized for SSID association, authentication success/failure, repeated authentication attempts, and location or geofence context where available. Because ATT&CK provides no formal detection logic for this analytic, teams should define local baselines for approved SSIDs, expected locations, normal authentication failure rates, and known roaming behavior before alerting on anomalies.
Likely telemetry
- Windows wireless connection logs
- Wireless authentication and association events
- Event codes related to network discovery, authentication, and association
- SSID names and connection history
- Authentication success and failure records
Detection direction
- Confirm that wireless connection and authentication events are actually collected from Windows endpoints and retained long enough for investigations.
- Build allowlists or baselines for expected SSIDs and known geofenced networks before alerting on unexpected associations.
- Tune repeated or failed authentication thresholds to reduce noise from normal roaming, weak signal, password changes, or helpdesk troubleshooting.
- Correlate wireless anomalies with device identity, user identity, time, and location context to distinguish risky behavior from normal travel or office movement.
- Document blind spots where endpoints do not report wireless telemetry, where geofence data is unavailable, or where unmanaged networks are outside monitoring scope.
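The baseline-driven checks described in the Technical view and Detection direction sections (approved-SSID allowlist, SSID-to-site geofence, and a tuned repeated-authentication-failure threshold) as an added example; this is not code from the analytic or from ATT&CK, and the event records, SSIDs, sites, hostnames and thresholds are constructed placeholders assumed to come from a normalized wireless telemetry feed.

```python
"""Baseline-driven wireless anomaly checks over constructed, normalized events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical local baselines (assumption: populated from the org's own inventory).
APPROVED_SSIDS = {"CorpWiFi", "CorpGuest"}
GEOFENCE = {"CorpWiFi": {"HQ", "Branch-1"}}           # SSID -> sites where it may appear
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)   # tuned to ignore slow roaming noise

# Constructed sample of normalized wireless events (not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "LT-01", "user": "alice", "kind": "assoc", "ssid": "CorpWiFi", "site": "HQ"},
    {"ts": "2024-05-01T09:00:02", "host": "LT-01", "user": "alice", "kind": "auth_ok", "ssid": "CorpWiFi", "site": "HQ"},
    {"ts": "2024-05-01T12:10:00", "host": "LT-02", "user": "bob", "kind": "assoc", "ssid": "FreeAirportWiFi", "site": "unknown"},
    {"ts": "2024-05-01T13:00:00", "host": "LT-03", "user": "carol", "kind": "auth_fail", "ssid": "CorpWiFi", "site": "HQ"},
    {"ts": "2024-05-01T13:00:20", "host": "LT-03", "user": "carol", "kind": "auth_fail", "ssid": "CorpWiFi", "site": "HQ"},
    {"ts": "2024-05-01T13:00:45", "host": "LT-03", "user": "carol", "kind": "auth_fail", "ssid": "CorpWiFi", "site": "HQ"},
    {"ts": "2024-05-01T15:30:00", "host": "LT-01", "user": "alice", "kind": "assoc", "ssid": "CorpWiFi", "site": "Cafe-Remote"},
    {"ts": "2024-05-01T16:00:00", "host": "LT-04", "user": "dave", "kind": "auth_fail", "ssid": "CorpWiFi", "site": "HQ"},
    {"ts": "2024-05-01T17:00:00", "host": "LT-04", "user": "dave", "kind": "auth_fail", "ssid": "CorpWiFi", "site": "HQ"},
]

def detect(events, approved=APPROVED_SSIDS, geofence=GEOFENCE,
           threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return (rule, host, user, ssid) tuples, one per anomaly, in time order."""
    alerts, recent_fails = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["user"], e["ssid"])        # device + user + network context
        if e["kind"] == "assoc" and e["ssid"] not in approved:
            alerts.append(("unexpected_ssid",) + key)
        if e["kind"] == "assoc" and e["ssid"] in geofence and e["site"] not in geofence[e["ssid"]]:
            alerts.append(("outside_geofence",) + key)
        if e["kind"] == "auth_fail":
            # keep only failures inside the sliding window, then add this one
            recent_fails[key] = [t for t in recent_fails[key] if ts - t <= window] + [ts]
            if len(recent_fails[key]) == threshold:      # fire once, when the threshold is crossed
                alerts.append(("repeated_auth_failure",) + key)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The two failures an hour apart on LT-04 fall outside the five-minute window and produce no alert, which is the kind of roaming or helpdesk noise the threshold tuning is meant to suppress.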
Mitigation priorities
- Maintain an inventory of approved wireless networks and expected SSIDs for managed Windows endpoints.
- Ensure endpoint and wireless telemetry collection is enabled, centralized, and reviewable by SOC or incident response teams.
- Use policy and access controls to discourage or prevent connections to unauthorized wireless networks where operationally appropriate.
- Define investigation playbooks for unexpected SSID association, repeated authentication failures, and out-of-geofence wireless connections.
- Periodically test logging and alerting assumptions as part of detection engineering or compliance-readiness activities.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic rather than a technique or procedure, and no tactic, relationship context, or official detection query is provided. The strongest use is as a prompt to validate wireless telemetry coverage and anomaly criteria for Windows endpoints.
This take is limited to the official fields supplied for AN1476. It does not establish adversary use, impact, attribution, or complete detection coverage. Local network architecture, endpoint management scope, geofence availability, and wireless logging configuration are required to determine practical effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7a6a30bd98cd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1476 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.