MITRE ATT&CK® Analytic

AN1478: Analytic 1478

Detects unauthorized Wi-Fi associations and SSID scanning activity using unified logs and airport command telemetry. Anomalies include rapid SSID switching, connections to unapproved SSIDs, or repeated authentication failures.

Enterprise · AN1478 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because unauthorized or unstable Wi-Fi behavior on macOS can indicate devices connecting outside approved network paths, users attempting to join risky SSIDs, or wireless authentication problems that may weaken business connectivity and audit confidence. For leaders, the practical question is whether managed macOS endpoints can prove they are using approved wireless networks and whether SOC teams can see abnormal SSID activity before it becomes an incident response problem.

Executive priority

Prioritize this where macOS endpoints handle sensitive work over Wi-Fi, where approved network use is part of compliance evidence, or where business operations depend on reliable wireless connectivity. The value is not just detection; it is validating that endpoint logging, wireless policy enforcement, and incident triage can answer: which device associated to which SSID, when, and whether that SSID was authorized.

Technical view

AN1478 is a macOS-focused detection analytic for unauthorized Wi-Fi associations and SSID scanning activity using unified logs and airport command telemetry. SOC and detection teams should validate visibility for rapid SSID switching, connections to unapproved SSIDs, and repeated authentication failures. Because no ATT&CK tactic, relationship context, or detailed detection logic is supplied, implementation should be treated as a local detection engineering task tied to the organization’s approved SSID inventory and macOS logging configuration.

Likely telemetry

  • macOS unified logs related to Wi-Fi association, disassociation, authentication, and SSID changes
  • airport command telemetry or equivalent local wireless interface telemetry
  • Endpoint identity and asset inventory linking macOS hostnames, users, and device ownership
  • Approved SSID allowlist or wireless network inventory for comparison
  • Authentication failure events associated with Wi-Fi connection attempts

Detection direction

  • Confirm macOS endpoints actually retain and forward the unified log fields needed to identify SSID name, association time, authentication result, and device identity.
  • Tune detections against an authoritative list of approved SSIDs; without this, alerts for unapproved SSIDs will be noisy or incomplete.
  • Look for patterns called out by the analytic: rapid SSID switching, unapproved SSID connections, and repeated authentication failures.
  • Account for benign causes such as travel, home networks, guest Wi-Fi, office roaming, weak signal conditions, and password changes.
  • Review gaps where laptops are offline, logs are short-lived, airport telemetry is not collected, or privacy controls reduce SSID visibility.
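As an added illustration (not part of the ATT&CK object or of Glexia's analysis), the Python below sketches detection logic for the three patterns the analytic names, run over the kind of telemetry listed above: association events compared against an approved SSID allowlist, repeated authentication failures inside a time window, and rapid SSID switching between consecutive associations. The line format, hostnames, SSIDs and allowlist are constructed for the example; real unified log output from `log show` for the Wi-Fi subsystem varies by macOS version, so `parse_line()` is the piece to adapt to whatever normalized form your forwarder produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not real macOS log output). Each line is the
# normalized form this example assumes a collector emits for Wi-Fi events:
# "<ISO timestamp> <host> <event> ssid=<name> result=<ok|fail>".
SAMPLE_LINES = """\
2024-05-01T09:00:00 mbp-alice associate ssid=CorpSecure result=ok
2024-05-01T09:00:05 mbp-alice auth ssid=CorpSecure result=ok
2024-05-01T12:10:00 mbp-bob associate ssid=CoffeeShopFree result=ok
2024-05-01T13:00:00 mbp-carol auth ssid=CorpSecure result=fail
2024-05-01T13:00:04 mbp-carol auth ssid=CorpSecure result=fail
2024-05-01T13:00:09 mbp-carol auth ssid=CorpSecure result=fail
2024-05-01T14:00:00 mbp-dave associate ssid=CorpSecure result=ok
2024-05-01T14:00:20 mbp-dave associate ssid=CorpGuest result=ok
2024-05-01T14:00:40 mbp-dave associate ssid=CorpSecure result=ok
2024-05-01T14:01:00 mbp-dave associate ssid=CorpGuest result=ok
"""

APPROVED_SSIDS = {"CorpSecure", "CorpGuest"}  # constructed stand-in for the SSID inventory

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>associate|auth)\s+"
    r"ssid=(?P<ssid>\S+)\s+result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one normalized line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def parse_events(text):
    """Parse all lines, dropping unparseable ones (count those in production)."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def burst(times, threshold, window_s):
    """True if at least `threshold` timestamps fall inside some window_s-second span."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(events, approved, window_s=120, switch_threshold=3, fail_threshold=3):
    """Apply the three AN1478 patterns per host and return a list of findings."""
    findings = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    for host, evs in sorted(by_host.items()):
        assoc = [ev for ev in evs if ev["event"] == "associate" and ev["result"] == "ok"]

        # Pattern 1: association to an SSID outside the approved inventory.
        for ev in assoc:
            if ev["ssid"] not in approved:
                findings.append({"host": host, "rule": "unapproved_ssid",
                                 "ssid": ev["ssid"], "ts": ev["ts"]})

        # Pattern 2: repeated authentication failures inside the window.
        fail_times = [ev["ts"] for ev in evs
                      if ev["event"] == "auth" and ev["result"] == "fail"]
        if burst(fail_times, fail_threshold, window_s):
            findings.append({"host": host, "rule": "repeated_auth_failure",
                             "count": len(fail_times), "ts": fail_times[0]})

        # Pattern 3: rapid SSID switching, measured as SSID changes between
        # consecutive successful associations (office roaming between APs on
        # the same SSID does not count, which keeps benign roaming quiet).
        switch_times = [cur["ts"] for prev, cur in zip(assoc, assoc[1:])
                        if cur["ssid"] != prev["ssid"]]
        if burst(switch_times, switch_threshold, window_s):
            findings.append({"host": host, "rule": "rapid_ssid_switching",
                             "switches": len(switch_times), "ts": switch_times[0]})
    return findings


def run_sample():
    """Run the detector over the constructed sample and return its findings."""
    return detect(parse_events(SAMPLE_LINES), APPROVED_SSIDS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, mbp-bob is flagged for an unapproved SSID, mbp-carol for three authentication failures within nine seconds, and mbp-dave for three SSID changes within forty seconds, while mbp-alice produces nothing. The window and thresholds are the tuning knobs the detection direction above refers to; the allowlist is what makes the first pattern meaningful at all.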

Mitigation priorities

  • Maintain a current inventory of approved corporate SSIDs and expected wireless use cases for macOS endpoints.
  • Enforce wireless configuration standards where feasible, especially for managed devices that should only use approved networks.
  • Ensure endpoint logging and forwarding are configured before relying on this analytic for SOC coverage.
  • Define triage playbooks for unapproved SSID association, repeated Wi-Fi authentication failures, and unusual SSID switching.
  • Use findings to support compliance evidence around network access control and managed endpoint configuration.

Analyst notes and limits

This is a detection analytic object, not a technique description. The supplied ATT&CK fields support macOS, unified logs, airport command telemetry, unauthorized Wi-Fi association, SSID scanning, rapid SSID switching, unapproved SSIDs, and repeated authentication failures. No relationships, tactic mapping, procedure examples, or official detection logic were supplied, so local implementation depends on available macOS telemetry and an organization-specific approved SSID baseline.

The object has no supplied official detection content beyond the description, no relationship context, and no tactic assignment. This take does not infer adversary attribution, active exploitation, business impact, or coverage guarantees. Validation requires local endpoint logging, wireless policy data, and asset context.

Official MITRE ATT&CK definition

Analytic 1478

Detects unauthorized Wi-Fi associations and SSID scanning activity using unified logs and airport command telemetry. Anomalies include rapid SSID switching, connections to unapproved SSIDs, or repeated authentication failures.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: fb9471e8d7b2306c...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   fb9471e8d7b2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1478

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.