AN1859: Analytic 1859
Monitor login sessions for new or unexpected devices or sessions on wireless networks. Monitor application logs for new or unexpected devices or sessions on wireless networks. New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point than expected, and changes in the physical layer signal.[1][2] Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.
Analyst context for executives and security teams
This analytic matters because unexpected wireless devices, sessions, or traffic can create unmanaged paths into industrial environments and supporting operations. For leaders, the key decision is whether wireless activity is being treated as operational evidence, not just network noise: can the organization prove which devices and sessions are expected, notice rogue or distant devices, and preserve enough context to support incident response?
Executive priority
Prioritize this where wireless networks exist near or within operational environments, especially where business continuity depends on trusted connectivity and known device inventories. Executives should ask whether teams maintain an approved wireless baseline, monitor for rogue access points or unexpected sessions, and can produce audit-ready evidence showing how wireless anomalies are reviewed. This supports resilience, incident decision-making, and cyber-physical risk reduction without assuming a specific adversary or platform.
Technical view
SOC, IR, and detection teams should validate monitoring for login sessions, application logs, and network traffic related to wireless networks. The analytic highlights new or unexpected devices or sessions, irregular traffic flows, rogue access points, low signal strength, and physical-layer signal changes. Useful investigation context includes MAC or other hardware addresses, user accounts, message types, and whether observed wireless behavior differs from the normal operating baseline. No ATT&CK tactics, platforms, or relationship context were supplied, so local architecture must determine scope and priority.
Likely telemetry
- Wireless network monitoring alerts for new or unexpected devices or sessions
- Login session records associated with wireless access
- Application logs showing wireless-connected devices or sessions
- Network traffic flow records for wireless segments
- Network traffic content or metadata including hardware addresses, user accounts, and message types
Detection direction
- Validate that monitoring distinguishes approved wireless devices and sessions from new, unexpected, or irregular activity.
- Tune detection around local baselines to reduce false positives from legitimate device onboarding, maintenance activity, roaming, or signal variability.
- Correlate wireless anomalies with login sessions, application logs, and network traffic context rather than treating signal alerts in isolation.
- Confirm whether teams can identify rogue access points and unusual physical-layer changes, including low signal strength patterns noted by the ATT&CK description.
- Review blind spots where wireless telemetry is not collected, logs are not retained, MAC/user context is missing, or operational networks are monitored separately from SOC workflows.
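As an added example (not part of the MITRE object or Glexia's analysis), the following Python check applies the detection direction above to constructed wireless controller/WIDS log lines. The line format, the approved BSSID and client baseline, and the RSSI floor are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample export, one event per line (hypothetical format):
# timestamp, event type, SSID, AP BSSID, client MAC, user, RSSI in dBm.
SAMPLE_LOG = """\
2024-11-17T08:00:01Z ASSOC ssid=PLANT-OPS bssid=aa:bb:cc:00:00:01 client=10:20:30:40:50:61 user=hmi01 rssi=-52
2024-11-17T08:00:07Z BEACON ssid=PLANT-OPS bssid=aa:bb:cc:00:00:02 client=- user=- rssi=-60
2024-11-17T08:00:15Z ASSOC ssid=PLANT-OPS bssid=aa:bb:cc:00:00:01 client=de:ad:be:ef:00:01 user=- rssi=-55
2024-11-17T08:00:20Z BEACON ssid=PLANT-OPS bssid=ff:ee:dd:00:00:09 client=- user=- rssi=-48
2024-11-17T08:00:31Z ASSOC ssid=PLANT-OPS bssid=aa:bb:cc:00:00:02 client=10:20:30:40:50:61 user=hmi01 rssi=-84
2024-11-17T08:00:45Z ASSOC ssid=PLANT-OPS bssid=aa:bb:cc:00:00:01 client=10:20:30:40:50:61 user=guest rssi=-50
"""

# Approved baseline (constructed): the inventory the analytic expects teams to maintain.
APPROVED_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
APPROVED_CLIENTS = {"10:20:30:40:50:61": "hmi01"}  # client MAC -> expected account
RSSI_FLOOR_DBM = -75  # weaker than this suggests the device is farther from the AP than expected

LINE_RE = re.compile(
    r"^(\S+) (\w+) ssid=(\S+) bssid=(\S+) client=(\S+) user=(\S+) rssi=(-?\d+)$"
)


@dataclass
class Finding:
    ts: str
    kind: str
    detail: str


def analyze(log_text: str) -> list:
    """Return findings for rogue APs, unknown clients, account mismatches and low RSSI."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline should surface these
        ts, event, ssid, bssid, client, user, rssi = m.groups()
        rssi_dbm = int(rssi)
        if event == "BEACON" and bssid not in APPROVED_BSSIDS:
            findings.append(Finding(ts, "rogue_ap", f"{bssid} advertising {ssid}"))
        elif event == "ASSOC":
            if client not in APPROVED_CLIENTS:
                findings.append(Finding(ts, "unknown_client", f"{client} on {bssid}"))
            elif APPROVED_CLIENTS[client] != user:
                findings.append(Finding(ts, "user_mismatch", f"{client} as {user}"))
            if rssi_dbm < RSSI_FLOOR_DBM:
                findings.append(Finding(ts, "low_rssi", f"{client} at {rssi_dbm} dBm"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.ts, f.kind, f.detail)
```

Each finding carries the MAC, account and signal context the analytic calls out, so it can be correlated with login and application logs rather than triaged in isolation.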
Mitigation priorities
- Establish and maintain an approved inventory and baseline for wireless devices, access points, users, and expected sessions.
- Ensure wireless monitoring produces usable evidence for SOC triage and incident response, including device identifiers, account context, and traffic characteristics.
- Define response procedures for unexpected wireless sessions, rogue access points, and abnormal signal or traffic patterns.
- Integrate wireless findings into compliance evidence, asset governance, and operational risk reviews where wireless connectivity affects critical processes.
- Periodically test whether monitoring and escalation workflows detect and route unexpected wireless activity to the correct responders.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for ICS ATT&CK, external ID AN1859, focused on monitoring wireless networks for new or unexpected devices, sessions, traffic flows, rogue access points, and signal anomalies. The practical value is in validating wireless visibility and response readiness, especially where wireless connectivity could intersect with operational continuity.
No official detection field, platforms, tactics, aliases, labels, or relationship context were supplied. This take does not infer active exploitation, adversary attribution, specific technologies, or guaranteed detection coverage. Applicability depends on the organization’s actual wireless architecture, logging, baselines, and SOC/IR processes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 98ebab398ef4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved November 17, 2024.
[2] Tomko, A.; Rieser, C.; Buell, H.; Zeret, D.; Turner, W. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.
[3] mitre-attack. AN1859 (source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.