Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0464: Behavioral Detection of Wi-Fi Discovery Activity

DET0464 is a MITRE detection strategy for identifying behavior associated with Wi-Fi Discovery, a Discovery technique where an adversary on a compromised L...

EnterpriseDET0464Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0464 is a MITRE detection strategy for identifying behavior associated with Wi-Fi Discovery, a Discovery technique where an adversary on a compromised Linux, Windows, or macOS system may look for saved Wi-Fi network names or passwords. The business value is not just finding a single query: this activity can reveal nearby networks, credentials, and movement options that may affect remote work, branch locations, facilities, or other environments where wireless access is part of operational resilience.

Executive priority

Treat this as a coverage-validation item for endpoint visibility and incident readiness. Leaders should ask whether SOC and IR teams can see Wi-Fi discovery behavior across supported desktop and server-like endpoint populations, whether wireless credential exposure is considered in response playbooks, and whether evidence collection can support audit or post-incident decisions. Because the ATT&CK object provides no official detection logic, priority should be based on local wireless reliance, endpoint logging maturity, and the sensitivity of saved network credentials.

Technical view

This detection strategy maps to T1016.002, Wi-Fi Discovery, under Discovery, with related platforms Linux, Windows, and macOS. Detection engineering should validate behavioral analytics around processes or scripts enumerating wireless profiles, network names, wireless configuration data, or stored wireless credentials. IR teams should treat confirmed activity as context for broader Account Discovery, Remote System Discovery, or Credential Access investigation, as the related ATT&CK description notes Wi-Fi information may support those activities. Since MITRE supplies no official detection text for DET0464, teams must define and test local logic using available endpoint and identity/network context.

Likely telemetry

  • Endpoint process creation and command-line telemetry from Linux, Windows, and macOS systems where available
  • Script, shell, or interactive session activity associated with network or wireless configuration enumeration
  • File, registry, keychain, credential store, or configuration access events related to saved Wi-Fi profiles or passwords, where collected
  • EDR alerts or behavioral events for discovery activity on compromised hosts
  • Asset and user context showing whether the host normally uses or manages Wi-Fi networks

Detection direction

  • Validate that endpoint logging captures enough process and command context to distinguish normal user or administrator network troubleshooting from unusual Wi-Fi discovery behavior.
  • Tune detections around unexpected enumeration of wireless profiles or saved wireless credentials, especially by non-administrative users, uncommon parent processes, remote sessions, scripts, or recently suspicious hosts.
  • Correlate with adjacent discovery and credential-access signals rather than treating Wi-Fi discovery as a standalone high-confidence incident in every case.
  • Account for legitimate false positives from help desk troubleshooting, network administration, device onboarding, and user-driven connectivity diagnostics.
  • Identify blind spots on unmanaged endpoints, privacy-limited macOS telemetry, Linux distributions without consistent endpoint logging, and systems where credential/configuration access auditing is not enabled.

Mitigation priorities

  • Prioritize endpoint visibility and retention for process, script, and configuration-access telemetry on Linux, Windows, and macOS systems that use Wi-Fi.
  • Limit exposure of saved wireless credentials through least privilege, credential hygiene, and configuration practices appropriate to the operating system and enterprise policy.
  • Include Wi-Fi credential and network exposure checks in incident response playbooks when discovery or credential-access activity is suspected.
  • Use asset context to focus monitoring on mobile endpoints, executive devices, administrator workstations, branch systems, and environments where wireless access could affect business operations.
  • Review wireless access governance and evidence collection as part of compliance readiness where saved credentials or network access paths are in scope.
Analyst notes and limits

The supplied ATT&CK detection-strategy object is sparse: it has a name and relationship to T1016.002 but no official description, detection logic, platforms, or tactics of its own. The practical guidance above is therefore derived from the relationship to Wi-Fi Discovery and should be validated against local operating systems, endpoint controls, and wireless access practices.

No active exploitation, attribution, prevalence, specific detection rule, data source list, or guaranteed platform coverage is provided in the supplied fields. Any production detection must be tested with local telemetry, baselining, and approved administrative workflows.

Official MITRE ATT&CK definition

Behavioral Detection of Wi-Fi Discovery Activity

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1016.002 Wi-Fi Discovery Sub-technique This object detects Wi-Fi Discovery.
Relationship explorer

All related ATT&CK context

detects · Technique T1016.002: Wi-Fi Discovery Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
ea8f76df9a618050...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle ea8f76df9a61…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0464
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use