DET0709: Detection of Wi-Fi Discovery
Analyst context for executives and security teams
DET0709 is a mobile ATT&CK detection strategy for Wi‑Fi Discovery, a behavior where an adversary on a compromised mobile system may look for Wi‑Fi network names or passwords. The business significance is that Wi‑Fi details can connect a mobile compromise to broader enterprise access, credential exposure, office location context, or future intrusion planning. Because the official detection strategy has no provided detection text, organizations should treat this as a coverage-validation prompt rather than a ready-made analytic.
Executive priority
Security leaders should ask whether mobile security, identity, and SOC programs can show evidence of attempts to access Wi‑Fi configuration or saved network information on Android and iOS devices. This matters for incident scoping and resilience: exposed Wi‑Fi information may affect corporate network access decisions, credential handling, and response actions for lost, compromised, or high-risk mobile devices. Priority should be driven by where mobile devices connect to sensitive networks and whether mobile telemetry is available to support audit and incident response evidence.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the related mobile technique T1422.002, Wi‑Fi Discovery, on Android and iOS. Since ATT&CK provides no official detection logic for DET0709, teams should map local mobile telemetry to evidence of applications, processes, profiles, or system services accessing Wi‑Fi network names, saved Wi‑Fi configuration, or Wi‑Fi credentials where the operating system and management controls expose that information. IR playbooks should include checks for whether Wi‑Fi information was accessed as part of broader Discovery or Credential Access activity on a compromised mobile device.
Likely telemetry
- Mobile device management or enterprise mobility management inventory and compliance records
- Mobile threat defense alerts or behavioral events, where deployed
- Android and iOS device security logs available to the organization
- Application permission, profile, or configuration-change records related to Wi‑Fi access
- Network association history or managed Wi‑Fi profile evidence
Detection direction
- Confirm whether the organization actually collects mobile telemetry capable of showing access to Wi‑Fi network names, saved configurations, or credentials; many environments will not have this by default.
- Tune detections around unusual or unauthorized access to Wi‑Fi-related data, especially by apps or components that do not have a clear business need.
- Correlate Wi‑Fi Discovery indicators with other mobile Discovery or Credential Access evidence before escalating severity, because benign device management, troubleshooting, or network onboarding activity may look similar.
- Separate Android and iOS validation because platform visibility and permission models differ, and the detection strategy itself does not specify platform-level analytics.
- Use the relationship to T1422.002 as the primary analytic anchor; the DET0709 object does not include official detection text, tactics, or platform fields.
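The allowlist-and-correlate triage described in the bullets above, as an added example for Android only; it is not part of the ATT&CK object or of any vendor's export format. The record fields, package names, allowlist and tactic labels are constructed assumptions, while the three permission strings are real Android manifest permissions.

```python
# Added example: triage a constructed MDM app inventory for Wi-Fi data exposure.
# Holding a permission is not proof of Wi-Fi Discovery; it only marks where to look.

# Real Android manifest permissions that gate Wi-Fi state and nearby Wi-Fi devices.
WIFI_PERMISSIONS = frozenset({
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.NEARBY_WIFI_DEVICES",
})
# Tactics whose presence on the same device justifies escalation.
CORRELATED_TACTICS = frozenset({"discovery", "credential-access"})
# Hypothetical allowlist: packages with a documented business need for Wi-Fi data.
BUSINESS_NEED = frozenset({"com.example.mdm.agent", "com.example.wifi.onboarding"})

# Constructed sample data; field names are assumptions, not a real MDM/MTD schema.
INVENTORY = [
    {"device_id": "android-001", "package": "com.example.mdm.agent",
     "permissions": ["android.permission.ACCESS_WIFI_STATE",
                     "android.permission.CHANGE_WIFI_STATE"]},
    {"device_id": "android-001", "package": "com.example.flashlight",
     "permissions": ["android.permission.ACCESS_WIFI_STATE",
                     "android.permission.CAMERA"]},
    {"device_id": "android-002", "package": "com.example.notes",
     "permissions": ["android.permission.NEARBY_WIFI_DEVICES"]},
    {"device_id": "android-002", "package": "com.example.calc", "permissions": []},
]
MTD_EVENTS = [
    {"device_id": "android-001", "tactic": "credential-access"},
    {"device_id": "android-002", "tactic": "collection"},
]

def triage(inventory, events, allowlist=BUSINESS_NEED):
    """Return one finding per non-allowlisted app that holds a Wi-Fi permission."""
    correlated = {e["device_id"] for e in events if e["tactic"] in CORRELATED_TACTICS}
    findings = []
    for app in inventory:
        held = sorted(WIFI_PERMISSIONS.intersection(app["permissions"]))
        if not held or app["package"] in allowlist:
            continue  # no Wi-Fi access, or access with a documented business need
        findings.append({
            "device_id": app["device_id"],
            "package": app["package"],
            "wifi_permissions": held,
            # Escalate only when other Discovery/Credential Access evidence exists.
            "severity": "escalate" if app["device_id"] in correlated else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(INVENTORY, MTD_EVENTS):
        print(finding)
```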
Mitigation priorities
- Prioritize mobile device management controls that limit unmanaged access to corporate Wi‑Fi profiles and enforce configuration baselines.
- Review which apps and device profiles can access Wi‑Fi-related information, and remove unnecessary permissions or configurations where feasible.
- Protect corporate Wi‑Fi credentials and rotate or revoke access when mobile compromise is confirmed or cannot be ruled out.
- Ensure incident response procedures include mobile device containment, Wi‑Fi access review, and credential/network exposure assessment.
- Document available mobile telemetry and control evidence for compliance and audit readiness, especially for environments relying on mobile access to enterprise networks.
Analyst notes and limits
This take is based on ATT&CK detection strategy DET0709 and its relationship to technique T1422.002, Wi‑Fi Discovery, in the mobile domain. The relationship describes adversaries searching for Wi‑Fi network names and passwords on compromised systems to support Discovery or Credential Access activity. The most important defensive value is validating whether the organization can observe and respond to this behavior on Android and iOS devices.
The supplied DET0709 object has no official description, no official detection text, no specified platforms, and no specified tactics. Platform context comes only from the related technique, which lists Android and iOS. Local mobile telemetry, OS version, management tooling, privacy constraints, and forensic access will determine what can actually be detected or proven.
Detection of Wi-Fi Discovery
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1422.002 | Wi-Fi Discovery (sub-technique) | This object detects Wi-Fi Discovery. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b510efbb6484… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.