DET0726: Detection of Wireless Compromise
Analyst context for executives and security teams
DET0726 is an ATT&CK for ICS detection strategy for identifying Wireless Compromise behavior associated with technique T0860. Its business relevance is that wireless access can create an unauthorized path into operational communications, potentially bypassing expected wired-network and perimeter assumptions. Because MITRE provides no detailed detection logic, platforms, or tactics for this object, leaders should treat it as a coverage-validation prompt rather than a ready-made analytic.
Executive priority
Prioritize this as an operational resilience and cyber-physical risk question: do critical ICS environments have governed wireless use, documented exceptions, and evidence that unauthorized wireless access attempts would be noticed? This matters for incident readiness, audit evidence, and control prioritization because unmanaged or poorly monitored wireless communications can undermine segmentation and access-control investments.
Technical view
SOC, IR, and OT security teams should map this detection strategy to T0860 Wireless Compromise and validate whether the environment has telemetry for authorized and unauthorized wireless devices, wireless network associations, radio-frequency activity where applicable, and changes involving wireless-enabled devices connected to ICS networks. Since the ATT&CK object does not provide detection text or platforms, teams must derive local analytics from approved wireless architecture, asset inventory, and site-specific ICS communications patterns.
Likely telemetry
- Wireless controller or access point logs where wireless infrastructure exists
- Wireless authentication and association records
- Asset inventory showing approved wireless-capable devices in or near ICS environments
- Network monitoring for unexpected wireless-originated communications into ICS segments
- Physical/site security or RF monitoring evidence where wireless communications are part of the environment
Detection direction
- Validate whether wireless infrastructure and wireless-capable ICS-adjacent devices are inventoried and monitored.
- Compare observed wireless associations and communications against approved device, user, and site baselines.
- Tune detections to distinguish sanctioned maintenance, engineering, or operational wireless use from unknown devices or unexpected access paths.
- Review blind spots where ICS monitoring assumes wired traffic only, where wireless logs are not forwarded to the SOC, or where RF activity is not visible to network tools.
- Use the relationship to T0860 to frame detection coverage around unauthorized wireless access rather than generic Wi-Fi hygiene alone.
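One way to implement the baseline comparison described in this list, as an added example that is not part of the MITRE object or this page's source. The record fields, SSIDs, MAC addresses, sites and hours are all constructed assumptions to be replaced with the site's own approved inventory and controller log schema.

```python
from datetime import datetime

# Constructed baseline: approved wireless clients with their site, sanctioned SSIDs and hours.
APPROVED_CLIENTS = {
    "02:00:00:aa:bb:01": {"site": "plant-a", "ssids": {"OT-MAINT"}, "hours": range(6, 18)},
    "02:00:00:aa:bb:02": {"site": "plant-a", "ssids": {"OT-MAINT", "OT-HMI"}, "hours": range(0, 24)},
}
# Constructed baseline: access points (BSSIDs) allowed to serve each SSID.
APPROVED_APS = {"OT-MAINT": {"02:00:00:ef:00:01"}, "OT-HMI": {"02:00:00:ef:00:02"}}

def classify(event):
    """Return the list of baseline deviations for one association record."""
    findings = []
    ssid, bssid = event["ssid"], event["bssid"].lower()
    if bssid not in APPROVED_APS.get(ssid, set()):
        findings.append("unapproved_ap_for_ssid")  # approved SSID name served by an unknown radio
    client = APPROVED_CLIENTS.get(event["client_mac"].lower())
    if client is None:
        findings.append("unknown_client")
        return findings  # no per-client baseline to compare further
    if event["site"] != client["site"]:
        findings.append("client_at_unexpected_site")
    if ssid not in client["ssids"]:
        findings.append("client_on_unsanctioned_ssid")
    if datetime.fromisoformat(event["time"]).hour not in client["hours"]:
        findings.append("outside_sanctioned_hours")
    return findings

def review(events):
    """Map each deviating event's index to its findings; conforming events are omitted."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

# Constructed sample records, shaped like normalized controller association logs.
SAMPLE_EVENTS = [
    {"time": "2024-05-06T09:15:00", "site": "plant-a", "ssid": "OT-MAINT",
     "bssid": "02:00:00:ef:00:01", "client_mac": "02:00:00:AA:BB:01"},
    {"time": "2024-05-06T10:00:00", "site": "plant-a", "ssid": "OT-HMI",
     "bssid": "02:00:00:ef:00:02", "client_mac": "02:00:00:99:99:99"},
    {"time": "2024-05-06T23:40:00", "site": "plant-a", "ssid": "OT-MAINT",
     "bssid": "02:00:00:ef:00:01", "client_mac": "02:00:00:aa:bb:01"},
    {"time": "2024-05-06T11:30:00", "site": "plant-a", "ssid": "OT-HMI",
     "bssid": "02:00:00:EF:99:99", "client_mac": "02:00:00:aa:bb:02"},
]

if __name__ == "__main__":
    for idx, findings in review(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[idx]["time"], SAMPLE_EVENTS[idx]["client_mac"], findings)
```

MAC addresses can be changed by the client, so a match against the approved list is a baseline signal, not proof of device identity.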
Mitigation priorities
- Establish and maintain an approved inventory of wireless networks, wireless devices, and wireless-enabled ICS assets.
- Restrict wireless access paths into ICS environments according to operational need and segmentation requirements.
- Ensure wireless infrastructure logs and relevant access records are retained and available for SOC and incident response review.
- Include wireless compromise scenarios in OT incident response playbooks and site validation activities.
- Use compliance or audit evidence to show that wireless use is governed, monitored, and periodically reviewed.
Analyst notes and limits
The source object is a detection strategy in the ICS ATT&CK domain and only states that it detects T0860 Wireless Compromise. The related technique description supports focusing on unauthorized access to wireless networks, compromise of wireless devices, and use of radios or other wireless communication devices on the same frequency as a wireless network.
MITRE did not provide an official description, detection guidance, tactics, platforms, labels, or aliases for DET0726 in the supplied fields. Any concrete analytic logic, tool requirements, device types, or platform-specific coverage must be confirmed from the local ICS architecture and telemetry, not inferred from this object alone.
Detection of Wireless Compromise
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0860 | Wireless Compromise | This object detects Wireless Compromise. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e7aeaace39a4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0726
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.