title: Wi-Fi Networks (T1669)
id: df00tech-t1669
status: experimental
description: "This detection identifies adversary activity consistent with gaining initial access via wireless network connections, including Wi-Fi network enumeration, suspicious wireless profile creation or modification, connection to new or unauthorized SSIDs, and process execution of wireless management utilities. The detection focuses on command-line wireless management tools (netsh wlan, nmcli, iwconfig, wpa_cli), Windows WLAN AutoConfig operational events, and anomalous wireless interface activity on dual-homed systems that may indicate a Nearest Neighbor-style bridging attack. Associated with APT28 operations documented in the Volexity Nearest Neighbor report, where threat actors compromised geographically proximate organizations to pivot via Wi-Fi into high-value targets."
references:
  - https://attack.mitre.org/techniques/T1669/
  - https://df00tech.com/detections/T1669
author: df00tech
date: 2026/03/20
tags:
  - attack.t1669
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators using netsh wlan for legitimate network troubleshooting or configuration management of corporate laptops
  - "Corporate endpoint management tools (SCCM, Intune) deploying or rotating Wi-Fi profiles via scripted netsh commands during device provisioning"
  - "Security tools and network assessment software (Nmap, Kismet host agents) performing authorized Wi-Fi surveys on designated scan hosts"
  - Developers and network engineers running wireless diagnostics on test systems or lab environments
  - Automated onboarding scripts that connect new employee devices to corporate SSIDs using pre-staged profiles
level: high