**IOC 24 – Wi-Fi Compromise**
Category: Network Activity Indicator
IOC Type: Unauthorized Wireless Network Access / Rogue Device
Telemetry Origin: Wireless Access Point Logs, Wireshark Capture, Endpoint Event Logs (Optional)

**1. Attacker Analogy**
A thief watches an open window on a busy street, noticing it’s rarely secured. One day, they slip through, moving quickly and quietly. They don’t take anything obvious at first—just look around, unlock a door from the inside, and leave. Now, they have an open path for future visits. This is Wi-Fi compromise: the attacker exploits weak encryption or stolen credentials to slip onto your wireless network, where they can map, intercept, and inject with ease.

**2. IOC / Source of Telemetry (Observable and Raw Data)**
Observable Artifact:

Wi-Fi Access Point Logs: Unauthorized device MAC detected joining network (00:1A:2B:3C:4D:5E). Authentication logs show unexpected WPA2 connection from unrecognized MAC.

Packet Capture (Wireshark): Captures 4-way handshake from unknown device; multiple data frames to local subnet IPs.

Raw Sample from AP Log:

```
[2025-05-23 14:32:11] Authenticated: MAC 00:1A:2B:3C:4D:5E | SSID: CorpNet | WPA2-PSK | Signal: -45 dBm
[2025-05-23 14:32:15] Data Traffic Initiated: 00:1A:2B:3C:4D:5E | IP: 192.168.1.104
```

**3. Triage Framework Declaration**
Triage Type: Network Activity Indicator
Canonical Toolset and Required Sequence:

Nmap Scan: Identify devices on the subnet and check for unauthorized IP/MAC combinations.

Firewall Logs: Review inbound/outbound traffic to/from the suspected device for anomalies.

NetFlow Analysis: Track traffic volume and session details; identify spikes or new connections.
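The NetFlow step above ("identify spikes or new connections") and the section 5 pivot in which internal scanning trips monitoring can both be expressed as a small aggregation over flow records. The Python below is an added example, not part of the original case write-up: the flow tuples, the 192.168.1.50 workstation, the baseline set and the thresholds are all constructed; only 192.168.1.104 comes from the page's AP log sample. It summarizes each source by distinct destination hosts, distinct destination ports and (src, dst, port) tuples never seen in the baseline, which is how a horizontal or vertical sweep from a newly joined device stands out from a workstation doing its normal work.

```python
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style records: (start_time, src_ip, dst_ip, dst_port, proto, bytes).
# 192.168.1.104 is the address the AP log on this page assigns to the rogue MAC;
# 192.168.1.50 is a made-up legitimate workstation used for contrast.
FLOWS = [
    ("2025-05-23 14:33:01", "192.168.1.50", "192.168.1.20", 53, "udp", 180),
    ("2025-05-23 14:33:04", "192.168.1.50", "192.168.1.10", 445, "tcp", 42000),
]
# Rogue host touching one server on many ports, then many hosts on one port.
for i, port in enumerate([22, 80, 135, 139, 445, 3389]):
    FLOWS.append((f"2025-05-23 14:34:{i:02d}", "192.168.1.104", "192.168.1.10", port, "tcp", 60))
for i, host in enumerate(range(11, 16)):
    FLOWS.append((f"2025-05-23 14:35:{i:02d}", "192.168.1.104", f"192.168.1.{host}", 445, "tcp", 60))

# Hypothetical baseline of (src, dst, dport) tuples seen in prior weeks of flow data (constructed).
BASELINE_PAIRS = {
    ("192.168.1.50", "192.168.1.20", 53),
    ("192.168.1.50", "192.168.1.10", 445),
}


def parse_flows(records):
    """Turn raw tuples into dicts with a parsed timestamp; a collector export would be read here."""
    keys = ("ts", "src", "dst", "dport", "proto", "bytes")
    flows = [dict(zip(keys, r)) for r in records]
    for f in flows:
        f["ts"] = datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S")
    return flows


def summarize_by_source(flows):
    """Aggregate per source: distinct destinations, distinct ports, connection tuples, volume."""
    summary = defaultdict(
        lambda: {"dst_hosts": set(), "dst_ports": set(), "pairs": set(), "bytes": 0, "flows": 0}
    )
    for f in flows:
        s = summary[f["src"]]
        s["dst_hosts"].add(f["dst"])
        s["dst_ports"].add(f["dport"])
        s["pairs"].add((f["src"], f["dst"], f["dport"]))
        s["bytes"] += f["bytes"]
        s["flows"] += 1
    return summary


def flag_sources(summary, baseline_pairs, host_threshold=5, port_threshold=5):
    """Return {src: [reasons]} for sources that look like a sweep or talk to never-before-seen peers."""
    findings = {}
    for src, s in summary.items():
        reasons = []
        if len(s["dst_hosts"]) >= host_threshold:
            reasons.append(f"horizontal sweep: {len(s['dst_hosts'])} hosts")
        if len(s["dst_ports"]) >= port_threshold:
            reasons.append(f"vertical sweep: {len(s['dst_ports'])} ports")
        new_pairs = s["pairs"] - baseline_pairs
        if new_pairs:
            reasons.append(f"{len(new_pairs)} connection tuples absent from baseline")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    report = flag_sources(summarize_by_source(parse_flows(FLOWS)), BASELINE_PAIRS)
    for src, reasons in report.items():
        print(src, "->", "; ".join(reasons))
```

The thresholds are deliberately low for the toy data set; on a real network they are tuned against the per-source distribution of the baseline period, and the "absent from baseline" reason is what makes a freshly leased rogue IP stand out even when it is careful enough to stay under the sweep thresholds.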

Softened Interpretation:
This isn’t malware—it’s a foothold. The attacker slipped in with a MAC that doesn’t belong, riding the same network you trust. Logs don’t just show the device; they show a new presence looking to explore.

**4. Host Operating System Layer Mapping**
Layer 1 – Process Execution: None observed yet.
Layer 2 – Startup/Persistence: Possible rogue DHCP lease or static IP configuration.
Layer 3 – Background Services: Attacker may spoof legitimate device behavior (e.g., periodic ARP updates).
Layer 4 – Credential Management: WPA2 pre-shared key likely obtained via phishing or weak passphrase.
Layer 5 – Monitoring/Detection: No alerts from endpoint defenses; requires network-level monitoring.
Layer 6 – Network Communication: Active sessions with internal systems, DNS queries to external resolvers.

Softened Interpretation:
The host may seem silent, but the network hears it. Behind familiar IPs, there’s an uninvited guest waiting for a moment to act.

**5. Operating System Cross-Layer Interaction Pivots**
Layer 4 → Layer 1: Attacker may leverage stolen credentials to initiate local service access or exploitation.

Layer 2 → Layer 3: Network persistence (rogue DHCP) may be used to masquerade as a trusted device.

Layer 6 → Layer 5: If internal scanning occurs, it may trip monitoring defenses.

Softened Interpretation:
The attack moves from entry to persistence, waiting for opportunity. The stolen key is the start; the pivot is the play.

**6. OSI Layer Relevance**
Layer 1 – Physical: Wi-Fi radio signals

Layer 2 – Data Link: MAC authentication, ARP spoofing potential

Layer 3 – Network: IP assignments, internal routing

Layer 4 – Transport: TCP/UDP sessions to internal services

Layer 7 – Application: Potential credential harvesting, SMB, HTTP traffic

Softened Interpretation:
It starts in the air, rides the data link, climbs to transport, and might hit your apps. This isn’t a single-layer breach—it’s layered mischief.

**7. Attacker Behavior Interpretation (Narrative)**
The attacker isn’t guessing—they’re prepared. They sniffed traffic near the building, gathering SSID and handshake data. Using a precomputed dictionary, they cracked the WPA2 passphrase, gaining access as a trusted client. Once inside (projected), they blended with normal devices—sending ARP announcements, scanning internal IPs, quietly collecting information. They may wait for high-value data or inject packets to redirect sessions. Their playbook is patience, waiting for a user to let their guard down.

**8. Defender Action Summary (Narrative)**
Detection begins with access point logs: look for unfamiliar MAC addresses, signal strength inconsistencies, or devices connecting outside business hours. Validate with packet captures—Wireshark or tcpdump—to confirm handshake anomalies or unauthorized traffic. Use Nmap and NetFlow to track the rogue device’s network behavior. If an endpoint shows unexplained sessions, correlate logs. Quarantine the device, force a new WPA2 key rotation, and review password policies. Finally, check for lateral movement—has the attacker reached deeper? This isn’t just a Wi-Fi blip; it’s a full investigation. (Projected)
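The three AP-log checks named above (unfamiliar MAC, signal-strength inconsistency, off-hours connection) and the raw log format from section 2 are enough to write the first triage pass. The following Python is an added example, not code from the original write-up: the log format is the page's, and the two 00:1A:2B:3C:4D:5E lines are the page's sample, but the A4:5E:60:11:22:33 client, the KNOWN_MACS inventory, the business-hours window and the 20 dBm signal-shift threshold are constructed. It also pulls the MAC-to-IP mapping out of the "Data Traffic Initiated" line, which is the pivot into the NetFlow and Nmap steps.

```python
import re
from datetime import datetime, time

# Constructed AP log sample in the same format as the page's raw sample.
# Only the 00:1A:2B:3C:4D:5E lines come from the page; the other client is made up.
AP_LOG = """\
[2025-05-23 08:15:02] Authenticated: MAC A4:5E:60:11:22:33 | SSID: CorpNet | WPA2-PSK | Signal: -52 dBm
[2025-05-23 14:32:11] Authenticated: MAC 00:1A:2B:3C:4D:5E | SSID: CorpNet | WPA2-PSK | Signal: -45 dBm
[2025-05-23 14:32:15] Data Traffic Initiated: 00:1A:2B:3C:4D:5E | IP: 192.168.1.104
[2025-05-23 22:47:30] Authenticated: MAC A4:5E:60:11:22:33 | SSID: CorpNet | WPA2-PSK | Signal: -88 dBm
"""

# Hypothetical inventory of sanctioned wireless clients (constructed, not from the page).
KNOWN_MACS = {"A4:5E:60:11:22:33"}

# Hypothetical policy values: office hours and the signal swing that counts as inconsistent.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
SIGNAL_DELTA_DBM = 20

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
AUTH_RE = re.compile(
    rf"^\[(?P<ts>[\d\- :]+)\] Authenticated: MAC (?P<mac>{MAC}) "
    r"\| SSID: (?P<ssid>\S+) \| (?P<auth>\S+) \| Signal: (?P<rssi>-?\d+) dBm$"
)
DATA_RE = re.compile(
    rf"^\[[\d\- :]+\] Data Traffic Initiated: (?P<mac>{MAC}) \| IP: (?P<ip>[\d.]+)$"
)


def parse_auth_events(log_text):
    """Return authentication events as dicts with a parsed timestamp and integer RSSI."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "mac": m["mac"].upper(),
                "ssid": m["ssid"],
                "auth": m["auth"],
                "rssi": int(m["rssi"]),
            })
    return events


def mac_to_ip(log_text):
    """Map each MAC to the IP the AP reported for it: the pivot into NetFlow and Nmap results."""
    return {m["mac"].upper(): m["ip"] for m in map(DATA_RE.match, log_text.splitlines()) if m}


def triage_auth_events(events, known_macs, baseline_rssi=None):
    """Return (mac, timestamp, reason) findings for unrecognized MACs, off-hours joins
    and signal levels that shift sharply from the MAC's baseline.

    baseline_rssi is a hypothetical per-MAC typical signal level learned from prior days;
    when a MAC has none, its first observation becomes the baseline.
    """
    baseline = dict(baseline_rssi or {})
    start, end = BUSINESS_HOURS
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        mac = ev["mac"]
        if mac not in known_macs:
            findings.append((mac, ev["ts"], "unrecognized MAC"))
        if not start <= ev["ts"].time() <= end:
            findings.append((mac, ev["ts"], "outside business hours"))
        if mac in baseline and abs(ev["rssi"] - baseline[mac]) > SIGNAL_DELTA_DBM:
            findings.append((mac, ev["ts"], f"signal shift {baseline[mac]} -> {ev['rssi']} dBm"))
        baseline.setdefault(mac, ev["rssi"])
    return findings


if __name__ == "__main__":
    ips = mac_to_ip(AP_LOG)
    for mac, ts, reason in triage_auth_events(parse_auth_events(AP_LOG), KNOWN_MACS):
        print(f"{ts} {mac} ({ips.get(mac, 'no IP yet')}): {reason}")
```

Run against the sample, the rogue MAC is flagged purely on inventory, while the known client's late-evening join at a much weaker signal produces two further findings; the signal check is what catches a spoofed MAC appearing from a different physical position than the device it impersonates.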

**9. Attacker Strategy Notes (Narrative)**
The attacker bets on convenience: an unsecured SSID, a weak passphrase, or stolen credentials. They know networks often trust MACs once authenticated. By lurking in the background, they gather system maps, ARP tables, and target services. It’s not just about bandwidth—it’s access, visibility, and eventual control. Their patience is their power.

**10. Who’s Who – Object Role Clarification**

| Object | Role |
| --- | --- |
| 00:1A:2B:3C:4D:5E | Attacker’s MAC address |
| WPA2-PSK | Wireless encryption method |
| AP Logs | Authentication and traffic records |
| NetFlow | Session tracking and volume data |

**11. Conclusion / README**

This IOC case revolves around a Wi-Fi compromise, where an attacker leveraged weak network defenses to gain unauthorized access. The initial detection came from AP logs identifying an unrecognized MAC address joining the network, accompanied by a suspicious WPA2 authentication event. Further analysis of packet captures revealed the four-way handshake with multiple data frames directed at internal IPs, indicating the attacker wasn’t merely probing—they had established a foothold.

The triage path began with network-focused indicators—logs, packet captures, and NetFlow—but hints of credential compromise and rogue device behavior suggested possible escalation. While we focused on network indicators to maintain scope, the attacker’s behavior highlights the blurred lines between network and host compromises, where a device masquerading as legitimate can blend into daily operations.

For defenders, the path to mitigation involves robust monitoring of access points, immediate correlation with NetFlow and endpoint logs, and proactive WPA2 key rotation to cut off unauthorized access. The significance of this case lies in its illustration of how a seemingly minor Wi-Fi intrusion can evolve into a network reconnaissance platform, potentially leading to data exfiltration or lateral compromise.

Ultimately, this IOC underscores the necessity of vigilant wireless network monitoring, layered defenses, and a readiness to pivot investigations across host and network vectors as evidence emerges. A compromise doesn’t always announce itself loudly—it often begins as a subtle intrusion, only recognized by a keen eye connecting the dots.
