T1016.002 Wi-Fi Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let WiFiDiscoveryPatterns = dynamic([
  "wlan show profiles",
  "wlan show profile",
  "wlan show networks",
  "wlan show interfaces",
  "wlan show",
  "key=clear",
  "wlanAPI",
  "NetworkManager/system-connections",
  "find-generic-password"
]);
let WiFiExecutables = dynamic(["netsh.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "security"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Direct netsh wlan commands
    (FileName =~ "netsh.exe" and ProcessCommandLine has "wlan")
    // PowerShell or cmd calling netsh wlan
    or (ProcessCommandLine has "netsh" and ProcessCommandLine has "wlan")
    // Reading NM connection files on Linux via WSL or scripting
    or (ProcessCommandLine has "NetworkManager" and ProcessCommandLine has "system-connections")
    // macOS security command for Wi-Fi passwords
    or (ProcessCommandLine has "find-generic-password" and ProcessCommandLine has "-wa")
    // key=clear to extract plaintext Wi-Fi password
    or (ProcessCommandLine has "key=clear")
  )
| extend IsProfileEnum = ProcessCommandLine has "show profiles"
| extend IsPasswordExtract = ProcessCommandLine has "key=clear"
| extend IsNetworkScan = ProcessCommandLine has_any ("show networks", "show interfaces", "mode=bssid")
| extend IsMacOSQuery = ProcessCommandLine has "find-generic-password"
| extend IsLinuxQuery = ProcessCommandLine has "system-connections"
| extend SuspicionScore = toint(IsProfileEnum) + toint(IsPasswordExtract) + toint(IsNetworkScan) + toint(IsMacOSQuery) + toint(IsLinuxQuery)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName,
         IsProfileEnum, IsPasswordExtract, IsNetworkScan, IsMacOSQuery, IsLinuxQuery,
         SuspicionScore
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running netsh wlan show profiles or netsh wlan show profile key=clear for legitimate network troubleshooting or documentation purposes
Network monitoring or configuration management tools that enumerate Wi-Fi profiles as part of inventory collection (e.g., Lansweeper, PDQ Inventory, SCCM hardware inventory)
Help desk or support technicians using netsh wlan commands to assist users with Wi-Fi connectivity issues
Automated onboarding or device provisioning scripts that query existing Wi-Fi profiles before deploying new connection configurations

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (
    (Image="*\\netsh.exe" CommandLine="*wlan*")
    OR (CommandLine="*netsh*" CommandLine="*wlan*")
    OR (CommandLine="*key=clear*")
    OR (CommandLine="*wlan show profiles*")
    OR (CommandLine="*wlan show profile*")
    OR (CommandLine="*wlan show networks*")
    OR (CommandLine="*wlan show interfaces*")
    OR (CommandLine="*mode=bssid*")
  )
| eval IsProfileEnum=if(match(CommandLine, "wlan show profiles?"), 1, 0)
| eval IsPasswordExtract=if(match(CommandLine, "key=clear"), 1, 0)
| eval IsNetworkScan=if(match(CommandLine, "(show networks|show interfaces|mode=bssid)"), 1, 0)
| eval IsParentSuspicious=if(match(ParentImage, "(powershell|wscript|cscript|mshta|cmd)"), 1, 0)
| eval SuspicionScore=IsProfileEnum + IsPasswordExtract + IsNetworkScan + IsParentSuspicious
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsProfileEnum, IsPasswordExtract, IsNetworkScan, IsParentSuspicious, SuspicionScore
| sort - SuspicionScore, - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators running netsh wlan show profiles or netsh wlan show profile key=clear for legitimate network troubleshooting or documentation purposes
Network monitoring or configuration management tools that enumerate Wi-Fi profiles as part of inventory collection (e.g., Lansweeper, PDQ Inventory, SCCM hardware inventory)
Help desk or support technicians using netsh wlan commands to assist users with Wi-Fi connectivity issues
Automated onboarding or device provisioning scripts that query existing Wi-Fi profiles before deploying new connection configurations

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (process.name : "netsh.exe" and process.command_line : "*wlan*") or
  (process.command_line : ("*key=clear*", "*wlan show profile*", "*wlan show networks*", "*wlan show interfaces*", "*mode=bssid*", "*NetworkManager/system-connections*", "*find-generic-password*"))
)

medium severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent (endpoint integration) Winlogbeat with Sysmon module Auditbeat (Linux/macOS)

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

IT administrators running netsh wlan show profiles interactively during routine wireless network troubleshooting or SSID inventory documentation on managed endpoints
Enterprise MDM or deployment automation scripts (SCCM, Intune, Ansible) that enumerate or migrate Wi-Fi profiles as part of device provisioning or OS refresh workflows
macOS MDM solutions (Jamf, Mosyle) or IT tooling that invoke the security binary for legitimate keychain and certificate management tasks unrelated to Wi-Fi credentials

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Process CommandLine" AS CommandLine,
  "Parent Process Path" AS ParentProcess,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 352)
  AND (
    LOWER("Process CommandLine") LIKE '%netsh%wlan%'
    OR LOWER("Process CommandLine") LIKE '%key=clear%'
    OR LOWER("Process CommandLine") LIKE '%wlan show profile%'
    OR LOWER("Process CommandLine") LIKE '%wlan show networks%'
    OR LOWER("Process CommandLine") LIKE '%wlan show interfaces%'
    OR LOWER("Process CommandLine") LIKE '%mode=bssid%'
    OR LOWER("Process CommandLine") LIKE '%networkmanager/system-connections%'
    OR LOWER("Process CommandLine") LIKE '%find-generic-password%'
  )
LAST 24 HOURS

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via Universal DSM or Sysmon DSM QRadar Log Source Extension for process telemetry

Required Tables

events

False Positives

IT helpdesk staff executing netsh wlan commands manually or via remote management tools during wireless connectivity diagnostics on corporate workstations
Authorized network assessment or compliance scanning tools that enumerate saved Wi-Fi profiles as part of scheduled endpoint audits
Software deployment automation that exports and re-imports Wi-Fi profiles during OS migrations, device refresh cycles, or zero-touch provisioning workflows

Sumo Logic CSE

sql

_index=sec_record_processCreation
| where commandLine matches "*netsh*wlan*"
  OR commandLine matches "*key=clear*"
  OR commandLine matches "*wlan show profile*"
  OR commandLine matches "*wlan show networks*"
  OR commandLine matches "*wlan show interfaces*"
  OR commandLine matches "*mode=bssid*"
  OR commandLine matches "*NetworkManager*system-connections*"
  OR commandLine matches "*find-generic-password*"
| eval IsProfileEnum = if(commandLine matches "*wlan show profile*", 1, 0)
| eval IsPasswordExtract = if(commandLine matches "*key=clear*", 1, 0)
| eval IsNetworkScan = if(commandLine matches "*show networks*" OR commandLine matches "*show interfaces*" OR commandLine matches "*mode=bssid*", 1, 0)
| eval IsParentSuspicious = if(parentBaseImage matches "*(powershell*" OR parentBaseImage matches "*cmd.exe*" OR parentBaseImage matches "*wscript*" OR parentBaseImage matches "*cscript*" OR parentBaseImage matches "*mshta*", 1, 0)
| eval SuspicionScore = IsProfileEnum + IsPasswordExtract + IsNetworkScan + IsParentSuspicious
| fields _messageTime, device_hostname, user_username, baseImage, commandLine, parentBaseImage, IsProfileEnum, IsPasswordExtract, IsNetworkScan, IsParentSuspicious, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise (CSE) Windows Sysmon via Sumo Logic Installed Collector Windows Security Events (Event ID 4688) via Installed Collector Falcon Data Replicator or CrowdStrike App for Sumo Logic

Required Tables

sec_record_processCreation

False Positives

Network operations center technicians executing netsh wlan commands interactively for wireless infrastructure diagnostics or troubleshooting on corporate laptops
Endpoint management platforms (SCCM, Intune, PDQ Deploy) invoking netsh wlan as part of automated Wi-Fi profile provisioning or cleanup scripts
macOS IT administration tooling using the security command-line binary for legitimate certificate enrollment, keychain export, or password management operations

Google Chronicle / SecOps

yaral

rule wifi_discovery_t1016_002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Wi-Fi Discovery (T1016.002) via netsh wlan profile enumeration and key=clear password extraction on Windows, security binary Keychain queries on macOS, and NetworkManager credential file access on Linux"
    severity = "MEDIUM"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1016.002"
    reference = "https://attack.mitre.org/techniques/T1016/002/"
    platforms = "Windows, macOS, Linux"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `(?i)netsh\s+\S*\s*wlan`) or
      re.regex($e.target.process.command_line, `(?i)wlan\s+show\s+profiles?`) or
      re.regex($e.target.process.command_line, `(?i)wlan\s+show\s+networks?`) or
      re.regex($e.target.process.command_line, `(?i)wlan\s+show\s+interfaces?`) or
      re.regex($e.target.process.command_line, `(?i)key=clear`) or
      re.regex($e.target.process.command_line, `(?i)mode=bssid`) or
      re.regex($e.target.process.command_line, `NetworkManager/system-connections`) or
      re.regex($e.target.process.command_line, `find-generic-password`)
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle SIEM (UDM) Windows Event Logs via Chronicle Forwarder Sysmon via Chronicle Forwarder macOS Endpoint Security Framework telemetry via Chronicle Linux auditd via Chronicle Forwarder

Required Tables

UDM Events (metadata.event_type = PROCESS_LAUNCH)

False Positives

IT operations staff running netsh wlan show profiles for wireless network documentation, SSID inventory, or troubleshooting during scheduled maintenance windows
Authorized red team or penetration testing exercises that include wireless reconnaissance as explicitly defined in the rules of engagement
macOS MDM tools (Jamf Pro, Mosyle, Kandji) executing the security binary for legitimate certificate lifecycle management, keychain provisioning, or password rotation workflows

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(netsh.*wlan|wlan\s+show\s+profiles?|wlan\s+show\s+networks?|wlan\s+show\s+interfaces?|key=clear|mode=bssid|NetworkManager.*system-connections|find-generic-password)/
| IsProfileEnum := if(CommandLine = /(?i)wlan\s+show\s+profiles?/, 1, 0)
| IsPasswordExtract := if(CommandLine = /(?i)key=clear/, 1, 0)
| IsNetworkScan := if(CommandLine = /(?i)(show\s+networks?|show\s+interfaces?|mode=bssid)/, 1, 0)
| IsMacOSQuery := if(CommandLine = /find-generic-password/, 1, 0)
| IsLinuxQuery := if(CommandLine = /NetworkManager.*system-connections/, 1, 0)
| SuspicionScore := IsProfileEnum + IsPasswordExtract + IsNetworkScan + IsMacOSQuery + IsLinuxQuery
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, IsProfileEnum, IsPasswordExtract, IsNetworkScan, IsMacOSQuery, IsLinuxQuery, SuspicionScore])
| sort(SuspicionScore, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Windows, macOS, Linux) Falcon Sensor ProcessRollup2 telemetry CrowdStrike Humio / LogScale

Required Tables

ProcessRollup2

False Positives

Corporate IT scripts using netsh wlan for automated Wi-Fi profile export, backup, or migration during device refresh or OS upgrade procedures managed through endpoint tooling
Network operations center staff executing netsh wlan commands manually or via remote shells for wireless infrastructure diagnostics on corporate-managed hosts
Internal security team running wireless vulnerability assessments or Wi-Fi auditing tools on authorized systems as part of scheduled penetration testing or compliance checks

Wi-Fi Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections