Detect Wi-Fi Discovery in Microsoft Sentinel
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. On Windows, adversaries commonly use netsh wlan commands to enumerate saved Wi-Fi profiles and extract cleartext passwords. On Linux, Wi-Fi credentials may be found in /etc/NetworkManager/system-connections/. On macOS, the security command can retrieve Wi-Fi passwords. This technique is used by threat actors including Magic Hound (APT35), malware families such as Agent Tesla, CharmPower, PUBLOAD, Machete, and Emotet to support credential access, lateral movement to nearby wireless networks, and reconnaissance of the target environment.
MITRE ATT&CK
- Tactic
- Discovery
- Sub-technique
- T1016.002 Wi-Fi Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1016/002/
KQL Detection Query
let WiFiDiscoveryPatterns = dynamic([
"wlan show profiles",
"wlan show profile",
"wlan show networks",
"wlan show interfaces",
"wlan show",
"key=clear",
"wlanAPI",
"NetworkManager/system-connections",
"find-generic-password"
]);
let WiFiExecutables = dynamic(["netsh.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "security"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
// Direct netsh wlan commands
(FileName =~ "netsh.exe" and ProcessCommandLine has "wlan")
// PowerShell or cmd calling netsh wlan
or (ProcessCommandLine has "netsh" and ProcessCommandLine has "wlan")
// Reading NM connection files on Linux via WSL or scripting
or (ProcessCommandLine has "NetworkManager" and ProcessCommandLine has "system-connections")
// macOS security command for Wi-Fi passwords
or (ProcessCommandLine has "find-generic-password" and ProcessCommandLine has "-wa")
// key=clear to extract plaintext Wi-Fi password
or (ProcessCommandLine has "key=clear")
)
| extend IsProfileEnum = ProcessCommandLine has "show profiles"
| extend IsPasswordExtract = ProcessCommandLine has "key=clear"
| extend IsNetworkScan = ProcessCommandLine has_any ("show networks", "show interfaces", "mode=bssid")
| extend IsMacOSQuery = ProcessCommandLine has "find-generic-password"
| extend IsLinuxQuery = ProcessCommandLine has "system-connections"
| extend SuspicionScore = toint(IsProfileEnum) + toint(IsPasswordExtract) + toint(IsNetworkScan) + toint(IsMacOSQuery) + toint(IsLinuxQuery)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName,
IsProfileEnum, IsPasswordExtract, IsNetworkScan, IsMacOSQuery, IsLinuxQuery,
SuspicionScore
| sort by Timestamp descDetects Wi-Fi discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies netsh wlan command usage (profile enumeration, password extraction with key=clear, network scanning with mode=bssid), Linux NetworkManager credential file access, and macOS security find-generic-password queries. Flags and scores multiple indicators to prioritize high-confidence events. Captures both direct netsh.exe invocations and parent processes (e.g., PowerShell, cmd.exe) calling netsh with wlan parameters.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running netsh wlan show profiles or netsh wlan show profile key=clear for legitimate network troubleshooting or documentation purposes
- Network monitoring or configuration management tools that enumerate Wi-Fi profiles as part of inventory collection (e.g., Lansweeper, PDQ Inventory, SCCM hardware inventory)
- Help desk or support technicians using netsh wlan commands to assist users with Wi-Fi connectivity issues
- Automated onboarding or device provisioning scripts that query existing Wi-Fi profiles before deploying new connection configurations
Other platforms for T1016.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate All Saved Wi-Fi Profiles
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'wlan show profiles'. Security Event ID 4688 (if command line auditing enabled). Parent process will be the shell used to run the command (e.g., cmd.exe, powershell.exe).
- Test 2Extract Wi-Fi Password in Cleartext
Expected signal: Sysmon Event ID 1: Two Process Create events — first for 'wlan show profiles', second with CommandLine containing 'wlan show profile' and 'key=clear'. Security Event ID 4688 for both executions. The second command is the highest-fidelity indicator.
- Test 3Scan Nearby Wi-Fi Networks via netsh
Expected signal: Sysmon Event ID 1: Two Process Create events with Image=netsh.exe, first CommandLine containing 'wlan show networks mode=bssid', second containing 'wlan show interfaces'. Security Event ID 4688 for both. Output shows currently visible wireless access points.
- Test 4Wi-Fi Discovery via PowerShell Invoking netsh
Expected signal: Sysmon Event ID 1: PowerShell process create, plus multiple netsh.exe child process creates with wlan arguments. Sysmon Event ID 11: File creation event for wifi_recon.txt in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 captures the full script. Parent-child relationship (powershell.exe → netsh.exe) is the key indicator.
- Test 5Linux Wi-Fi Credential File Enumeration
Expected signal: Auditd syscall events for open/read of files under /etc/NetworkManager/system-connections/. Syslog entries for sudo usage. Process execution logs showing ls, grep, cat commands with /etc/NetworkManager/system-connections/ path arguments. On systems with auditd rule '-w /etc/NetworkManager/system-connections/ -p rwa -k wifi_cred_access', generates AUDIT_WATCH events.
References (11)
- https://attack.mitre.org/techniques/T1016/002/
- https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/
- https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
- https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials
- https://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/
- https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/
- https://www.trendmicro.com/en_us/research/24/i/mustang-panda.html
- https://www.geeksforgeeks.org/wi-fi-password-connected-networks-windowslinux/
- https://mackeeper.com/blog/find-wi-fi-password-on-mac/
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016.002/T1016.002.md
Unlock Pro Content
Get the full detection package for T1016.002 including response playbook, investigation guide, and atomic red team tests.