T1669 Wi-Fi Networks Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let WifiManagementCommands = dynamic([
    "netsh wlan connect",
    "netsh wlan add profile",
    "netsh wlan export profile",
    "netsh wlan delete profile",
    "netsh wlan show networks",
    "netsh wlan show profiles",
    "netsh wlan set profileparameter",
    "Connect-WifiNetwork",
    "Add-WifiProfile",
    "iwconfig",
    "nmcli device wifi",
    "nmcli con add type wifi",
    "wpa_cli connect",
    "wpa_cli scan"
]);
let WifiEnumCommands = dynamic([
    "netsh wlan show networks",
    "netsh wlan show profiles",
    "netsh wlan show interfaces",
    "nmcli device wifi list",
    "iwlist scan",
    "airport -s",
    "wpa_cli scan_results"
]);
union
(
    DeviceProcessEvents
    | where TimeGenerated > ago(1h)
    | where ProcessCommandLine has_any (WifiManagementCommands)
    | extend ActivityType = case(
        ProcessCommandLine has "connect", "WiFi Connection Attempt",
        ProcessCommandLine has "add profile" or ProcessCommandLine has "con add type wifi", "WiFi Profile Created",
        ProcessCommandLine has "delete profile", "WiFi Profile Deleted",
        ProcessCommandLine has "export profile", "WiFi Profile Exported",
        ProcessCommandLine has "show networks" or ProcessCommandLine has "scan", "WiFi Network Enumeration",
        "WiFi Management Activity"
    )
    | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ActivityType,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, FolderPath, ReportId
),
(
    SecurityEvent
    | where TimeGenerated > ago(1h)
    | where EventID == 4688
    | where CommandLine has_any (WifiManagementCommands)
    | extend ActivityType = case(
        CommandLine has "connect", "WiFi Connection Attempt",
        CommandLine has "add profile", "WiFi Profile Created",
        CommandLine has "show networks", "WiFi Network Enumeration",
        "WiFi Management Activity"
    )
    | project TimeGenerated, Computer, SubjectUserName, CommandLine, ActivityType,
              NewProcessName, ParentProcessName
)
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Windows Security Events

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

IT administrators using netsh wlan for legitimate network troubleshooting or configuration management of corporate laptops
Corporate endpoint management tools (SCCM, Intune) deploying or rotating Wi-Fi profiles via scripted netsh commands during device provisioning
Security tools and network assessment software (Nmap, Kismet host agents) performing authorized Wi-Fi surveys on designated scan hosts
Developers and network engineers running wireless diagnostics on test systems or lab environments
Automated onboarding scripts that connect new employee devices to corporate SSIDs using pre-staged profiles

Splunk

spl

index=* earliest=-1h
(
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (
      CommandLine="*netsh wlan connect*" OR
      CommandLine="*netsh wlan add profile*" OR
      CommandLine="*netsh wlan delete profile*" OR
      CommandLine="*netsh wlan export profile*" OR
      CommandLine="*netsh wlan show networks*" OR
      CommandLine="*netsh wlan show profiles*" OR
      CommandLine="*nmcli device wifi*" OR
      CommandLine="*nmcli con add type wifi*" OR
      CommandLine="*iwconfig*" OR
      CommandLine="*wpa_cli scan*" OR
      CommandLine="*wpa_cli connect*"
    )
  )
  OR
  (
    sourcetype="WinEventLog:Security" EventCode=4688
    (
      CommandLine="*netsh wlan connect*" OR
      CommandLine="*netsh wlan add profile*" OR
      CommandLine="*netsh wlan show networks*"
    )
  )
  OR
  (
    sourcetype="WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational"
    (EventCode=8001 OR EventCode=8002 OR EventCode=20019)
  )
)
| eval ActivityType=case(
    match(CommandLine, "(?i)connect"), "WiFi Connection Attempt",
    match(CommandLine, "(?i)add profile|con add type wifi"), "WiFi Profile Created",
    match(CommandLine, "(?i)delete profile"), "WiFi Profile Deleted",
    match(CommandLine, "(?i)export profile"), "WiFi Profile Exported",
    match(CommandLine, "(?i)show networks|scan|list"), "WiFi Network Enumeration",
    EventCode=8001, "WLAN AutoConfig: Connected",
    EventCode=8002, "WLAN AutoConfig: Failed Connection",
    EventCode=20019, "WLAN AutoConfig: Profile Added",
    true(), "WiFi Management Activity"
  )
| eval host=coalesce(Computer, host)
| eval user=coalesce(SubjectUserName, User, user)
| table _time, host, user, ActivityType, CommandLine, ParentImage, EventCode, sourcetype
| sort -_time

high severity medium confidence

Data Sources

Sysmon Windows Security Events Windows WLAN AutoConfig

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational

False Positives

IT helpdesk connecting corporate laptops to conference room or guest Wi-Fi during troubleshooting sessions
Endpoint provisioning scripts that run during device setup to configure corporate SSID profiles via netsh
Network assessment teams conducting authorized wireless audits with scanning tools
Employees connecting personal devices or hotspots that generate WLAN AutoConfig events on workstations with wireless adapters
Windows Network Location Awareness service and credential managers that silently reconnect to known profiles on resume-from-sleep

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1669*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

IT administrators using netsh wlan for legitimate network troubleshooting or configuration management of corporate laptops
Corporate endpoint management tools (SCCM, Intune) deploying or rotating Wi-Fi profiles via scripted netsh commands during device provisioning
Security tools and network assessment software (Nmap, Kismet host agents) performing authorized Wi-Fi surveys on designated scan hosts

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

IT administrators using netsh wlan for legitimate network troubleshooting or configuration management of corporate laptops
Corporate endpoint management tools (SCCM, Intune) deploying or rotating Wi-Fi profiles via scripted netsh commands during device provisioning
Security tools and network assessment software (Nmap, Kismet host agents) performing authorized Wi-Fi surveys on designated scan hosts

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

IT administrators using netsh wlan for legitimate network troubleshooting or configuration management of corporate laptops
Corporate endpoint management tools (SCCM, Intune) deploying or rotating Wi-Fi profiles via scripted netsh commands during device provisioning
Security tools and network assessment software (Nmap, Kismet host agents) performing authorized Wi-Fi surveys on designated scan hosts

Google Chronicle / SecOps

yaral

rule detection_t1669 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Wi-Fi Networks - T1669"
    severity = "HIGH"
    mitre_attack = "T1669"
    reference = "https://attack.mitre.org/techniques/T1669/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

IT administrators using netsh wlan for legitimate network troubleshooting or configuration management of corporate laptops
Corporate endpoint management tools (SCCM, Intune) deploying or rotating Wi-Fi profiles via scripted netsh commands during device provisioning
Security tools and network assessment software (Nmap, Kismet host agents) performing authorized Wi-Fi surveys on designated scan hosts

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

IT administrators using netsh wlan for legitimate network troubleshooting or configuration management of corporate laptops
Corporate endpoint management tools (SCCM, Intune) deploying or rotating Wi-Fi profiles via scripted netsh commands during device provisioning
Security tools and network assessment software (Nmap, Kismet host agents) performing authorized Wi-Fi surveys on designated scan hosts

Wi-Fi Networks

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Initial Access

Popular Detections