Detect Wi-Fi Networks in IBM QRadar
This detection identifies adversary activity consistent with gaining initial access via wireless network connections, including Wi-Fi network enumeration, suspicious wireless profile creation or modification, connection to new or unauthorized SSIDs, and process execution of wireless management utilities. The detection focuses on command-line wireless management tools (netsh wlan, nmcli, iwconfig, wpa_cli), Windows WLAN AutoConfig operational events, and anomalous wireless interface activity on dual-homed systems that may indicate a Nearest Neighbor-style bridging attack. Associated with APT28 operations documented in the Volexity Nearest Neighbor report, where threat actors compromised geographically proximate organizations to pivot via Wi-Fi into high-value targets.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1669 Wi-Fi Networks
- Canonical reference: https://attack.mitre.org/techniques/T1669/
QRadar Detection Query
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "username" AS AccountName,
  "CommandLine" AS CommandLine,
  "ParentProcessName" AS ParentProcess,
  "NewProcessName" AS ProcessName,
  CASE
    WHEN "CommandLine" ILIKE '%export profile%' AND "CommandLine" ILIKE '%key=clear%' THEN 'ProfileExportWithKey'
    WHEN "CommandLine" ILIKE '%add profile%' OR "CommandLine" ILIKE '%wlan connect%' THEN 'ProfileCreateOrConnect'
    WHEN "CommandLine" ILIKE '%show networks%' OR "CommandLine" ILIKE '%show profiles%' OR "CommandLine" ILIKE '%wifi list%' THEN 'WirelessEnumeration'
    ELSE 'WirelessToolExecution'
  END AS DetectionType,
  CASE
    WHEN "CommandLine" ILIKE '%key=clear%' THEN 90
    WHEN "CommandLine" ILIKE '%add profile%' OR "CommandLine" ILIKE '%wlan connect%' THEN 80
    WHEN "username" = 'SYSTEM' THEN 70
    ELSE 60
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
  AND eventid IN (4688, 1)
  AND ("CommandLine" ILIKE '%netsh wlan%'
    OR "CommandLine" ILIKE '%nmcli%'
    OR "CommandLine" ILIKE '%iwconfig%'
    OR "CommandLine" ILIKE '%wpa_cli%')
ORDER BY EventTime DESC
LAST 1 HOURS

IBM QRadar AQL detection for Wi-Fi Networks (T1669). It queries the QRadar event pipeline (Windows Security Event 4688 and Sysmon Event 1 process-creation records) for command lines invoking the wireless management utilities named above, and classifies each hit with a MITRE ATT&CK-aligned detection type and risk score. Note that an alias defined in SELECT cannot be referenced in WHERE in AQL, so risk-score thresholds are applied to the result set or repeated as an expression rather than written as "RiskScore >= 60".
False Positives & Tuning
- IT administrators using netsh wlan for legitimate network troubleshooting or configuration management of corporate laptops
- Corporate endpoint management tools (SCCM, Intune) deploying or rotating Wi-Fi profiles via scripted netsh commands during device provisioning
- Security tools and network assessment software (Nmap, Kismet host agents) performing authorized Wi-Fi surveys on designated scan hosts
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Wi-Fi Network Enumeration via netsh
Expected signal: DeviceProcessEvents: ProcessCommandLine contains 'netsh wlan show networks' with parent process cmd.exe or PowerShell. SecurityEvent 4688 if process auditing enabled. Sysmon EventID 1 with CommandLine matching netsh wlan.
- Test 2: Create and Connect to Wireless Profile on Windows
Expected signal: WLAN AutoConfig EventID 20019 (profile added) and EventID 8001 or 8002 (connect attempt). DeviceProcessEvents for netsh wlan add profile and netsh wlan connect. Temp file creation event for atomic_wifi.xml (Sysmon EventID 11).
- Test 3: Linux Wireless Network Scan and Profile Enumeration
Expected signal: Linux auditd syscall audit for execve of nmcli, iwconfig, ip, cat processes with wireless-related arguments. Syslog entries from NetworkManager for scan requests. auditd EXECVE records if auditd is configured with -a always,exit -F arch=b64 -S execve rules.
- Test 4: Export Wireless Profile with PSK (Credential Theft Simulation)
Expected signal: DeviceProcessEvents for netsh wlan export profile with key=clear parameter. Sysmon EventID 11 (file create) for XML files written to TEMP directory. Possible DeviceFileEvents for subsequent file read if contents are further processed.
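The classification and tuning logic of the AQL query above, together with the allowlisting described under False Positives & Tuning, as an added Python example run over constructed process-creation events (not telemetry from the page and not vendor code; host names, account names and the allowlists are assumptions):

```python
import re

# Constructed process-creation events (Windows 4688 / Sysmon 1 / Linux auditd EXECVE).
# Field names mirror the QRadar custom properties used by the AQL query.
EVENTS = [
    {"host": "WS-042", "username": "jdoe", "CommandLine": "netsh wlan show networks mode=bssid"},
    {"host": "WS-042", "username": "jdoe", "CommandLine": 'netsh wlan add profile filename="C:\\Temp\\atomic_wifi.xml"'},
    {"host": "WS-042", "username": "jdoe", "CommandLine": "netsh wlan export profile key=clear folder=C:\\Temp"},
    {"host": "LNX-07", "username": "svc", "CommandLine": "nmcli dev wifi list"},
    {"host": "ADMIN-01", "username": "netops", "CommandLine": "netsh wlan show interfaces"},
    {"host": "WS-042", "username": "jdoe", "CommandLine": "powershell -noprofile Get-Date"},
]

# Tuning allowlists from the false-positive notes: designated admin/scan hosts and the
# endpoint-management service account that deploys Wi-Fi profiles (assumed names).
ALLOWLIST_HOSTS = {"ADMIN-01"}
ALLOWLIST_USERS = {"sccm_svc"}

# Gate: the command line must invoke one of the wireless utilities named in the detection.
WIRELESS_TOOL = re.compile(r"\b(netsh\s+wlan|nmcli|iwconfig|wpa_cli)\b", re.I)

# Ordered like the CASE WHEN branches: the first matching rule decides type and score.
RULES = [
    (re.compile(r"export\s+profile.*key=clear", re.I), "ProfileExportWithKey", 90),
    (re.compile(r"add\s+profile|\bconnect\b|\bcon(nection)?\s+(add|up)\b", re.I), "ProfileCreateOrConnect", 80),
    (re.compile(r"show\s+(networks|profiles|interfaces)|dev(ice)?\s+wifi\s+list|\bscan\b", re.I), "WirelessEnumeration", 60),
]

def classify(event):
    """Return an alert dict for a wireless-tool invocation, or None if it is not one or is allowlisted."""
    cmd = event["CommandLine"]
    if not WIRELESS_TOOL.search(cmd):
        return None
    if event["host"] in ALLOWLIST_HOSTS or event["username"] in ALLOWLIST_USERS:
        return None  # suppressed by tuning, like an AQL building block / reference-set exclusion
    for pattern, detection_type, score in RULES:
        if pattern.search(cmd):
            return {"host": event["host"], "username": event["username"], "CommandLine": cmd,
                    "DetectionType": detection_type, "RiskScore": score}
    # ELSE branch: any other use of a wireless tool is still worth a low-severity record.
    return {"host": event["host"], "username": event["username"], "CommandLine": cmd,
            "DetectionType": "WirelessToolExecution", "RiskScore": 60}

def run(events=EVENTS, threshold=60):
    """Apply the risk threshold to the result set (AQL cannot filter on a SELECT alias in WHERE)."""
    return [alert for alert in map(classify, events) if alert and alert["RiskScore"] >= threshold]

if __name__ == "__main__":
    for alert in run():
        print(f'{alert["RiskScore"]:>3} {alert["DetectionType"]:<24} {alert["host"]} {alert["CommandLine"]}')
```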
References
- https://attack.mitre.org/techniques/T1669/
- https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wifi-networks-for-covert-access/
- https://www.justice.gov/opa/press-release/file/1098481/download
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/wifi-wlan-autoconfig-events
- https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-wlan