T1669 Splunk · SPL

Detect Wi-Fi Networks in Splunk

This detection identifies adversary activity consistent with gaining initial access via wireless network connections, including Wi-Fi network enumeration, suspicious wireless profile creation or modification, connection to new or unauthorized SSIDs, and process execution of wireless management utilities. The detection focuses on command-line wireless management tools (netsh wlan, nmcli, iwconfig, wpa_cli), Windows WLAN AutoConfig operational events, and anomalous wireless interface activity on dual-homed systems that may indicate a Nearest Neighbor-style bridging attack. The technique is associated with APT28 operations documented in the Volexity Nearest Neighbor report, in which the threat actors compromised geographically proximate organizations and pivoted over Wi-Fi into high-value targets.

MITRE ATT&CK

Tactic: Initial Access
Technique: T1669 Wi-Fi Networks
Canonical reference: https://attack.mitre.org/techniques/T1669/

SPL Detection Query

index=* earliest=-1h
(
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (
      CommandLine="*netsh wlan connect*" OR
      CommandLine="*netsh wlan add profile*" OR
      CommandLine="*netsh wlan delete profile*" OR
      CommandLine="*netsh wlan export profile*" OR
      CommandLine="*netsh wlan show networks*" OR
      CommandLine="*netsh wlan show profiles*" OR
      CommandLine="*nmcli device wifi*" OR
      CommandLine="*nmcli con add type wifi*" OR
      CommandLine="*iwconfig*" OR
      CommandLine="*wpa_cli scan*" OR
      CommandLine="*wpa_cli connect*"
    )
  )
  OR
  (
    sourcetype="WinEventLog:Security" EventCode=4688
    (
      CommandLine="*netsh wlan connect*" OR
      CommandLine="*netsh wlan add profile*" OR
      CommandLine="*netsh wlan show networks*"
    )
  )
  OR
  (
    sourcetype="WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational"
    (EventCode=8001 OR EventCode=8002 OR EventCode=20019)
  )
)
| eval ActivityType=case(
    match(CommandLine, "(?i)connect"), "WiFi Connection Attempt",
    match(CommandLine, "(?i)add profile|con add type wifi"), "WiFi Profile Created",
    match(CommandLine, "(?i)delete profile"), "WiFi Profile Deleted",
    match(CommandLine, "(?i)export profile"), "WiFi Profile Exported",
    match(CommandLine, "(?i)show networks|scan|list"), "WiFi Network Enumeration",
    EventCode=8001, "WLAN AutoConfig: Connected",
    EventCode=8002, "WLAN AutoConfig: Failed Connection",
    EventCode=20019, "WLAN AutoConfig: Profile Added",
    true(), "WiFi Management Activity"
  )
| eval host=coalesce(Computer, host)
| eval user=coalesce(SubjectUserName, User, user)
| table _time, host, user, ActivityType, CommandLine, ParentImage, EventCode, sourcetype
| sort -_time
Severity: high. Confidence: medium.

Detects Wi-Fi network management activity via Sysmon process creation events, Windows Security process audit logs (4688), and Windows WLAN AutoConfig operational events (8001 connected, 8002 failed, 20019 profile added). The WLAN AutoConfig source provides direct wireless connection telemetry without relying solely on command-line patterns, offering coverage for GUI-based or API-driven wireless connections that may not generate process events.
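To make the query's semantics concrete offline, the following Python mirrors the three search stanzas and the `case()` branch order over constructed sample events. It is an added example, not part of the detection package or of Splunk; the events, hosts and user names are invented, and field names follow the SPL above.

```python
import re
# Constructed sample events (not real telemetry), shaped like the Splunk fields the SPL query reads.
SAMPLE_EVENTS = [
    {"sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": 1,
     "Computer": "WS01", "User": "CORP\\alice", "CommandLine": "netsh wlan show networks mode=bssid"},
    {"sourcetype": "WinEventLog:Security", "EventCode": 4688, "Computer": "WS01",
     "SubjectUserName": "alice", "CommandLine": "netsh wlan add profile filename=atomic_wifi.xml"},
    {"sourcetype": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational", "EventCode": 20019, "Computer": "WS01"},
    {"sourcetype": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational", "EventCode": 8001, "Computer": "WS01"},
    {"sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": 1,
     "Computer": "LNX02", "User": "bob", "CommandLine": "nmcli device wifi connect GuestNet"},
    {"sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": 1,
     "Computer": "WS01", "User": "CORP\\alice", "CommandLine": "ipconfig /all"},  # benign, filtered out
]

# Search-stanza substrings (Splunk wildcard matching on field values is case-insensitive).
SYSMON_PATTERNS = ("netsh wlan connect", "netsh wlan add profile", "netsh wlan delete profile",
                   "netsh wlan export profile", "netsh wlan show networks", "netsh wlan show profiles",
                   "nmcli device wifi", "nmcli con add type wifi", "iwconfig", "wpa_cli scan", "wpa_cli connect")
SECURITY_PATTERNS = ("netsh wlan connect", "netsh wlan add profile", "netsh wlan show networks")
WLAN_CODES = {8001: "WLAN AutoConfig: Connected", 8002: "WLAN AutoConfig: Failed Connection",
              20019: "WLAN AutoConfig: Profile Added"}
# Same branch order as the SPL case(): first regex wins, so "nmcli device wifi connect" is a connection attempt.
CASE_ORDER = [(r"(?i)connect", "WiFi Connection Attempt"),
              (r"(?i)add profile|con add type wifi", "WiFi Profile Created"),
              (r"(?i)delete profile", "WiFi Profile Deleted"),
              (r"(?i)export profile", "WiFi Profile Exported"),
              (r"(?i)show networks|scan|list", "WiFi Network Enumeration")]

def matches_search(ev):
    """Mirror the base search: sourcetype + EventCode + CommandLine filter."""
    st, code, cl = ev["sourcetype"], ev["EventCode"], ev.get("CommandLine", "").lower()
    if st.endswith("Sysmon/Operational") and code == 1:
        return any(p in cl for p in SYSMON_PATTERNS)
    if st == "WinEventLog:Security" and code == 4688:
        return any(p in cl for p in SECURITY_PATTERNS)
    return st.endswith("WLAN-AutoConfig/Operational") and code in WLAN_CODES

def activity_type(ev):
    """Mirror eval ActivityType=case(...); match() on a null CommandLine is null, so WLAN events fall through."""
    for pattern, label in CASE_ORDER:
        if ev.get("CommandLine") and re.search(pattern, ev["CommandLine"]):
            return label
    return WLAN_CODES.get(ev["EventCode"], "WiFi Management Activity")

def run_detection(events):
    # Rows the `| table ...` would show, with host/user coalesced as in the query.
    return [{"host": ev.get("Computer") or ev.get("host"), "EventCode": ev["EventCode"],
             "user": ev.get("SubjectUserName") or ev.get("User") or ev.get("user"),
             "ActivityType": activity_type(ev)} for ev in events if matches_search(ev)]
```

Running `run_detection(SAMPLE_EVENTS)` returns five rows; the `ipconfig` event is dropped by the base search and the two WLAN AutoConfig events are labelled from their EventCode because they carry no CommandLine.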

Data Sources

  • Sysmon
  • Windows Security Events
  • Windows WLAN AutoConfig

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security
  • WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational

False Positives & Tuning

  • IT helpdesk connecting corporate laptops to conference room or guest Wi-Fi during troubleshooting sessions
  • Endpoint provisioning scripts that run during device setup to configure corporate SSID profiles via netsh
  • Network assessment teams conducting authorized wireless audits with scanning tools
  • Employees connecting personal devices or hotspots that generate WLAN AutoConfig events on workstations with wireless adapters
  • Windows Network Location Awareness service and credential managers that silently reconnect to known profiles on resume-from-sleep

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Wi-Fi Network Enumeration via netsh

    Expected signal: DeviceProcessEvents: ProcessCommandLine contains 'netsh wlan show networks' with parent process cmd.exe or PowerShell. SecurityEvent 4688 if process auditing enabled. Sysmon EventID 1 with CommandLine matching netsh wlan.

  2. Test 2: Create and Connect to Wireless Profile on Windows

    Expected signal: WLAN AutoConfig EventID 20019 (profile added) and EventID 8001 or 8002 (connect attempt). DeviceProcessEvents for netsh wlan add profile and netsh wlan connect. Temp file creation event for atomic_wifi.xml (Sysmon EventID 11).

  3. Test 3: Linux Wireless Network Scan and Profile Enumeration

    Expected signal: Linux auditd syscall audit for execve of nmcli, iwconfig, ip, cat processes with wireless-related arguments. Syslog entries from NetworkManager for scan requests. auditd EXECVE records if auditd is configured with -a always,exit -F arch=b64 -S execve rules.

  4. Test 4: Export Wireless Profile with PSK (Credential Theft Simulation)

    Expected signal: DeviceProcessEvents for netsh wlan export profile with key=clear parameter. Sysmon EventID 11 (file create) for XML files written to TEMP directory. Possible DeviceFileEvents for subsequent file read if contents are further processed.
