title: Wi-Fi Discovery (T1016.002)
id: df00tech-t1016-002
status: experimental
description: "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. On Windows, adversaries commonly use netsh wlan commands to enumerate saved Wi-Fi profiles and extract cleartext passwords. On Linux, Wi-Fi credentials may be found in /etc/NetworkManager/system-connections/. On macOS, the security command can retrieve Wi-Fi passwords. This technique is used by threat actors including Magic Hound (APT35), malware families such as Agent Tesla, CharmPower, PUBLOAD, Machete, and Emotet to support credential access, lateral movement to nearby wireless networks, and reconnaissance of the target environment."
references:
  - https://attack.mitre.org/techniques/T1016/002/
  - https://df00tech.com/detections/T1016.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1016.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Matches netsh.exe invoked with "wlan show profile(s)", which covers both profile
  # enumeration ("netsh wlan show profiles") and cleartext key extraction
  # ("netsh wlan show profile <name> key=clear"). Tune the CommandLine terms for your environment.
  selection_img:
    - Image|endswith: '\netsh.exe'
    - OriginalFileName: 'netsh.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'wlan'
      - 'show'
      - 'profile'
  condition: all of selection_*
falsepositives:
  - IT administrators running netsh wlan show profiles or netsh wlan show profile key=clear for legitimate network troubleshooting or documentation purposes
  - "Network monitoring or configuration management tools that enumerate Wi-Fi profiles as part of inventory collection (e.g., Lansweeper, PDQ Inventory, SCCM hardware inventory)"
  - Help desk or support technicians using netsh wlan commands to assist users with Wi-Fi connectivity issues
  - Automated onboarding or device provisioning scripts that query existing Wi-Fi profiles before deploying new connection configurations
level: medium
