T1016.002: Wi-Fi Discovery

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns.

Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows, the names and passwords of all Wi-Fi networks a device has previously connected to may be available through netsh wlan show profiles, which enumerates Wi-Fi names, followed by netsh wlan show profile "Wi-Fi name" key=clear, which shows the corresponding network's password. Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to wlanAPI.dll Native API functions.

On Linux, the names and passwords of all Wi-Fi networks a device has previously connected to may be available in files under /etc/NetworkManager/system-connections/. On macOS, the password of a known Wi-Fi network may be identified with security find-generic-password -wa wifiname (requires admin username/password).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_discovery: PT-CR-2429: WiFi_Networks_Configuration_Discovery: Specific commands are executed on hosts running Windows OS, or files in the directory /etc/NetworkManager/system-connections/ on hosts running Linux OS are accessed, or files in the folder C:\programdata\Microsoft\Wlansvc\Profiles\Interfaces on hosts running Windows OS are accessed. This indicates attempts to get saved Wi-Fi profiles or view the password of a specific Wi-Fi point in cleartext.

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may collect Wi-Fi information on compromised systems.

ID: DS0009
Data source and component: Process: OS API Execution
Description: Monitor for API calls (such as those from wlanAPI.dll) that may gather details about locally reachable Wi-Fi networks.
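
The command and file-access conditions described on this page can be expressed as matching logic over process and file events. The following is an added example, not Positive Technologies' rule logic or code from the original page. The event tuple layout, rule names, sample hosts and the allowlist of expected reader processes are assumptions.

```python
import posixpath
import re

# Command-line patterns from the commands named on this page, most specific first.
CMD_RULES = [
    ("netsh_cleartext_key", re.compile(
        r'\bnetsh(?:\.exe)?"?\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b', re.I)),
    ("netsh_profile_enum", re.compile(
        r'\bnetsh(?:\.exe)?"?\s+wlan\s+show\s+profiles?\b', re.I)),
    # Flags any -w (print password) lookup, not only Wi-Fi keychain items.
    ("macos_keychain_password", re.compile(
        r'\bsecurity\s+find-generic-password\b.*\s-[A-Za-z]*w')),
]
LINUX_DIR = "/etc/NetworkManager/system-connections"
WIN_DIR = r"c:\programdata\microsoft\wlansvc\profiles\interfaces"
# Assumption: processes expected to read the profile stores; tune per estate.
EXPECTED_READERS = {"networkmanager", "svchost.exe"}

def match_command(cmdline):
    # Name of the first rule matching a command line, else None.
    return next((n for n, rx in CMD_RULES if rx.search(cmdline)), None)

def match_file_access(path, process):
    # Rule name when an unexpected process touches a profile store.
    if process.lower() in EXPECTED_READERS:
        return None
    if "\\" in path or path[1:2] == ":":  # Windows path: case-insensitive
        norm = path.replace("/", "\\").lower()
        hit = norm == WIN_DIR or norm.startswith(WIN_DIR + "\\")
        return "windows_profile_file_access" if hit else None
    norm = posixpath.normpath(path)  # collapses ./ and ../ segments
    hit = norm == LINUX_DIR or norm.startswith(LINUX_DIR + "/")
    return "linux_profile_file_access" if hit else None

def detect(events):
    # events: (host, kind, value, process) tuples; returns (host, rule) hits.
    hits = []
    for host, kind, value, process in events:
        rule = match_command(value) if kind == "cmd" else match_file_access(value, process)
        if rule:
            hits.append((host, rule))
    return hits

# Constructed sample events; hosts, SSID and the GUID placeholder are made up.
SAMPLE_EVENTS = [
    ("ws01", "cmd", 'netsh.exe wlan show profile "CorpWiFi" key=clear', None),
    ("lnx01", "file", "/etc/NetworkManager/./system-connections/Corp.nmconnection", "cat"),
    ("lnx01", "file", "/etc/NetworkManager/system-connections/Corp.nmconnection", "NetworkManager"),
    ("ws03", "file", r"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{GUID}\p.xml", "powershell.exe"),
]
```

Calling detect(SAMPLE_EVENTS) flags the cleartext-key command and the two unexpected file readers, and skips the NetworkManager daemon reading its own connection files.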