[T1016.002 ] System Network Configuration Discovery: Wi-Fi Discovery – Adversaries search compromised hosts for Wi‑Fi network names and stored credentials to expand access, move laterally, or harvest credentials for future campaigns. Detect by monitoring Wi‑Fi enumeration commands, API calls, and access to system Wi‑Fi configuration files. #WiFiDiscovery #T1016.002
Keypoints
- Adversaries enumerate stored Wi‑Fi profiles and keys using built-in OS tools like Windows netsh, macOS security, and Linux NetworkManager files.
- Wi‑Fi discovery supports credential theft, lateral movement, and remote system discovery by revealing SSIDs and passphrases.
- Detection focuses on monitoring specific commands, API calls (wlanapi.dll), and access to system network configuration paths.
- Logs to watch include process execution, command-line arguments, API call traces, and file reads of /etc/NetworkManager and Windows profile exports.
- Prevention is limited; employ detection, least privilege, credential rotation, endpoint controls, and alerting on unusual Wi‑Fi-related access.
Description:
- Like an intruder checking a house’s guestbook and spare keys, attackers search a system’s stored Wi‑Fi names and passwords to find ways in and open future doors.
- Adversaries run built-in commands or call native APIs to enumerate SSIDs and recover stored credentials from OS profile stores and configuration files, enabling credential access, network mapping, and support for further discovery or lateral movement.
Detection:
- Alert on execution of known Wi‑Fi enumeration commands, e.g., “netsh wlan show profiles” and “netsh wlan show profile * key=clear”, capturing full command-line arguments.
- Monitor process creation that invokes macOS “security find-generic-password -wa” or attempts to access keychain utilities; correlate with user context and privilege escalation events.
- Instrument API monitoring for calls to wlanapi.dll and other native Wi‑Fi APIs; log caller process, parameters, and timestamps for anomaly detection.
- Watch file access to Linux NetworkManager paths (/etc/NetworkManager/system-connections/) and Windows Wi‑Fi profile XML exports; alert on nonstandard processes reading these locations.
- Use EDR to record and flag suspicious child processes and scripts that parse or exfiltrate Wi‑Fi configuration data; block or quarantine known tooling when detected.
- Be aware of false positives from legitimate admin activity; reduce noise by baselining administrative tools, restricting who can run profile‑dump commands, and requiring approval for credential export tasks.
- Hunt examples from incidents: search historical logs for netsh profile dumps, unexpected wlanapi usage, or scripts that combine Wi‑Fi extraction with credential exfiltration; rotate impacted credentials and investigate lateral activity when found.
Tactics:
Discovery
Platforms:
Linux, Windows, macOS
Data Sources:
Command: Command Execution, Process: OS API Execution
Relationship Citations:
(Citation: Binary Defense Emotes Wi-Fi Spreader),(Citation: Nearest Neighbor Volexity),(Citation: Malwarebytes Agent Tesla April 2020),(Citation: Check Point APT35 CharmPower January 2022),