DET0464 Behavioral Detection of Wi-Fi Discovery Activity
| Item | Value |
| --- | --- |
| ID | DET0464 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1016.002 (Wi-Fi Discovery)
Analytics
Windows
AN1280
Enumeration of saved Wi-Fi profiles and cleartext password retrieval using netsh wlan or API-level access to wlanAPI.dll.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| WiFiProfileName | Filter by known saved SSID names to reduce benign usage of network diagnostics |
| ParentProcess | Anomalous parent-child relationships may be used to spot abuse (e.g., Office → netsh) |
| TimeWindow | Correlate profile enumeration and password dumping within a short timeframe (e.g., 60 seconds) |
Linux
AN1281
File access to NetworkManager connection configs and attempts to read PSK credentials from /etc/NetworkManager/system-connections/*.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| FilenamePattern | Filter for filenames like *.nmconnection or profiles containing SSID names |
| UserContext | Distinguish root/admin script usage from non-privileged terminal access |
macOS
AN1282
Use of the security command or Keychain API to extract known Wi-Fi passwords for target SSIDs.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| WiFiNetworkFilter | Match suspicious SSIDs being queried via security find-generic-password -wa |
| ExecutionUser | Monitor root/admin usage of credential tools not linked to UI/system processes |