System Network Configuration Discovery: Wi-Fi Discovery

Other sub-techniques of System Network Configuration Discovery (2)

ID	Name
T1016.001	Internet Connection Discovery
T1016.002	Wi-Fi Discovery

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part ofAccount Discovery,Remote System Discovery, and other discovery orCredential Access activity to support both ongoing and future campaigns.

Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available throughnetsh wlan show profiles to enumerate Wi-Fi names and thennetsh wlan show profile "Wi-Fi name" key=clear to show a Wi-Fi network’s corresponding password.^[1]^[2]^[3] Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls towlanAPI.dllNative API functions.^[4]

On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under/etc/NetworkManager/system-connections/.^[5] On macOS, the password of a known Wi-Fi may be identified withsecurity find-generic-password -wa wifiname (requires admin username/password).^[6]

ID: T1016.002

Sub-technique of: T1016

ⓘ

Tactic:Discovery

ⓘ

Platforms: Linux, Windows, macOS

Contributors: Alex Spivakovsky, Pentera; Christopher Peacock; Liran Ravich, CardinalOps; Uriel Kosayev

Version: 1.1

Created: 08 September 2023

Last Modified: 24 October 2025

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S0331	Agent Tesla	Agent Tesla can collect names and passwords of all Wi-Fi networks to which a device has previously connected.^[7]
C0051	APT28 Nearest Neighbor Campaign	DuringAPT28 Nearest Neighbor Campaign,APT28 collected information on wireless interfaces within range of a compromised system.^[8]
S0674	CharmPower	CharmPower can use`netsh wlan show profiles` to list specific Wi-Fi profile details.^[3]
S0367	Emotet	Emotet can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.^[4]
S0409	Machete	Machete uses the`netsh wlan show networks mode=bssid` and`netsh wlan show interfaces` commands to list all nearby WiFi networks and connected interfaces.^[9]
G0059	Magic Hound	Magic Hound has collected names and passwords of all Wi-Fi networks to which a device has previously connected.^[3]
S1228	PUBLOAD	PUBLOAD has collected information on Wi-Fi networks from victim hosts leveraging`netsh wlan show profiles`,`netsh wlan show interface`, and`netsh wlan show`.^[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID	Name	Analytic ID	Analytic Description
DET0464	Behavioral Detection of Wi-Fi Discovery Activity	AN1280	Enumeration of saved Wi-Fi profiles and cleartext password retrieval using`netsh wlan` or API-level access to`wlanAPI.dll`.
		AN1281	File access to NetworkManager connection configs and attempts to read PSK credentials from`/etc/NetworkManager/system-connections/*`.
		AN1282	Use of the`security` command or Keychain API to extract known Wi-Fi passwords for target SSIDs.

Movatterモバイル変換

System Network Configuration Discovery: Wi-Fi Discovery

Other sub-techniques of System Network Configuration Discovery (2)

Procedure Examples

Mitigations

Detection Strategy

References