Enumeration of saved Wi-Fi profiles (`netsh wlan show profiles`) followed by cleartext key retrieval, either with `netsh wlan show profile name="<SSID>" key=clear` or through API-level access to wlanapi.dll (WlanGetProfile called with the WLAN_PROFILE_GET_PLAINTEXT_KEY flag, usually from PowerShell or a compiled tool). Retrieving the key normally requires local administrator rights. Log the full command line: `netsh wlan` is also used for legitimate diagnostics, and only the `key=clear` form or the API path exposes the secret.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| WiFiProfileName | Match the SSID named on the command line against the saved corporate SSIDs; this separates targeted credential theft from routine network diagnostics |
| ParentProcess | Flag anomalous parent-child pairs (e.g., Office application or script host → netsh) rather than netsh alone |
| TimeWindow | Correlate profile enumeration and a subsequent `key=clear` dump on the same host within a short window (e.g., 60 seconds) |
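The analytic above, as an added example that is not part of the original page: a small Python detector that applies the three mutable elements (SSID filter, parent-process check, enumeration-then-dump time window) to constructed Sysmon EventCode=1 and PowerShell EventCode=4104 records. The field names follow the Sysmon and PowerShell Operational schemas; the events, host names and the `ODD_PARENTS` list are hand-written assumptions, not captured telemetry.

```python
"""Added example (not from the original page): the Windows Wi-Fi credential
analytic run over constructed Sysmon EventCode=1 / PowerShell 4104 records."""
import re
from datetime import datetime, timedelta

# Profile listing (no key) vs. cleartext key dump on the netsh command line.
ENUM_RE = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+profiles?(?!.*key\s*=\s*clear)", re.I)
DUMP_RE = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+profile\b.*key\s*=\s*clear", re.I)
SSID_RE = re.compile(r'name\s*=\s*(?:"([^"]*)"|(\S+))', re.I)
# Script blocks that go to the API directly. WlanGetProfile returns the PSK
# when called with WLAN_PROFILE_GET_PLAINTEXT_KEY (0x4).
API_RE = re.compile(r"wlanapi\.dll|WlanGetProfile", re.I)
# Parents that have no business launching netsh (assumed list; tune per site).
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "mshta.exe"}
WINDOW = timedelta(seconds=60)


def classify(ev):
    """'enum' for a profile listing, 'dump' for key retrieval, else None."""
    if ev["EventCode"] == 1:
        cmd = ev.get("CommandLine", "")
        if DUMP_RE.search(cmd):
            return "dump"
        if ENUM_RE.search(cmd):
            return "enum"
    elif ev["EventCode"] == 4104 and API_RE.search(ev.get("ScriptBlockText", "")):
        return "dump"
    return None


def ssid_from(cmd):
    """SSID named by name=... on a netsh command line (quoted or bare)."""
    m = SSID_RE.search(cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events, known_ssids=frozenset()):
    """Parent-process check, enum-then-dump correlation per host within
    WINDOW, and known-SSID filter. Returns one dict per finding, in time order."""
    alerts, last_enum = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = classify(ev)
        if kind is None:
            continue
        host = ev["Computer"]
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent in ODD_PARENTS:
            alerts.append({"host": host, "rule": "odd_parent", "detail": parent})
        if kind == "enum":
            last_enum[host] = ev["time"]   # remember for the time-window check
            continue
        if ev["EventCode"] == 4104:
            alerts.append({"host": host, "rule": "wlanapi_script",
                           "detail": "WlanGetProfile in script block"})
        t0 = last_enum.get(host)
        if t0 is not None and ev["time"] - t0 <= WINDOW:
            gap = int((ev["time"] - t0).total_seconds())
            alerts.append({"host": host, "rule": "enum_then_dump", "detail": f"{gap}s"})
        ssid = ssid_from(ev.get("CommandLine", ""))
        if ssid in known_ssids:
            alerts.append({"host": host, "rule": "known_ssid", "detail": ssid})
    return alerts


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "EventCode": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c netsh wlan show profiles",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"time": T0 + timedelta(seconds=12), "EventCode": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh wlan show profile name="CorpWiFi" key=clear',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"time": T0 + timedelta(minutes=5), "EventCode": 1, "Computer": "WS02",   # helpdesk, benign
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show profiles",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"time": T0 + timedelta(minutes=7), "EventCode": 4104, "Computer": "WS03",
     "ScriptBlockText": "$r = [Wlan]::WlanGetProfile($h, $g, $name, [IntPtr]::Zero, [ref]$xml, [ref]4, [ref]0)"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, {"CorpWiFi"}):
        print(a)
```

WS02's bare `netsh wlan show profiles` produces nothing on its own; it only matters if a `key=clear` dump follows within the window, which is the point of the TimeWindow element.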
Reads of NetworkManager keyfiles under /etc/NetworkManager/system-connections/ (one `<name>.nmconnection` per profile, root-only mode 0600, with the pre-shared key stored as `psk=` in the `[wifi-security]` section), or attempts to pull the same secrets through the daemon with `nmcli --show-secrets` (`-s`). Unprivileged users cannot read the files, so a successful read comes either from NetworkManager itself or from a root/sudo session; a failed read (EACCES) by an unprivileged user is still worth recording as an attempt.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:PATH | file read |
| Process Creation (DC0032) | auditd:EXECVE | execve |

| Field | Description |
|---|---|
| FilenamePattern | Match names ending in .nmconnection under the system-connections directory, or profile names containing known SSIDs |
| UserContext | Separate expected readers (the NetworkManager daemon, root-run configuration management) from interactive root shells and from non-root attempts; auditd's auid field identifies the login user behind a sudo session |
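The Linux analytic above, as an added example that is not part of the original page: a Python script that reassembles auditd records by event serial, flags reads of `.nmconnection` files and `nmcli --show-secrets` invocations, and labels each hit with the user context the table asks for. The records are hand-written samples, not a real capture, and assume a watch rule such as `-w /etc/NetworkManager/system-connections -p r -k nm_secrets` plus execve auditing; the `nm_secrets` key name and the `EXPECTED_READERS` list are assumptions.

```python
"""Added example (not from the original page): the Linux NetworkManager
analytic run over constructed auditd records."""
import re
from collections import defaultdict

NM_DIR = "/etc/NetworkManager/system-connections/"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# Processes whose reads of the keyfiles are expected (assumed; tune per host).
EXPECTED_READERS = {"/usr/sbin/NetworkManager"}


def parse_record(line):
    """One auditd line -> dict of fields. Quoted values lose their quotes;
    unquoted keys are remembered because auditd hex-encodes argv entries
    that contain spaces or non-printables and emits them unquoted."""
    fields, unquoted = {}, set()
    for k, v in KV_RE.findall(line):
        if v.startswith('"'):
            fields[k] = v[1:-1]
        else:
            fields[k] = v
            unquoted.add(k)
    fields["_unquoted"] = unquoted
    fields["serial"] = SERIAL_RE.search(line).group(2)
    return fields


def argv_of(execve):
    """Rebuild argv from an EXECVE record, decoding hex-encoded arguments."""
    args = []
    for i in range(int(execve.get("argc", 0))):
        key = f"a{i}"
        v = execve.get(key, "")
        if key in execve["_unquoted"] and re.fullmatch(r"[0-9A-F]+", v) and len(v) % 2 == 0:
            v = bytes.fromhex(v).decode("utf-8", "replace")
        args.append(v)
    return args


def group_events(lines):
    """Group records sharing an audit serial (SYSCALL + EXECVE/PATH/...)."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            r = parse_record(line)
            events[r["serial"]].append(r)
    return events


def detect(lines):
    alerts = []
    for serial, recs in sorted(group_events(lines).items(), key=lambda kv: int(kv[0])):
        by_type = {r["type"]: r for r in recs}
        sysc = by_type.get("SYSCALL", {})
        paths = [r.get("name", "") for r in recs if r["type"] == "PATH"]
        argv = argv_of(by_type["EXECVE"]) if "EXECVE" in by_type else []
        hit = None
        if any(p.startswith(NM_DIR) and p.endswith(".nmconnection") for p in paths):
            hit = "file_read"            # FilenamePattern element
        elif any(a.startswith(NM_DIR) for a in argv):
            hit = "exec_with_path"       # e.g. cat/grep given the keyfile path
        elif argv and argv[0] == "nmcli" and ({"-s", "--show-secrets"} & set(argv)):
            hit = "nmcli_show_secrets"   # secrets via the daemon, no file read
        if hit is None:
            continue
        exe, uid = sysc.get("exe", ""), sysc.get("uid")
        if exe in EXPECTED_READERS:
            context = "daemon"                 # expected; suppress or low severity
        elif uid == "0":
            context = "privileged_read"        # root/sudo: check auid and the command
        else:
            context = "unprivileged_attempt"   # should fail with EACCES; still log it
        alerts.append({"serial": serial, "rule": hit, "context": context,
                       "auid": sysc.get("auid"), "comm": sysc.get("comm"),
                       "success": sysc.get("success"),
                       "evidence": paths if hit == "file_read" else argv})
    return alerts


# Constructed sample records (not a real capture). a4 in the last line is the
# hex encoding of "Corp WiFi", as auditd writes arguments containing spaces.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1715000000.101:4520): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2210 pid=2311 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key=(null)',
    'type=EXECVE msg=audit(1715000000.101:4520): argc=2 a0="cat" a1="/etc/NetworkManager/system-connections/CorpWiFi.nmconnection"',
    'type=PATH msg=audit(1715000000.101:4520): item=0 name="/usr/bin/cat" inode=1234 mode=0100755 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1715000000.102:4521): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2210 pid=2311 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="nm_secrets"',
    'type=PATH msg=audit(1715000000.102:4521): item=0 name="/etc/NetworkManager/system-connections/CorpWiFi.nmconnection" inode=5678 mode=0100600 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1715000020.500:4522): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2400 pid=2450 auid=1000 uid=0 gid=0 euid=0 comm="grep" exe="/usr/bin/grep" key="nm_secrets"',
    'type=PATH msg=audit(1715000020.500:4522): item=0 name="/etc/NetworkManager/system-connections/CorpWiFi.nmconnection" inode=5678 mode=0100600 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1715000030.000:4523): arch=c000003e syscall=257 success=yes exit=14 items=1 ppid=1 pid=880 auid=4294967295 uid=0 gid=0 euid=0 comm="NetworkManager" exe="/usr/sbin/NetworkManager" key="nm_secrets"',
    'type=PATH msg=audit(1715000030.000:4523): item=0 name="/etc/NetworkManager/system-connections/CorpWiFi.nmconnection" inode=5678 mode=0100600 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1715000045.250:4524): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2210 pid=2500 auid=1000 uid=1000 gid=1000 euid=1000 comm="nmcli" exe="/usr/bin/nmcli" key=(null)',
    'type=EXECVE msg=audit(1715000045.250:4524): argc=5 a0="nmcli" a1="-s" a2="connection" a3="show" a4=436F72702057694669',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LINES):
        print(a)
```

The same `cat` of the keyfile shows up twice, once as the execve (argument carries the path) and once as the denied openat; keeping both lets you see that the attempt failed (`success=no`, `exit=-13`) while the root `grep` a few seconds later succeeded under the same login user (auid 1000).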
Use of the `security` command-line tool or the Security framework Keychain API to extract a saved Wi-Fi password for a target SSID from the System keychain, where each network is stored as an "AirPort network password" item, e.g. `security find-generic-password -wa "<SSID>"`. Reading the item requires administrator authorization, so the query is accompanied by an authorization prompt or runs from an already elevated context.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process |

| Field | Description |
|---|---|
| WiFiNetworkFilter | Match sensitive SSIDs named in `security find-generic-password -wa "<SSID>"` command lines (a `-D "AirPort network password"` item-type argument narrows the match further) |
| ExecutionUser | Monitor root/admin use of keychain tooling from a terminal or script rather than from UI/system processes such as Keychain Access or System Settings |