System Network Configuration Discovery: Wi-Fi Discovery

ID Name
T1016.001 Internet Connection Discovery
T1016.002 Wi-Fi Discovery

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns.

Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows, the names and passwords of all Wi-Fi networks a device has previously connected to may be available through netsh wlan show profiles, which enumerates Wi-Fi names, followed by netsh wlan show profile "Wi-Fi name" key=clear, which shows a Wi-Fi network’s corresponding password.[1][2][3] Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to wlanAPI.dll Native API functions.[4]

On Linux, names and passwords of all Wi-Fi networks a device has previously connected to may be available in files under /etc/NetworkManager/system-connections/.[5] On macOS, the password of a known Wi-Fi network may be identified with security find-generic-password -wa wifiname (requires admin username/password).[6]

ID: T1016.002
Sub-technique of:  T1016
Tactic: Discovery
Platforms: Linux, Windows, macOS
Contributors: Alex Spivakovsky, Pentera; Christopher Peacock; Liran Ravich, CardinalOps; Uriel Kosayev
Version: 1.1
Created: 08 September 2023
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla can collect names and passwords of all Wi-Fi networks to which a device has previously connected.[7]

C0051 APT28 Nearest Neighbor Campaign

During APT28 Nearest Neighbor Campaign, APT28 collected information on wireless interfaces within range of a compromised system.[8]

S0674 CharmPower

CharmPower can use netsh wlan show profiles to list specific Wi-Fi profile details.[3]

S0367 Emotet

Emotet can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.[4]

S0409 Machete

Machete uses the netsh wlan show networks mode=bssid and netsh wlan show interfaces commands to list all nearby Wi-Fi networks and connected interfaces.[9]

G0059 Magic Hound

Magic Hound has collected names and passwords of all Wi-Fi networks to which a device has previously connected.[3]

S1228 PUBLOAD

PUBLOAD has collected information on Wi-Fi networks from victim hosts leveraging netsh wlan show profiles, netsh wlan show interface, and netsh wlan show.[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0464 Behavioral Detection of Wi-Fi Discovery Activity AN1280

Enumeration of saved Wi-Fi profiles and cleartext password retrieval using netsh wlan or API-level access to wlanAPI.dll.

AN1281

File access to NetworkManager connection configs and attempts to read PSK credentials from /etc/NetworkManager/system-connections/*.

AN1282

Use of the security command or Keychain API to extract known Wi-Fi passwords for target SSIDs.
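
The command-line side of the three analytics above, as an added example (not code from the ATT&CK page or any product). It assumes process-creation events with hypothetical host and cmdline fields, uses labels chosen here, and does not cover wlanAPI.dll or Keychain API calls; the Linux rule uses a path on the command line as a stand-in for file-access telemetry.

```python
import re

# (analytic ID from the page, label chosen for this example, pattern); first match wins.
RULES = [
    ("AN1280", "password-read", re.compile(
        r'\bnetsh(?:\.exe)?"?\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b', re.I)),
    ("AN1280", "enumeration", re.compile(
        r'\bnetsh(?:\.exe)?"?\s+wlan\s+show\s+(?:profiles?|networks|interfaces?)\b', re.I)),
    # Approximation: a path on the command line stands in for file-access telemetry.
    ("AN1281", "password-read", re.compile(
        r'/etc/NetworkManager/system-connections(?:/|\s|$)')),
    # -w prints only the password, -g prints it with the item; flags may be combined (-wa).
    ("AN1282", "password-read", re.compile(
        r'\bsecurity\s+find-generic-password\b.*\s-[A-Za-z]*[wg][A-Za-z]*(?=\s|$)')),
]

def classify(cmdline):
    """Return (analytic_id, label) for a process command line, or None."""
    for analytic, label, pattern in RULES:
        if pattern.search(cmdline):
            return analytic, label
    return None

def detect(events):
    """Return one alert dict for every event whose command line matches a rule."""
    alerts = []
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit:
            alerts.append({"host": ev["host"], "analytic": hit[0], "kind": hit[1]})
    return alerts

# Constructed process-creation events (hosts and profile names are made up).
SAMPLE_EVENTS = [
    {"host": "win-01", "cmdline": r'"C:\Windows\System32\netsh.exe" wlan show profiles'},
    {"host": "win-01", "cmdline": 'netsh  WLAN show profile name="Office" KEY=clear'},
    {"host": "win-02", "cmdline": "netsh wlan show networks mode=bssid"},
    {"host": "win-02", "cmdline": "netsh interface ip show config"},
    {"host": "lin-01", "cmdline": "grep -r psk= /etc/NetworkManager/system-connections/"},
    {"host": "mac-01", "cmdline": "security find-generic-password -wa Office"},
    {"host": "mac-01", "cmdline": "security find-generic-password -a Office"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Splitting enumeration from password-read lets the key=clear and -w cases be prioritised, since routine troubleshooting also runs the plain netsh wlan show commands.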

References