System Network Configuration Discovery: Wi-Fi Discovery

Sub-techniques of T1016 (System Network Configuration Discovery):
T1016.001  Internet Connection Discovery
T1016.002  Wi-Fi Discovery

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns.

Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows the names and passwords of all Wi-Fi networks a device has previously connected to may be available through netsh wlan show profiles to enumerate the saved profile names, followed by netsh wlan show profile "Wi-Fi name" key=clear to display that profile's password in the "Key Content" field of the output.[1][2][3] Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to wlanAPI.dll Native API functions.[4] The same library also exposes saved profiles programmatically: WlanGetAvailableNetworkList lists nearby networks, and WlanGetProfile returns a saved profile's XML, with the key unencrypted when the WLAN_PROFILE_GET_PLAINTEXT_KEY flag is passed.

On Linux, names and passwords of all Wi-Fi networks a device has previously connected to may be available in the NetworkManager keyfiles under /etc/NetworkManager/system-connections/; the SSID is in the [wifi] section and the pre-shared key is the psk= entry of the [wifi-security] section. These files are normally owned by root with mode 0600, so reading them requires root or an equivalent privilege.[5] On macOS, the password of a known Wi-Fi network may be identified with security find-generic-password -wa wifiname; because Wi-Fi passwords live in the System keychain, the command prompts for an administrator's username and password.[6]
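The Windows and Linux collection paths described above, worked through as an added example (this is not code from the ATT&CK page nor from any of the malware it cites). The two netsh transcripts and the NetworkManager keyfile are constructed samples modelled on real output in an English locale; the file name CorpNet.nmconnection and the injectable subprocess runner in collect_windows_profiles() are assumptions made so the parsing can be exercised on any OS without calling netsh.

```python
"""Parse what T1016.002 collection yields on Windows and Linux.

Added example; not code from MITRE ATT&CK or from any cited tool. The netsh
transcripts and the NetworkManager keyfile are constructed samples. The only
live call is in collect_windows_profiles(); its runner is injectable.
"""
import configparser
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed sample of `netsh wlan show profiles` (English locale).
NETSH_PROFILES_SAMPLE = """\
Profiles on interface Wi-Fi:

User profiles
-------------
    All User Profile     : CorpNet
    All User Profile     : Guest WiFi
    Current User Profile : HomeRouter
"""

# Constructed sample of `netsh wlan show profile name="CorpNet" key=clear`,
# trimmed to the sections that matter.
NETSH_PROFILE_SAMPLE = """\
Profile CorpNet on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Connectivity settings
---------------------
    SSID name              : "CorpNet"

Security settings
-----------------
    Authentication         : WPA2-Personal
    Security key           : Present
    Key Content            : Winter2023!
"""

# Constructed NetworkManager keyfile, as stored (mode 0600, root-owned)
# under /etc/NetworkManager/system-connections/.
NM_KEYFILE_SAMPLE = """\
[connection]
id=CorpNet
type=wifi

[wifi]
ssid=CorpNet

[wifi-security]
key-mgmt=wpa-psk
psk=Winter2023!
"""


def parse_netsh_profiles(text):
    """Saved profile names from `netsh wlan show profiles` output."""
    return re.findall(r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$",
                      text, re.M)


def parse_netsh_profile(text):
    """'Field : value' pairs from a `show profile ... key=clear` dump.
    The password, when present, is the 'Key Content' field."""
    fields = {}
    for m in re.finditer(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", text, re.M):
        fields[m.group(1)] = m.group(2).strip('"')
    return fields


def collect_windows_profiles(run=subprocess.run):
    """The two-step netsh procedure: list profiles, then dump each with
    key=clear. Returns {profile name: key or None}. Live use needs Windows."""
    listing = run(["netsh", "wlan", "show", "profiles"],
                  capture_output=True, text=True).stdout
    found = {}
    for name in parse_netsh_profiles(listing):
        dump = run(["netsh", "wlan", "show", "profile", f"name={name}", "key=clear"],
                   capture_output=True, text=True).stdout
        found[name] = parse_netsh_profile(dump).get("Key Content")
    return found


def parse_nm_keyfile(text):
    """ssid / key-mgmt / psk from a NetworkManager keyfile; None if not Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback=None) != "wifi":
        return None
    return {"ssid": cp.get("wifi", "ssid", fallback=None),
            "key-mgmt": cp.get("wifi-security", "key-mgmt", fallback="none"),
            "psk": cp.get("wifi-security", "psk", fallback=None)}


def collect_nm_profiles(directory="/etc/NetworkManager/system-connections"):
    """Parse every keyfile in `directory`. Without root the reads fail with
    EACCES; that is recorded per file instead of aborting the walk."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        try:
            parsed = parse_nm_keyfile(path.read_text())
        except PermissionError:
            results[path.name] = {"error": "permission denied (root required)"}
            continue
        if parsed:
            results[path.name] = parsed
    return results


def demo():
    """Run both collectors on the constructed samples, fully offline."""
    def fake_run(args, **_):  # stands in for subprocess.run on non-Windows
        out = NETSH_PROFILES_SAMPLE if args[-1] == "profiles" else NETSH_PROFILE_SAMPLE
        return subprocess.CompletedProcess(args, 0, stdout=out, stderr="")

    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "CorpNet.nmconnection").write_text(NM_KEYFILE_SAMPLE)
        linux = collect_nm_profiles(tmp)
    return {"windows": collect_windows_profiles(fake_run), "linux": linux}


if __name__ == "__main__":
    print(demo())
```

The netsh output is locale-dependent (the field labels are translated on non-English systems), which is why real tooling tends to go through WlanGetProfile rather than scraping netsh; the XML it returns keeps the same element names on every locale.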

ID: T1016.002
Sub-technique of: T1016 (System Network Configuration Discovery)
Tactic: Discovery
Platforms: Linux, Windows, macOS
Contributors: Alex Spivakovsky, Pentera; Christopher Peacock; Liran Ravich, CardinalOps; Uriel Kosayev
Version: 1.0
Created: 08 September 2023
Last Modified: 05 October 2023

Procedure Examples

S0331 Agent Tesla
Agent Tesla can collect the names and passwords of all Wi-Fi networks to which a device has previously connected.[7]

S0367 Emotet
Emotet can extract the names of all locally reachable Wi-Fi networks and then attempt to brute-force their passwords in order to spread to hosts on those networks.[4]

G0059 Magic Hound
Magic Hound has collected the names and passwords of all Wi-Fi networks to which a device has previously connected.[3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Data Source / Data Component / Detects

DS0017 Command / Command Execution
Monitor executed commands and arguments that may collect Wi-Fi information on compromised systems. On Windows this is netsh wlan show profiles and, more significantly, netsh wlan show profile ... key=clear; netsh accepts unambiguous abbreviations (netsh wl sh pro ... key=clear is the same command), so match on verb prefixes rather than exact strings, and inspect the full command line of cmd.exe and PowerShell wrappers as well as netsh.exe itself. On macOS, look for security find-generic-password with a -w flag (as in -wa). On Linux, look for commands that reference /etc/NetworkManager/system-connections/; an auditd watch on that directory (-w /etc/NetworkManager/system-connections -p r) covers reads that never show up on a command line.

DS0009 Process / OS API Execution
Monitor for API calls (such as those from wlanAPI.dll) that may gather details about locally reachable Wi-Fi networks, for example WlanGetAvailableNetworkList, and calls to WlanGetProfile with the WLAN_PROFILE_GET_PLAINTEXT_KEY flag, which returns a saved network's key in the clear.
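The Command Execution row above, turned into runnable detection logic as an added example (it is not part of the ATT&CK page). EVENTS is a constructed, simplified rendering of process-creation telemetry such as Sysmon Event ID 1, Windows 4688, auditd execve or macOS Endpoint Security exec records; its field names (host, platform, user, image, cmdline) are assumptions to adapt to your own schema. Matching is token-based so that netsh abbreviations and commands nested inside a PowerShell -c "..." wrapper are still caught.

```python
"""Command-line detection for T1016.002 over constructed process events.

Added example; not from MITRE ATT&CK. EVENTS is constructed sample telemetry
and its field names are assumptions. netsh accepts unambiguous prefixes
(netsh wl sh pro ... key=clear runs the same command), so the Windows rule
matches on verb prefixes rather than literal strings.
"""
import re

EVENTS = [  # constructed sample telemetry
    {"host": "ws01", "platform": "windows", "user": "alice",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},
    {"host": "ws01", "platform": "windows", "user": "alice",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh wlan show profile name="CorpNet" key=clear'},
    {"host": "ws02", "platform": "windows", "user": "bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -c "netsh wl sh pro name=Guest key=clear"'},
    {"host": "ws02", "platform": "windows", "user": "bob",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},
    {"host": "mac01", "platform": "macos", "user": "carol",
     "image": "/usr/bin/security",
     "cmdline": "security find-generic-password -wa CorpNet"},
    {"host": "mac01", "platform": "macos", "user": "carol",
     "image": "/usr/bin/security",
     "cmdline": "security list-keychains"},
    {"host": "lx01", "platform": "linux", "user": "root",
     "image": "/usr/bin/grep",
     "cmdline": "grep -r psk= /etc/NetworkManager/system-connections/"},
    {"host": "lx01", "platform": "linux", "user": "dave",
     "image": "/usr/bin/cat",
     "cmdline": "cat /etc/hostname"},
]


def _tokens(cmdline):
    """Lower-cased whitespace split that drops quote characters, so a command
    nested inside powershell -c "..." is still seen token by token."""
    return [t.lower() for t in re.findall(r"[^\s\"']+", cmdline)]


def _is_prefix(tok, word, min_len):
    """netsh-style abbreviation: tok is an unambiguous prefix of word."""
    return min_len <= len(tok) <= len(word) and word.startswith(tok)


def detect_netsh_wlan(tokens):
    """netsh wlan show profile[s] [...]: key=clear anywhere after it is the
    password dump and rates higher than a plain profile listing."""
    for i, tok in enumerate(tokens):
        if tok not in ("netsh", "netsh.exe") and not tok.endswith("\\netsh.exe"):
            continue
        rest = tokens[i + 1:]
        if (len(rest) >= 3 and _is_prefix(rest[0], "wlan", 2)
                and _is_prefix(rest[1], "show", 2)
                and _is_prefix(rest[2], "profiles", 1)):
            if "key=clear" in rest:
                return ("windows_wifi_password_dump", "high")
            return ("windows_wifi_profile_enum", "medium")
    return None


def classify(event):
    """(rule, severity) for one process-creation event, or None."""
    tokens = _tokens(event["cmdline"])
    hit = detect_netsh_wlan(tokens)
    if hit:
        return hit
    # macOS: find-generic-password with -w (print password), possibly
    # combined with other single-letter flags as in -wa.
    if "find-generic-password" in tokens and any(
            re.fullmatch(r"-[a-z]*w[a-z]*", t) for t in tokens):
        return ("macos_wifi_password_keychain", "high")
    # Linux: any command that names the NetworkManager secrets directory.
    if any(t.startswith("/etc/networkmanager/system-connections") for t in tokens):
        return ("linux_nm_connection_secrets", "high")
    return None


def scan(events):
    """Findings for all events, carrying host/user/cmdline for triage."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": hit[0], "severity": hit[1],
                             "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['severity']:6} {f['host']:5} {f['user']:6} {f['rule']:30} {f['cmdline']}")
```

Note the deliberate asymmetry: a bare profile listing is scored medium because administrators do run it, while key=clear, the macOS -w flag and reads of the NetworkManager directory are scored high because they expose secrets rather than names. Command-line rules do not see API-level collection through wlanAPI.dll; that needs the OS API Execution data source above.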

References