Description
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns.
Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows, the names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile "Wi-Fi name" key=clear` to show a Wi-Fi network's corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` Native API functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)
On Linux, names and passwords of all Wi-Fi networks a device has previously connected to may be available in files under `/etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi network may be identified with `security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
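The commands and paths above give a defender concrete strings to hunt for in process-creation telemetry. The following is an added detection example, not part of the ATT&CK page or any vendor rule set: it scans constructed command-line events for the Windows, macOS and Linux access patterns named in the description and raises severity when the same host first enumerates profiles and then exports a key in clear text (the two-step sequence the text describes). Event fields and sample values are assumptions.

```python
import re

# Constructed sample process-creation events (the fields Sysmon EID 1 or
# Windows 4688 command-line auditing would carry); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "cmd": "netsh wlan show profiles"},
    {"host": "WS01", "user": "alice", "cmd": 'netsh wlan show profile "CorpWiFi" key=clear'},
    {"host": "WS02", "user": "bob", "cmd": "netsh interface ip show config"},
    {"host": "WS03", "user": "svc_build", "cmd": "netsh wlan show networks mode=bssid"},
    {"host": "MAC01", "user": "carol", "cmd": "security find-generic-password -wa CorpWiFi"},
    {"host": "LNX01", "user": "root", "cmd": "cat /etc/NetworkManager/system-connections/CorpWiFi.nmconnection"},
]

# Rule name, severity and pattern; patterns follow the commands and paths
# the technique description lists. Most specific rule first.
RULES = [
    ("wifi_password_export_windows", "high",
     re.compile(r"\bnetsh\s+wlan\s+show\s+profile\b.*\bkey\s*=\s*clear\b", re.I)),
    ("wifi_password_read_macos", "high",
     re.compile(r"\bsecurity\s+find-generic-password\b.*\s-wa\b", re.I)),
    ("wifi_connection_file_read_linux", "high",
     re.compile(r"/etc/NetworkManager/system-connections/", re.I)),
    ("wifi_enumeration_windows", "medium",
     re.compile(r"\bnetsh\s+wlan\s+show\s+(profiles|networks|interfaces)\b", re.I)),
]

def match_event(cmd):
    """Return (rule, severity) for the first rule matching the command line, else None."""
    for name, severity, pattern in RULES:
        if pattern.search(cmd):
            return name, severity
    return None

def scan_events(events):
    """Flag matching events; escalate when a host enumerates profiles and later exports a key."""
    alerts, enumerated = [], set()
    for ev in events:
        hit = match_event(ev["cmd"])
        if hit is None:
            continue
        rule, severity = hit
        if rule == "wifi_enumeration_windows":
            enumerated.add(ev["host"])
        elif rule == "wifi_password_export_windows" and ev["host"] in enumerated:
            severity = "critical"  # enumerate-then-export chain on the same host
        alerts.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                       "severity": severity, "cmd": ev["cmd"]})
    return alerts
```

Feeding real telemetry through `scan_events` means mapping your EDR or Sysmon command-line field onto the `cmd` key; legitimate IT scripts that call `netsh wlan show profiles` will trip the medium rule, so tune on user and parent process before alerting.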
Platforms
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has collected names and passwords of all Wi-Fi networks to which a device has previously connecte... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has collected information on Wi-Fi networks from victim hosts leveraging `netsh wlan show profiles`... |
| S0674 | CharmPower | Malware | [CharmPower](https://attack.mitre.org/software/S0674) can use `netsh wlan show profiles` to list specific Wi-Fi profile details.(Citation: Check Point... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) uses the `netsh wlan show networks mode=bssid` and `netsh wlan show interfaces`... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) can collect names and passwords of all Wi-Fi networks to which a device has previously connecte... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to s... |
References
- Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Geeks for Geeks. (n.d.). Wi-Fi Password of All Connected Networks in Windows/Linux. Retrieved September 8, 2023.
- Hossein Jazi. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved September 8, 2023.
- Ruslana Lishchuk. (2021, March 26). How to Find a Saved Wi-Fi Password on a Mac. Retrieved September 8, 2023.
- Sergiu Gatlan. (2020, April 16). Hackers steal WiFi passwords using upgraded Agent Tesla malware. Retrieved September 8, 2023.
Frequently Asked Questions
What is T1016.002 (Wi-Fi Discovery)?
T1016.002 is a MITRE ATT&CK technique named 'Wi-Fi Discovery'. It belongs to the Discovery tactic(s). Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://a...
How can T1016.002 be detected?
Detection of T1016.002 (Wi-Fi Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1016.002?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1016.002?
Known threat groups using T1016.002 include: Magic Hound.