Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through
netsh wlan show profilesto enumerate Wi-Fi names and thennetsh wlan show profile “Wi-Fi name” key=clearto show a Wi-Fi network’s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls towlanAPI.dllNative API functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under
/etc/NetworkManager/system-connections/.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified withsecurity find-generic-password -wa wifiname(requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).
Supported Platforms: Windows
auto_generated_guid: 53cf1903-0fa7-4177-ab14-f358ae809eec
netsh wlan show profile * key=clear