Wireless Credential Dumping using Netsh Command

Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.

Elastic rule

[metadata]
creation_date = "2022/11/01"
integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/27"

[rule]
author = ["Elastic"]
description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh."
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Wireless Credential Dumping using Netsh Command"
references = [
    "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts",
    "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/",
]
risk_score = 73
rule_id = "2de87d72-ee0c-43e2-b975-5f0b029ac600"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Discovery",
    "Data Source: Elastic Endgame",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 (process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and
  process.args : "wlan" and process.args : "key*clear"
'''

note = """## Triage and analysis

### Investigating Wireless Credential Dumping using Netsh Command

#### Possible investigation steps

- What did the alert-local netsh command expose or export?
  - Focus: `process.command_line`, `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`.
  - Implication: escalate when `key=clear` appears with bulk profile listing, `export profile`, omitted profile name, remote `-r`, script-file `-f`, or redirection; lower concern only when one local profile display fits recognized support or recovery. A signed Microsoft binary does not clear credential exposure.

- Does the launcher, session, and user context explain why this account retrieved a wireless key on this host?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.Ext.session_info.logon_type`, `user.id`, `host.id`.
  - Implication: escalate when the parent is a shell, script host, remote-admin chain, document-spawned process, unexpected service identity, or unusual device-support user; lower concern when an interactive support shell or endpoint-management parent on the same host explains the exact command.

- Did the same launcher fan out from one display command into broader wireless-profile collection?
  - Why: attackers often enumerate profile names with `wlan show profiles`, then display or export cleartext secrets; same-launcher enumeration without `key=clear` is precursor discovery.
  - Focus: related process starts on `host.id` and `process.parent.entity_id`, using `process.executable` and `process.command_line`. $investigate_0
  - Implication: escalate when the parent also runs profile enumeration, repeated `show profile`, `export profile`, or export without `name=`; keep review local when activity stays isolated to one profile display.
  - Hint: If `process.parent.entity_id` is absent, pivot with `host.id`, `process.parent.pid`, and the alert window.

- Did the launcher or siblings stage recovered wireless material?
  - Focus: same-parent process starts on `host.id`, using `process.executable` and `process.command_line`; file events from `host.id` plus `process.entity_id` or weaker `process.pid`, reviewing `file.path`, `file.extension`, and `file.size`. $investigate_1
  - Implication: escalate when XML, redirected text, ZIP files, copied profiles, archive tools, copy utilities, cloud-sync clients, shell redirection, or script wrappers stage material for later use or transfer; missing file telemetry is unresolved, not benign. A clean file view lowers concern only when command and lineage also stay limited.

- If local evidence remains suspicious or unresolved, do related alerts change scope or urgency?
  - Focus: related alerts for `user.id`, especially credential-access, lateral-movement, staging, remote-access, or persistence findings. $investigate_2
  - Implication: broaden response when the same user or host also shows dumping, staging, remote access, or persistence; keep scope local when related alerts are absent and local evidence supports one bounded workflow.
  - Hint: If the user view is sparse or the host is shared, review alerts for the same `host.id`. $investigate_3

- Escalate when command intent, lineage, same-launcher collection, staging, file artifacts, or related alerts show bulk credential access or broader compromise; close only when binary identity, command scope, parent workflow, user-host context, and recovery records bind to one recognized support or recovery action; preserve artifacts and escalate when evidence is mixed or incomplete.

### False positive analysis

- Helpdesk, field-support, device-recovery, imaging, hardware replacement, or Wi-Fi profile migration can retrieve one saved wireless key. Confirm signed netsh identity, one local profile display or expected export in `process.command_line`, support-tooling parentage, and no bulk enumeration, archive staging, or transfer; use asset or ticket records only to corroborate that exact action, otherwise require the same executable, parent, command pattern, `user.id`, `host.id`, and quiet surrounding activity across prior alerts from this rule.
- Before creating an exception, validate recurrence of the same `process.executable`, `process.parent.executable`, `process.command_line` pattern, `user.id`, and `host.id` with the same limited scope. Avoid exceptions on `process.name`, `key=clear` alone, the host alone, or all netsh wireless activity.

### Response and remediation

- If confirmed benign, reverse any temporary containment and document which evidence matched the support or recovery workflow: command scope, binary identity, parent workflow, `user.id`, `host.id`, and absence of collection or staging. Create an exception only after the same limited pattern recurs.
- If suspicious but unconfirmed, preserve the alert record, case export, volatile process context, `process.entity_id`, `process.command_line`, `process.parent.command_line`, sibling process starts, staged artifacts when recovered, and affected `user.id` and `host.id`. Start with reversible containment such as temporary wireless or network restrictions; use host isolation only if staging, export, transfer, or broader compromise is evident.
- If confirmed malicious, isolate the endpoint or terminate the offending process through endpoint-response tooling after recording `process.entity_id`, `process.command_line`, parent context, exposed profile names, staged artifacts, and related-alert evidence. If tooling is unavailable, escalate with the preserved evidence set.
- Reset or rotate credentials exposed by the dumped wireless profile. For PSK environments, rotate the affected SSID key; for 802.1X environments, revoke or reissue affected certificates, reset cached credentials, and verify whether the exposed profile could grant broader network access.
- Before deleting artifacts, review other hosts and users for the same `process.command_line`, parent pattern, or exported profile artifacts so scoping finishes before evidence is destroyed.
- Eradicate only scripts, batch files, XML exports, archives, and persistence mechanisms found during the investigation, then remediate the initial access path that allowed the key retrieval.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.args",
    "process.pe.original_file_name",
    "process.parent.entity_id",
    "process.parent.pid",
    "process.parent.executable",
    "process.parent.command_line",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
]

[transform]

[[transform.investigate]]
label = "Process starts from the same parent"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for the alerting process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"

[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
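The following Python rendering of the rule's EQL query and of the first triage bullet is an added example, not part of the Elastic rule. It shows how the `:` operator's case-insensitive wildcard match and the `?` optional-field handling behave against constructed process-start events (a renamed binary with netsh's original file name, an uppercase Sysmon-style record with no PE metadata, and a `show profiles` precursor that must not fire), then lists which indicators from the guide push a hit toward escalation.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessStart:
    """Subset of ECS process-start fields the rule and its guide pivot on."""
    os_type: str
    event_type: str
    name: str
    args: List[str]
    command_line: str
    original_file_name: Optional[str] = None  # ?process.pe.original_file_name


def eql_like(value: str, pattern: str) -> bool:
    """EQL ':' operator: case-insensitive comparison with '*' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def any_arg(args: List[str], pattern: str) -> bool:
    """':' against an array field is true if any element matches."""
    return any(eql_like(a, pattern) for a in args)


def matches_rule(ev: ProcessStart) -> bool:
    """Python rendering of the page's EQL query; a missing optional
    original_file_name simply compares false (as with Sysmon data)."""
    if ev.os_type != "windows" or ev.event_type != "start":
        return False
    is_netsh = eql_like(ev.name, "netsh.exe") or ev.original_file_name == "netsh.exe"
    return is_netsh and any_arg(ev.args, "wlan") and any_arg(ev.args, "key*clear")


def escalation_reasons(ev: ProcessStart) -> List[str]:
    """Indicators from the guide's first Implication bullet; an empty list
    means the hit looks like a single local profile display."""
    low = [a.lower() for a in ev.args]
    reasons = []
    if not eql_like(ev.name, "netsh.exe"):
        reasons.append("renamed netsh binary")
    if "export" in low:
        reasons.append("export profile")
    if not any_arg(ev.args, "name=*"):
        reasons.append("profile name omitted (bulk display/export)")
    if "-r" in low:
        reasons.append("remote -r")
    if "-f" in low:
        reasons.append("script-file -f")
    if ">" in ev.command_line:
        reasons.append("output redirection")
    return reasons


# Constructed sample events, not real telemetry.
SAMPLES = [
    ProcessStart("windows", "start", "netsh.exe",
                 ["netsh", "wlan", "show", "profile", "name=CorpWiFi", "key=clear"],
                 'netsh wlan show profile name="CorpWiFi" key=clear', "netsh.exe"),
    ProcessStart("windows", "start", "n.exe",
                 ["n.exe", "wlan", "export", "profile", "key=clear", "folder=C:\\Users\\Public"],
                 "n.exe wlan export profile key=clear folder=C:\\Users\\Public", "netsh.exe"),
    ProcessStart("windows", "start", "netsh.exe",
                 ["netsh", "wlan", "show", "profiles"], "netsh wlan show profiles", "netsh.exe"),
    ProcessStart("windows", "start", "NETSH.EXE",  # no PE metadata in this record
                 ["NETSH.EXE", "wlan", "show", "profile", "KEY=CLEAR"],
                 "NETSH.EXE wlan show profile KEY=CLEAR > C:\\Temp\\w.txt"),
]


def triage_all(events=SAMPLES):
    """(matched, escalation reasons) per event, as an analyst console would list them."""
    return [(matches_rule(e), escalation_reasons(e) if matches_rule(e) else []) for e in events]
```

Only the third sample stays silent, matching the guide's point that `show profiles` without `key=clear` is precursor discovery to be found by pivoting on the parent rather than by this rule.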
