Harvesting Of Wifi Credentials Via Netsh.EXE
Detect the harvesting of wifi credentials using netsh.exe
Sigma rule

```yaml
title: Harvesting Of Wifi Credentials Via Netsh.EXE
id: 42b1a5b8-353f-4f10-b256-39de4467faff
status: test
description: Detect the harvesting of wifi credentials using netsh.exe
references:
    - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
author: Andreas Hunkeler (@Karneades), oscd.community
date: 2020-04-20
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'wlan'
            - ' s'
            - ' p'
            - ' k'
            - '=clear'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
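How the rule's selections combine, as an added example that is not part of the Sigma rule or its repository: the Python below re-implements the detection block by hand and runs it over constructed process-creation events. The event values, the profile name CorpWifi and the helper names are assumptions made for illustration; only the field names and match tokens come from the rule.

```python
# Added example: the rule's detection logic applied to constructed events.
CLI_TOKENS = ("wlan", " s", " p", " k", "=clear")  # from selection_cli


def selection_img(event):
    # A list of maps is an OR in Sigma: match on the image path, or on the PE
    # OriginalFileName, which still reads netsh.exe if the binary is renamed.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\netsh.exe") or original == "netsh.exe"


def selection_cli(event):
    # contains|all: every token must occur in the command line.
    # Sigma string matching is case-insensitive by default.
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in CLI_TOKENS)


def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


def ev(name, image, original, cmd):
    # Hypothetical helper that builds one sample event.
    return {"name": name, "Image": image, "OriginalFileName": original,
            "CommandLine": cmd}


NETSH = r"C:\Windows\System32\netsh.exe"
SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    ev("full", NETSH, "netsh.exe",
       'netsh wlan show profile name="CorpWifi" key=clear'),
    ev("shortened", NETSH, "netsh.exe",
       "netsh wlan sh pr name=CorpWifi k=clear"),
    ev("renamed", r"C:\Users\Public\n.exe", "netsh.exe",
       "n.exe WLAN Show Profile name=CorpWifi KEY=CLEAR"),
    ev("list_only", NETSH, "netsh.exe", "netsh wlan show profiles"),
    ev("trace", NETSH, "netsh.exe", "netsh trace start capture=yes"),
    ev("other_binary", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
       "cmd /c echo wlan show profile key=clear"),
]


def detect(events):
    return [e["name"] for e in events if matches(e)]


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The short tokens ' s', ' p' and ' k' match the full keywords and a shortened spelling alike, and the last sample shows why selection_img is still required: its command line satisfies selection_cli but the process is not netsh.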
Related rules
- Cisco Sniffing
- Network Sniffing - Linux
- Network Sniffing - MacOs
- New Network Trace Capture Started Via Netsh.EXE
- Potential Network Sniffing Activity Using Network Tools