An adversary may use netsh to extract WPA keys from the local machine, exposing sensitive wireless credentials in clear text. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential exposure and unauthorized network access attempts.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine startswith "netsh"
| where ProcessCommandLine has "key=clear"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by Timestamp
```
Hunting query definition (YAML):

```yaml
id: ad5c7f75-95e0-4eb9-93e5-b1793ef405d6
name: wifikeys
description: |
  Detect if someone run netsh and try to expose WPA keys in clear text
  @mattiasborg82.
  Blog.sec-labs.com.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine startswith "netsh"
  | where ProcessCommandLine has "key=clear"
  | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
  | top 100 by Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Known benign scenarios and suggested exclusions:

- Scenario: System administrator performing routine network configuration
  Description: A system admin uses netsh to configure Wi-Fi settings during a routine maintenance task.
  Filter/Exclusion: Check whether the user context is an admin or sysadmin account, or exclude command lines containing `netsh wlan add` or `netsh wlan set`.

- Scenario: Scheduled job to back up Wi-Fi profiles
  Description: A scheduled task runs netsh to export Wi-Fi profiles for backup purposes.
  Filter/Exclusion: Filter by ProcessName containing `schtasks.exe` or Task Scheduler, or check for a command line containing `netsh wlan export profile`.

- Scenario: Security tool or SIEM agent collecting network data
  Description: A security tool such as Microsoft Defender or a SIEM agent uses netsh to gather network information for monitoring.
  Filter/Exclusion: Filter by ProcessName matching the security tool or SIEM agent, or check for a command line containing `netsh wlan show` with no key exposure.

- Scenario: User accessing Wi-Fi settings via GUI or PowerShell
  Description: A user accesses Wi-Fi settings through the GUI or PowerShell, which may trigger netsh under the hood.
  Filter/Exclusion: Filter by the User field matching known users, or filter the command line for GUI-related parents such as `control.exe` or `powershell.exe`.

- Scenario: Network inventory tool scanning for Wi-Fi profiles
  Description: A network inventory tool such as Microsoft Endpoint Manager or a third-party product uses netsh to inventory Wi-Fi profiles across devices.
  Filter/Exclusion: Filter by ProcessName matching the inventory tool, or check for a command line containing `netsh wlan show profile`.
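The query below is an added example and not the page's hunting query: it folds the scenario exclusions above into the base detection so the hunt returns a per-host, per-account summary instead of raw rows. Two points drive the design. First, netsh only reveals a WPA key for `wlan show profile ... key=clear` (printed to the console) or `wlan export profile ... key=clear` (written to XML), so the `add`, `set` and key-less `show` cases from the scenarios already fall outside the `key=clear` filter and need no extra exclusion. Second, excluding `cmd.exe` or `powershell.exe` parents would suppress the interactive sessions this hunt exists to catch, so those are tagged rather than dropped. The host list, agent image names and the parent-process names used to recognise Task Scheduler launches (`SchedulerParents`) are placeholders and assumptions for your own environment, not values from the page.

```kusto
// Added example (not the original hunting query): netsh WPA-key exposure hunt with
// the false-positive tuning from the scenarios folded in.
let lookback = 7d;
// Hosts where a scheduled job may export Wi-Fi profiles for backup (placeholder values).
let ApprovedBackupHosts = dynamic(["PLACEHOLDER-BACKUP-HOST"]);
// Parent images treated as the Task Scheduler launching a job (assumption; tune per estate).
let SchedulerParents = dynamic(["svchost.exe", "taskeng.exe"]);
// Inventory or security agents allowed to read profiles (placeholder image names).
let ApprovedAgents = dynamic(["PLACEHOLDER-INVENTORY-AGENT.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "netsh.exe" or ProcessCommandLine startswith "netsh"
// Only "show profile" and "export profile" combined with key=clear reveal the key.
| where ProcessCommandLine has "wlan" and ProcessCommandLine has "key=clear"
| where ProcessCommandLine has "show" or ProcessCommandLine has "export"
| extend Action = iff(ProcessCommandLine has "export", "export-profile-xml", "show-profile-console")
// Pull the targeted profile name out of name="..." or name=... when one is given.
| extend ProfileName = extract(@'name="?([^"\s]+)"?', 1, ProcessCommandLine)
| extend ProfileName = iff(isempty(ProfileName), "<all or unspecified>", ProfileName)
// Scheduled backup scenario: an export launched by the scheduler on an approved host is expected.
| extend IsScheduledBackup = InitiatingProcessFileName in~ (SchedulerParents)
    and DeviceName in~ (ApprovedBackupHosts)
    and Action == "export-profile-xml"
// Security-tool and inventory scenarios: an approved agent image as the parent process.
| extend IsApprovedAgent = InitiatingProcessFileName in~ (ApprovedAgents)
| where not(IsScheduledBackup) and not(IsApprovedAgent)
// Shell-launched runs are kept and tagged; they are the case the hunt is looking for.
| extend FromInteractiveShell = InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Events = count(),
            Profiles = make_set(ProfileName, 20), CommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName, AccountName, InitiatingProcessFileName, Action, FromInteractiveShell
| order by Events desc, LastSeen desc
```

Rows with `FromInteractiveShell == true` and a single named profile are the ones to triage first; a burst of `export-profile-xml` events across many profiles from an unapproved host is the pattern to treat as bulk credential harvesting rather than backup. Review the `Profiles` and `CommandLines` sets before opening a case, since `key=clear` only succeeds for a caller with local administrator rights and the summary does not by itself show whether the key was actually displayed.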