SigmaHQ/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml

title: Detect the harvesting of wifi credentials using netsh.exe
id: 42b1a5b8-353f-4f10-b256-39de4467faff
status: experimental
description: Detect the harvesting of wifi credentials using netsh.exe
references:
    - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
author: Andreas Hunkeler (@Karneades)
date: 2020/04/20
tags:
    - attack.discovery
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'netsh wlan show profile * key=clear'
    condition: selection
falsepositives:
    - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason
level: medium
Add rule to detect wifi creds harvesting using netsh 2020-04-20 14:14:44 +00:00			`title: Detect the harvesting of wifi credentials using netsh.exe`
			`id: 42b1a5b8-353f-4f10-b256-39de4467faff`
			`status: experimental`
			`description: Detect the harvesting of wifi credentials using netsh.exe`
			`references:`
			`- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/`
			`author: Andreas Hunkeler (@Karneades)`
			`date: 2020/04/20`
			`tags:`
			`- attack.discovery`
			`- attack.t1040`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`CommandLine:`
			`- 'netsh wlan show profile * key=clear'`
			`condition: selection`
			`falsepositives:`
			`- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason`
			`level: medium`