WLAN Credential Leak
Rule added on 30th May, 2024
Rule type:
Correlation
Rule description:
A WLAN (Wireless Local Area Network) credential leak is an attempt to dump the saved wireless access keys in clear text using the netsh command. Once attackers obtain the network security keys or Wi-Fi passwords, they can move laterally within the network to gather sensitive information.
Attack chain scenario: Man-in-the-middle (MitM) Attack -> WLAN traffic interception -> Password sniffing -> Data exfiltration
Impact:
It can impact the organizations in the following ways:
- Credential theft
- Data exfiltration
- Network breaches
Data source:
Windows > Process Creation
Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the audit process creation policy, and enabling command line auditing.
Relevant MITRE ATT&CK techniques and tactics:
Tactic: TA0007- Discovery
Technique: T1003- System Network Configuration Discovery
Sub Technique: T1016.002- Wi-Fi Discovery
Criteria:
( ( Process Name ends with "netsh.exe" ) OR ( Original File Name ends with "netsh.exe" ) ) AND ( ( Command Line contains "wlan" ) AND ( Command Line contains "Key" ) AND ( Command Line contains "clear" ) )
netsh.exe - Displays and modifies the network configuration of the computer in use.
wlan - Displays the Wi-Fi profiles and their associated properties.
clear - Displays the security keys of the Wi-Fi profiles in plaintext (the key=clear parameter).
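The criteria above, applied to a few constructed process-creation records, as an added example (not the vendor's rule engine). It assumes case-insensitive matching, since the real invocation spells the parameter key=clear while the criteria spell the token "Key"; it also shows why the Original File Name check matters when netsh.exe has been renamed.

```python
"""Added example: the WLAN Credential Leak criteria applied to constructed
process-creation events (not the vendor's implementation)."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Fields of a Windows process-creation record (Sysmon Event ID 1 / 4688)."""
    image: str               # full path of the executable (Process Name)
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


# Assumption: the SIEM's "contains" is case-insensitive, so "Key" matches "key=clear".
REQUIRED_TOKENS = ("wlan", "key", "clear")


def is_wlan_credential_leak(ev: ProcessEvent) -> bool:
    """Return True when the event satisfies the rule criteria."""
    is_netsh = (ev.image.lower().endswith("netsh.exe")
                or ev.original_file_name.lower().endswith("netsh.exe"))
    cmd = ev.command_line.lower()
    return is_netsh and all(tok in cmd for tok in REQUIRED_TOKENS)


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\netsh.exe", "netsh.exe",
                 'netsh wlan show profile name="CorpWiFi" key=clear'),
    # renamed copy of netsh: Process Name no longer matches, OriginalFileName does
    ProcessEvent(r"C:\Users\Public\n.exe", "netsh.exe",
                 "n.exe wlan show profile key=clear"),
    ProcessEvent(r"C:\Windows\System32\netsh.exe", "netsh.exe",
                 "netsh wlan show profiles"),  # lists profiles, no key requested
    ProcessEvent(r"C:\Windows\System32\netsh.exe", "netsh.exe",
                 'netsh wlan delete profile name="OldOffice"'),  # profile clean-up
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 "cmd.exe /c echo wlan key clear"),  # right words, wrong binary
]


def matching_command_lines(events):
    """Command lines of the events that would raise this alert."""
    return [ev.command_line for ev in events if is_wlan_credential_leak(ev)]


if __name__ == "__main__":
    for line in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT WLAN Credential Leak:", line)
```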
When to enable this rule:
Enabling this rule will help you meet the security standard's requirement listed below:
Security standards (NIST CSF 2.0):
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
When this rule is triggered, you are notified that a suspicious WLAN credential leak using the netsh command has occurred. This lets you take corrective action, such as restricting administrator privileges to the users who need them.
Known false positives: This event may be generated while clearing a forgotten wireless profile.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify if the alert is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
- Deploy advanced encryption methods: Secure Wi-Fi networks with stronger encryption methods such as WPA3.