{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wireless/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","discovery","windows","netsh","wireless"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the abuse of \u003ccode\u003enetsh.exe\u003c/code\u003e, a legitimate Windows command-line utility, to dump wireless network credentials in clear text. Attackers can exploit this to gain unauthorized access to wireless networks, potentially facilitating lateral movement and data theft. The activity is detected by monitoring process executions for \u003ccode\u003enetsh.exe\u003c/code\u003e with specific command-line arguments related to wireless LAN (WLAN) profiles and key extraction in clear text. This technique can be employed by both external attackers and malicious insiders to compromise network security. The goal is to obtain saved Wi-Fi passwords, enabling unauthorized network access. This activity can be part of a broader attack campaign, starting from initial access and escalating to sensitive data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a compromised Windows host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to list available WLAN profiles: \u003ccode\u003enetsh wlan show profiles\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003enetsh.exe\u003c/code\u003e to dump the wireless key in clear text for a specific profile: \u003ccode\u003enetsh wlan show profile name=\u0026quot;\u0026lt;profile_name\u0026gt;\u0026quot; key=clear\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command output reveals the clear text password for the targeted Wi-Fi network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen Wi-Fi credentials to connect to the wireless network.\u003c/li\u003e\n\u003cli\u003eOnce connected, the attacker performs network reconnaissance to identify valuable targets and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally through the network, exploiting vulnerabilities or misconfigurations to compromise additional systems.\u003c/li\u003e\n\u003cli\u003eThe final objective could include data exfiltration, installation of backdoors, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthorized access to wireless networks, bypassing traditional security measures. This can lead to lateral movement within the network, enabling attackers to access sensitive data, compromise critical systems, and potentially deploy ransomware. The impact ranges from data breaches and financial losses to reputational damage and disruption of services. The severity depends on the sensitivity of the data accessible through the compromised network and the attacker's subsequent actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Wireless Credential Dumping via Netsh\u003c/code\u003e to identify malicious use of \u003ccode\u003enetsh.exe\u003c/code\u003e (see \u0026quot;rules\u0026quot; section).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to enhance visibility into command-line arguments of executed processes.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and the principle of least privilege to minimize the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eRegularly review and update wireless network configurations and passwords to prevent unauthorized access using old credentials.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious network connections originating from systems that have executed \u003ccode\u003enetsh.exe\u003c/code\u003e with WLAN-related arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-25-netsh-wireless-creds-dump/","summary":"Attackers may attempt to dump wireless credentials using `netsh.exe` to gain unauthorized network access, potentially leading to lateral movement and data compromise.","title":"Wireless Credential Dumping using Netsh Command","url":"https://feed.craftedsignal.io/briefs/2024-01-25-netsh-wireless-creds-dump/"}],"language":"en","title":"CraftedSignal Threat Feed - Wireless","version":"https://jsonfeed.org/version/1.1"}