T1016.002: Wi-Fi Discovery
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns.
Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows, the names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile "Wi-Fi name" key=clear` to show a Wi-Fi network's corresponding password.[1][2][3] Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` Native API functions.[4]
On Linux, names and passwords of all Wi-Fi networks a device has previously connected to may be available in files under `/etc/NetworkManager/system-connections/`.[5] On macOS, the password of a known Wi-Fi network may be identified with `security find-generic-password -wa wifiname` (requires admin username/password).[6]
Analyst context for executives and security teams
Wi-Fi Discovery matters because a compromised laptop or workstation can expose nearby networks and previously saved wireless credentials, turning an endpoint incident into a broader access, credential, or physical-proximity risk. For leaders, the key issue is not just that an attacker can list Wi-Fi details; it is whether corporate devices store reusable wireless secrets and whether SOC/IR teams can see when common OS tools, APIs, or scripts are used to retrieve them.
Executive priority
Treat this as a resilience and access-control validation point for organizations with corporate Wi-Fi, mobile workforces, sensitive sites, or executive/travel devices. Priority questions: are wireless credentials protected and rotated appropriately, are privileged prompts or admin credentials required where expected, and can incident responders determine whether Wi-Fi secrets were accessed during a host compromise? The relationship to the APT28 Nearest Neighbor Campaign also makes this relevant to physical/cyber convergence, because nearby wireless access can matter when adversaries operate around a target environment.
Technical view
This is an enterprise discovery sub-technique of System Network Configuration Discovery for Linux, Windows, and macOS. ATT&CK provides no official detection text, so defenders should validate behavior-based coverage using the related DET0464 detection strategy where available. Practical validation should focus on endpoint process and script activity that queries saved or reachable Wi-Fi profiles, access to OS locations that store wireless configuration, and use of native APIs or command-line utilities associated with wireless profile enumeration. Relationship context shows use by Windows-focused malware including Agent Tesla, Emotet, Machete, CharmPower, and PUBLOAD, plus Magic Hound and the APT28 Nearest Neighbor Campaign, so detections should be tested in post-compromise discovery sequences rather than treated as standalone high-confidence alerts.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows, Linux, and macOS
- PowerShell or script execution records where available
- File access telemetry for wireless configuration locations, especially Linux NetworkManager connection files
- macOS security/keychain access events where available
- Windows API or module telemetry related to wireless LAN enumeration where available
Detection direction
- Baseline legitimate administrative and helpdesk use of Wi-Fi profile utilities to reduce false positives.
- Correlate Wi-Fi discovery activity with other discovery, credential access, persistence, or C2 indicators instead of alerting only on a single command.
- Validate visibility on all supported platforms: Windows, Linux, and macOS coverage will differ substantially.
- Look for unusual users, parent processes, scripts, malware-staging directories, or non-interactive contexts performing wireless profile discovery.
- Confirm whether detections cover both command-line enumeration and non-command methods such as native API calls.
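The detection direction above can be exercised against endpoint process telemetry. The following is an added example written for this page, not ATT&CK or Glexia detection content: it tags process-creation events whose command line touches the Wi-Fi profile paths named in the technique description (netsh on Windows, the macOS keychain lookup, NetworkManager connection files on Linux), adds risk reasons for unusual parents, staging directories and requests for the stored secret, and correlates with other discovery commands on the same host within a time window. The event schema, the suspicious-parent list, the other-discovery regex and the sample events are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the Wi-Fi profile enumeration paths named on this
# page. Tag names and regexes are assumptions made for this example.
WIFI_DISCOVERY_PATTERNS = [
    ("windows_netsh_profiles", re.compile(r"netsh\s+wlan\s+show\s+profiles\b", re.I)),
    ("windows_netsh_key_clear", re.compile(r"netsh\s+wlan\s+show\s+profile\b.*\bkey\s*=\s*clear", re.I)),
    ("macos_keychain_wifi", re.compile(r"\bsecurity\s+find-generic-password\b.*\s-[a-z]*w", re.I)),
    ("linux_nm_connections", re.compile(r"/etc/NetworkManager/system-connections/")),
]
# Tags whose command line asks for the stored secret, not only the profile name.
SECRET_TAGS = {"windows_netsh_key_clear", "macos_keychain_wifi"}
# Other discovery commands used for correlation (assumed list, not from ATT&CK).
OTHER_DISCOVERY = re.compile(
    r"\b(whoami|net\s+user|net\s+view|arp\s+-a|ipconfig|ifconfig|nltest|systeminfo)\b", re.I)
# Parent images that rarely launch Wi-Fi utilities during normal administration (assumed).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe"}
# Staging locations; C:\Users\Public is the directory named in the PUBLOAD entry on this page.
STAGING_DIRS = (r"c:\users\public", "/tmp/", "/dev/shm/")


def score_event(event):
    """Tag one process-creation event and list risk reasons.

    Returns (tags, reasons); tags is empty when the command line does not
    touch saved or reachable Wi-Fi profiles.
    """
    cmd = event["cmdline"]
    tags = [name for name, pat in WIFI_DISCOVERY_PATTERNS if pat.search(cmd)]
    if not tags:
        return [], []
    reasons = []
    parent = event.get("parent", "").lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}, which rarely runs Wi-Fi profile utilities")
    location = (event.get("image", "") + " " + cmd).lower()
    if any(d in location for d in STAGING_DIRS):
        reasons.append("image or command line references a common staging directory")
    if SECRET_TAGS.intersection(tags):
        reasons.append("command requests the stored Wi-Fi secret, not just the profile name")
    return tags, reasons


def correlate(events, window=timedelta(minutes=15)):
    """Per host, pair Wi-Fi discovery with nearby discovery activity.

    An alert is emitted only when at least one risk reason exists, so a bare
    `netsh wlan show profiles` from an interactive helpdesk session stays quiet.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for ev in evs:
            tags, reasons = score_event(ev)
            if not tags:
                continue
            nearby = [n for n in evs if n is not ev and abs(n["ts"] - ev["ts"]) <= window]
            other = [n for n in nearby if OTHER_DISCOVERY.search(n["cmdline"])]
            if other:
                reasons.append(f"{len(other)} other discovery command(s) within {window}")
            if reasons:
                alerts.append({"host": host, "user": ev["user"], "ts": ev["ts"], "tags": tags,
                               "reasons": reasons,
                               "severity": "high" if len(reasons) >= 2 else "low"})
    return alerts


def _ev(ts, host, user, parent, image, cmdline):
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


T0 = datetime(2024, 1, 1, 9, 0)
# Constructed sample telemetry; hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    # Helpdesk baseline: interactive shell, profile names only -> no alert.
    _ev(T0, "WS01", "helpdesk1", "explorer.exe", r"C:\Windows\System32\cmd.exe", "netsh wlan show profiles"),
    # Post-compromise sequence: staged binary spawned by Word asks for the key, then more discovery.
    _ev(T0 + timedelta(hours=1), "WS02", "bob", "winword.exe", r"C:\Users\Public\svc.exe",
        'netsh wlan show profile "CorpWiFi" key=clear'),
    _ev(T0 + timedelta(hours=1, minutes=2), "WS02", "bob", "svc.exe", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _ev(T0 + timedelta(hours=1, minutes=3), "WS02", "bob", "svc.exe", r"C:\Windows\System32\ARP.EXE", "arp -a"),
    # macOS keychain lookup of a Wi-Fi password from a terminal.
    _ev(T0 + timedelta(hours=2), "MAC01", "alice", "zsh", "/usr/bin/security",
        "security find-generic-password -wa CorpWiFi"),
    # Linux read of a NetworkManager connection file, followed by ifconfig.
    _ev(T0 + timedelta(hours=3), "LNX01", "root", "bash", "/usr/bin/cat",
        "cat /etc/NetworkManager/system-connections/CorpWiFi.nmconnection"),
    _ev(T0 + timedelta(hours=3, minutes=1), "LNX01", "root", "bash", "/usr/sbin/ifconfig", "ifconfig"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["user"], alert["tags"], alert["reasons"])
```

With the constructed events, the helpdesk host produces nothing, the macOS and Linux hosts produce low-severity alerts (one reason each), and the Word-spawned staged binary on WS02 produces a high-severity alert with four reasons. Feeding real telemetry requires only mapping the EDR's fields onto the `ts`, `host`, `user`, `parent`, `image` and `cmdline` keys; the baseline step in the list above is what keeps the suspicious-parent set and the staging directories tuned to the environment.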
Mitigation priorities
- Limit storage and reuse of shared Wi-Fi credentials where operationally feasible.
- Prefer identity-bound wireless access controls and timely credential rotation over long-lived shared secrets.
- Restrict local administrative access because some password retrieval paths may require elevated privileges or admin credentials.
- Harden endpoint logging and EDR collection for process, script, file access, and keychain or credential-store activity.
- Include saved Wi-Fi credential review in incident response scoping for compromised laptops and workstations.
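The first, second and last mitigation items above, together with the Linux storage location given in the technique description (`/etc/NetworkManager/system-connections/`), can be turned into a host audit that a responder runs when scoping a compromised Linux workstation. The following is an added example for this page, not Glexia or NetworkManager code: it reads NetworkManager keyfiles from a directory, reports which networks rely on a shared pre-shared key, which of those keep the key in clear text on disk, and which files are readable beyond the owner, without ever printing the secret itself. The keyfile layout assumed here is the INI-style format with `ssid=` under `[wifi]` and `key-mgmt=`, `psk=` and `psk-flags=` under `[wifi-security]`, where `psk-flags=1` marks an agent-owned secret that is not written into the file; the sample keyfiles, passphrase and identity are constructed.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Constructed NetworkManager keyfiles (mode, body); not real credentials.
SAMPLE_KEYFILES = {
    "CorpWiFi.nmconnection": (0o644, """\
[connection]
id=CorpWiFi
type=wifi

[wifi]
ssid=CorpWiFi
mode=infrastructure

[wifi-security]
key-mgmt=wpa-psk
psk=constructed-sample-passphrase
"""),
    "Guest.nmconnection": (0o600, """\
[connection]
id=Guest
type=wifi

[wifi]
ssid=Guest

[wifi-security]
key-mgmt=wpa-psk
psk-flags=1
"""),
    "Corp-8021X.nmconnection": (0o600, """\
[connection]
id=Corp-8021X
type=wifi

[wifi]
ssid=Corp-8021X

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=user@example.com
"""),
}


def build_sample_dir() -> Path:
    """Write the constructed keyfiles into a temporary directory and return it."""
    root = Path(tempfile.mkdtemp(prefix="nm-audit-"))
    for name, (mode, body) in SAMPLE_KEYFILES.items():
        path = root / name
        path.write_text(body)
        os.chmod(path, mode)
    return root


def audit_keyfile(path: Path) -> dict:
    """Report whether one keyfile stores a reusable wireless secret and whether
    its permissions keep that secret private. The secret is never returned."""
    mode = stat.S_IMODE(path.stat().st_mode)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    ssid = cp.get("wifi", "ssid", fallback=path.stem)
    key_mgmt = cp.get("wifi-security", "key-mgmt", fallback="none")
    psk_present = bool(cp.get("wifi-security", "psk", fallback=""))
    findings = []
    if mode & 0o077:
        # Audit baseline assumed here: keyfiles should be 0600 and root-owned.
        findings.append(f"mode {mode:04o} lets group/others read the file; expected 0600")
    if key_mgmt == "wpa-psk" and psk_present:
        findings.append("pre-shared key is written into the keyfile in clear text")
    return {"file": path.name, "ssid": ssid, "key_mgmt": key_mgmt,
            "secret_stored": psk_present, "mode_ok": not (mode & 0o077),
            "findings": findings}


def audit_dir(root: Path) -> dict:
    """Audit every *.nmconnection file under root and summarise exposure."""
    results = [audit_keyfile(p) for p in sorted(root.glob("*.nmconnection"))]
    return {
        "files": {r["file"]: r for r in results},
        "cleartext_psk": [r["ssid"] for r in results if r["secret_stored"]],
        "shared_psk_networks": [r["ssid"] for r in results if r["key_mgmt"] == "wpa-psk"],
        "world_readable": [r["ssid"] for r in results if not r["mode_ok"]],
    }


if __name__ == "__main__":
    report = audit_dir(build_sample_dir())  # on a real host: Path("/etc/NetworkManager/system-connections")
    print("shared-PSK networks:", report["shared_psk_networks"])
    print("PSK stored in clear:", report["cleartext_psk"])
    print("readable beyond owner:", report["world_readable"])
```

On the constructed data the audit lists CorpWiFi and Guest as shared-secret networks, flags only CorpWiFi as keeping its key in clear text (Guest defers to an agent-owned secret), and flags the 0644 file as readable beyond its owner; the 802.1X profile carries no reusable secret and is reported with `key_mgmt` of `wpa-eap`. The summary lists map directly onto the scoping question in the last mitigation item: which saved networks would need rotation if this host were compromised.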
Analyst notes and limits
ATT&CK identifies this as a discovery behavior, but the practical risk often lands in credential exposure, lateral movement planning, and proximity-based access decisions. The supplied relationships show multiple malware and campaign/group associations, but those relationships should be used for prioritization and detection testing, not for attribution from telemetry alone.
The official ATT&CK object does not provide a detection section or mitigations. This take is based only on the supplied ATT&CK description, platforms, external references, and relationships. Local environment evidence is required to determine whether saved Wi-Fi secrets exist, whether telemetry captures access to them, and whether observed activity is malicious or legitimate administration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | This object is a sub-technique of System Network Configuration Discovery. |
Groups, software, and campaigns
G0059: Magic Hound
Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]
S1228: PUBLOAD
PUBLOAD is a stager malware that has been observed installing itself in existing directories such as `C:\Users\Public` or creating new directories to stage the malware and its components.[1] PUBLOAD malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. PUBLOAD malware has previously been leveraged by China-affiliated actors identified as Mustang Panda. PUBLOAD is also known as “NoFive” and some public reporting identifies the loader component as CLAIMLOADER.[2]
S0674: CharmPower
CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[1]
S0409: Machete
S0331: Agent Tesla
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[1][2][3]
S0367: Emotet
C0051: APT28 Nearest Neighbor Campaign
APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily leveraged living-off-the-land techniques, while also leveraging the zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations near the intended target, APT28 discovered dual-homed systems (with both a wired and wireless network connection) to enable Wi-Fi and used compromised credentials to connect to the victim network.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4efa3493d44f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Sergiu Gatlan. (2020, April 16). Hackers steal WiFi passwords using upgraded Agent Tesla malware. Retrieved September 8, 2023. (ATT&CK source name: BleepingComputer Agent Tesla steal wifi passwords)
[2] Hossein Jazi. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved September 8, 2023. (ATT&CK source name: Malware Bytes New AgentTesla variant steals WiFi credentials)
[3] Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. (ATT&CK source name: Check Point APT35 CharmPower January 2022)
[4] Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023. (ATT&CK source name: Binary Defense Emotes Wi-Fi Spreader)
[5] Geeks for Geeks. (n.d.). Wi-Fi Password of All Connected Networks in Windows/Linux. Retrieved September 8, 2023. (ATT&CK source name: Wi-Fi Password of All Connected Networks in Windows/Linux)
[6] Ruslana Lishchuk. (2021, March 26). How to Find a Saved Wi-Fi Password on a Mac. Retrieved September 8, 2023. (ATT&CK source name: Find Wi-Fi Password on Mac)
[7] mitre-attack: T1016.002.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.