Wi Fi Password Dumping Detection
Query
//This query detects attempts to dump WiFi passwords in plain text from cmd
//Note: This action does NOT require admin privileges
DeviceProcessEvents
| where FileName == "netsh.exe"
| where ProcessCommandLine contains "key=clear" //plain-textExplanation
This query is designed to identify attempts to extract WiFi passwords in plain text using the command line tool netsh.exe. It specifically looks for instances where the command includes the option "key=clear," which is used to display WiFi passwords in a readable format. The query searches through device process events to find any such occurrences, and importantly, this action can be performed without needing administrative privileges.
Details

Jay Kerai
Released: November 10, 2024
Tables
DeviceProcessEvents
Keywords
Devices
Operators
==contains|where