MITRE ATT&CK Technique
Description
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns. Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi network’s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader) On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2023-09-08T15:39:50.269Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may search for information about Wi-Fi networks, '
'such as network names and passwords, on compromised systems. '
'Adversaries may use Wi-Fi information as part of [Account '
'Discovery](https://attack.mitre.org/techniques/T1087), '
'[Remote System '
'Discovery](https://attack.mitre.org/techniques/T1018), and '
'other discovery or [Credential '
'Access](https://attack.mitre.org/tactics/TA0006) activity to '
'support both ongoing and future campaigns.\n'
'\n'
'Adversaries may collect various types of information about '
'Wi-Fi networks from hosts. For example, on Windows names and '
'passwords of all Wi-Fi networks a device has previously '
'connected to may be available through `netsh wlan show '
'profiles` to enumerate Wi-Fi names and then `netsh wlan show '
'profile “Wi-Fi name” key=clear` to show a Wi-Fi network’s '
'corresponding password.(Citation: BleepingComputer Agent '
'Tesla steal wifi passwords)(Citation: Malware Bytes New '
'AgentTesla variant steals WiFi credentials)(Citation: Check '
'Point APT35 CharmPower January 2022) Additionally, names and '
'other details of locally reachable Wi-Fi networks can be '
'discovered using calls to `wlanAPI.dll` [Native '
'API](https://attack.mitre.org/techniques/T1106) '
'functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)\n'
'\n'
'On Linux, names and passwords of all Wi-Fi-networks a device '
'has previously connected to may be available in files under ` '
'/etc/NetworkManager/system-connections/`.(Citation: Wi-Fi '
'Password of All Connected Networks in Windows/Linux) On '
'macOS, the password of a known Wi-Fi may be identified with ` '
'security find-generic-password -wa wifiname` (requires admin '
'username/password).(Citation: Find Wi-Fi Password on Mac)\n',
'external_references': [{'external_id': 'T1016.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1016/002'},
{'description': 'Binary Defense. (n.d.). Emotet '
'Evolves With new Wi-Fi Spreader. '
'Retrieved September 8, 2023.',
'source_name': 'Binary Defense Emotes Wi-Fi Spreader',
'url': 'https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/'},
{'description': 'Check Point. (2022, January 11). '
'APT35 exploits Log4j vulnerability '
'to distribute new modular PowerShell '
'toolkit. Retrieved January 24, 2022.',
'source_name': 'Check Point APT35 CharmPower January '
'2022',
'url': 'https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/'},
{'description': 'Geeks for Geeks. (n.d.). Wi-Fi '
'Password of All Connected Networks '
'in Windows/Linux. Retrieved '
'September 8, 2023.',
'source_name': 'Wi-Fi Password of All Connected '
'Networks in Windows/Linux',
'url': 'https://www.geeksforgeeks.org/wi-fi-password-connected-networks-windowslinux/'},
{'description': 'Hossein Jazi. (2020, April 16). New '
'AgentTesla variant steals WiFi '
'credentials. Retrieved September 8, '
'2023.',
'source_name': 'Malware Bytes New AgentTesla variant '
'steals WiFi credentials',
'url': 'https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials'},
{'description': 'Ruslana Lishchuk. (2021, March 26). '
'How to Find a Saved Wi-Fi Password '
'on a Mac. Retrieved September 8, '
'2023.',
'source_name': 'Find Wi-Fi Password on Mac',
'url': 'https://mackeeper.com/blog/find-wi-fi-password-on-mac/'},
{'description': 'Sergiu Gatlan. (2020, April 16). '
'Hackers steal WiFi passwords using '
'upgraded Agent Tesla malware. '
'Retrieved September 8, 2023.',
'source_name': 'BleepingComputer Agent Tesla steal '
'wifi passwords',
'url': 'https://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/'}],
'id': 'attack-pattern--494ab9f0-36e0-4b06-b10d-57285b040a06',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-24T17:48:44.123Z',
'name': 'Wi-Fi Discovery',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Alex Spivakovsky, Pentera',
'Christopher Peacock',
'Liran Ravich, CardinalOps',
'Uriel Kosayev'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'Windows', 'macOS'],
'x_mitre_version': '1.1'}