Wi-Fi Credentials Harvesting Using Netsh

Hello everyone. We recently had an incident where an employee found and shared an internal wireless PSK with guests. I recently created a new custom alert and wanted to share it with the community, as Rapid7 doesn’t natively alert on this:

Name: Suspicious Command - Wi-Fi Credentials Harvesting Using Netsh
Log Source: Process Start Events
Query:

where(
    process.name
      IIN [
        "netsh.exe"
      ]
  AND
    process.cmd_line
      ICONTAINS-ANY [
        "wlan show profiles",
        "key=clear"
      ]
) 

It's already been insightful for me and hope it can help someone else!


Great stuff, thank you!

Thanks for sharing. You can also add a third entry under ICONTAINS-ANY for:

  • "wlan sh pr"

This is the shorthand for show profiles, though it would essentially match on key=clear if entered on the same line regardless.
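To see how the query above (with the "wlan sh pr" addition from the reply) behaves against real-looking telemetry, here is a stand-alone Python re-implementation of its IIN / ICONTAINS-ANY matching, run over a few constructed process-start events. This is an added example, not code from the original post or from Rapid7; the field names and the helper names are assumptions, and only "netsh.exe" and the quoted command-line fragments come from the thread.

```python
# Added example: re-implements the alert's matching logic so it can be exercised offline.
# Field names ("process_name", "cmd_line") and helper names are assumptions, not InsightIDR's.

PROCESS_NAMES = ["netsh.exe"]                                        # IIN list from the query
CMD_FRAGMENTS = ["wlan show profiles", "key=clear", "wlan sh pr"]    # ICONTAINS-ANY list + reply's addition


def iin(value: str, choices: list[str]) -> bool:
    """Case-insensitive membership, mirroring the IIN operator in the query."""
    return value.lower() in {c.lower() for c in choices}


def icontains_any(haystack: str, needles: list[str]) -> bool:
    """Case-insensitive 'contains any of', mirroring the ICONTAINS-ANY operator."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def is_suspicious(event: dict) -> bool:
    """Apply the alert's two AND-ed conditions to a single process-start event."""
    return iin(event.get("process_name", ""), PROCESS_NAMES) and icontains_any(
        event.get("cmd_line", ""), CMD_FRAGMENTS
    )


def find_matches(events: list[dict]) -> list[str]:
    """Return the command line of every event the alert would fire on, in input order."""
    return [e["cmd_line"] for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry). Two should alert, two should not.
SAMPLE_EVENTS = [
    {"process_name": "netsh.exe", "cmd_line": 'netsh wlan show profiles name="CorpWiFi" key=clear'},
    {"process_name": "NETSH.EXE", "cmd_line": "netsh wlan sh pr"},                  # shorthand from the reply
    {"process_name": "netsh.exe", "cmd_line": "netsh interface ip show config"},     # benign admin use
    {"process_name": "powershell.exe", "cmd_line": "Get-Content key=clear.txt"},     # fragment, wrong process
]

if __name__ == "__main__":
    for line in find_matches(SAMPLE_EVENTS):
        print("ALERT:", line)
```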