kqlHunting

WiFi Password Dumping Detection

This query detects attempts to dump WiFi passwords in plain text from cmd by matching netsh.exe command lines that contain key=clear.

Detection Query

// This query detects attempts to dump WiFi passwords in plain text from cmd
// Note: This action does NOT require admin privileges
DeviceProcessEvents
| where FileName =~ "netsh.exe" // case-insensitive match on the process file name
| where ProcessCommandLine contains "key=clear" // key=clear makes netsh show the key in plain text

Data Sources

DeviceProcessEvents

Platforms

windows

Tags

defender