Esc
Wi-Fi Discovery - T1016.002
(ATT&CK® Technique)
Definition
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1016002["Wi-Fi Discovery"] --> |may-invoke| CreateProcess["Create Process"]; class T1016002 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1016002 href "/offensive-technique/attack/T1016.002/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1016002["Wi-Fi Discovery"] --> |may-execute| ExecutableScript["Executable Script"]; class T1016002 OffensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; click T1016002 href "/offensive-technique/attack/T1016.002/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1016002["Wi-Fi Discovery"] --> |may-invoke| GetSystemNetworkConfigValue["Get System Network Config Value"]; class T1016002 OffensiveTechniqueNode; class GetSystemNetworkConfigValue ArtifactNode; click GetSystemNetworkConfigValue href "/dao/artifact/d3f:GetSystemNetworkConfigValue"; click T1016002 href "/offensive-technique/attack/T1016.002/"; click GetSystemNetworkConfigValue href "/dao/artifact/d3f:GetSystemNetworkConfigValue";FileEncryption["File Encryption"] --> | encrypts | ExecutableScript["Executable Script"]; FileEncryption["File Encryption"] -.-> | may-harden | T1016002["Wi-Fi Discovery"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; SystemCallFiltering["System Call Filtering"] -.-> | may-isolate | T1016002["Wi-Fi Discovery"] ; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] --> | filters | GetSystemNetworkConfigValue["Get System Network Config Value"]; class SystemCallFiltering DefensiveTechniqueNode; class GetSystemNetworkConfigValue ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableScript["Executable Script"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1016002["Wi-Fi Discovery"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableScript["Executable Script"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1016002["Wi-Fi Discovery"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | filters | CreateProcess["Create Process"]; class ExecutableAllowlisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableScript["Executable Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1016002["Wi-Fi Discovery"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | filters | CreateProcess["Create Process"]; class ExecutableDenylisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | may-isolate | T1016002["Wi-Fi Discovery"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class CreateProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; RestoreFile["Restore File"] --> | restores | ExecutableScript["Executable Script"]; RestoreFile["Restore File"] -.-> | may-restore | T1016002["Wi-Fi Discovery"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1016002["Wi-Fi Discovery"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableScript["Executable Script"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1016002["Wi-Fi Discovery"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; DecoyFile["Decoy File"] --> | spoofs | ExecutableScript["Executable Script"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1016002["Wi-Fi Discovery"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableScript["Executable Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1016002["Wi-Fi Discovery"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | may-detect | T1016002["Wi-Fi Discovery"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | may-detect | T1016002["Wi-Fi Discovery"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | GetSystemNetworkConfigValue["Get System Network Config Value"]; class SystemCallAnalysis DefensiveTechniqueNode; class GetSystemNetworkConfigValue ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1016002["Wi-Fi Discovery"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1016002["Wi-Fi Discovery"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; FileEviction["File Eviction"] --> | deletes | ExecutableScript["Executable Script"]; FileEviction["File Eviction"] -.-> | may-evict | T1016002["Wi-Fi Discovery"] ; class FileEviction DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction";