| Aspect | Details |
|---|---|
| Challenge | Traditional detections rely on mutable artifacts (e.g., netsh.exe usage). |
| Goal | Identify immutable artifacts generated during WiFi credential dumps via direct API calls. |
| Key Tools | Windows Event Viewer, Sysmon, Procmon, Custom C code for API-based WiFi credential dump. |
| API Method Observations | No registry read/write logs; no file read logs on the WiFi profile storage paths; no process creation logs for netsh. |
| Sysmon Event ID 7 Use | Detects executables loading wlanapi.dll. Requires enabling Event ID 7 by modifying Sysmon configuration. |
| Configuration Change | Modify Sysmon config: Change Event ID 7 from exclude to include for ImageLoad. |
| Detection Rule | Sysmon Event ID 7 where ImageLoaded is wlanapi.dll and Image is an executable not in the baseline of known legitimate loaders. Requires baselining legitimate activity first to avoid false positives. |
| Password Dump Detection | Monitor Crypto-DPAPI Event ID 16385 for calls to CryptUnprotect. Correlate with caller process (e.g., PowerShell). |
| Recommended Telemetry | Enable Sysmon Event ID 7 and Crypto-DPAPI Event ID 16385. Adjust configurations to reduce noise. |
| Key Insight | Immutable artifacts, such as DLL loads or API calls (e.g., wlanapi.dll or CryptUnprotect), are essential for detecting advanced attacker methods. |
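The detection logic summarised in the rows above (the Event ID 7 rule plus the Crypto-DPAPI correlation) as an added example; this is not code from the article or its author. The event records are constructed sample data in a simplified dictionary form, the baseline of legitimate wlanapi.dll loaders is assumed, and the DPAPI field names (`OperationType`, `CallerProcessID`) and the value `SPCryptUnprotect` are assumptions about the 16385 event schema that should be checked against real events before use.

```python
"""Detect WiFi credential dumping via the two immutable artifacts the article
names: Sysmon Event ID 7 (a process loading wlanapi.dll) and Crypto-DPAPI
Event ID 16385 (an unprotect call), correlated on the calling process.

All event records below are CONSTRUCTED sample telemetry; the dictionary
field names are an assumed, simplified rendering of the Windows event data.
"""
from datetime import datetime, timedelta

# Assumed baseline: images observed loading wlanapi.dll legitimately (lower-cased).
# In practice this set is built by running the Event ID 7 rule in audit mode first.
BASELINE_LOADERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
}

# Constructed sample events: one benign wlanapi.dll load, one suspicious load
# followed by a DPAPI unprotect from the same PID, and an unrelated PowerShell
# unprotect that should NOT correlate (no wlanapi.dll load by that process).
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 7, "UtcTime": "2024-01-10 09:00:01.000",
     "ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wlanapi.dll"},
    {"Channel": "Sysmon", "EventID": 7, "UtcTime": "2024-01-10 09:05:10.000",
     "ProcessId": 4812, "Image": r"C:\Users\alice\Downloads\wifidump.exe",
     "ImageLoaded": r"C:\Windows\System32\wlanapi.dll"},
    {"Channel": "Crypto-DPAPI", "EventID": 16385, "UtcTime": "2024-01-10 09:05:11.500",
     "OperationType": "SPCryptUnprotect", "CallerProcessID": 4812},
    {"Channel": "Sysmon", "EventID": 7, "UtcTime": "2024-01-10 09:07:00.000",
     "ProcessId": 5100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Channel": "Crypto-DPAPI", "EventID": 16385, "UtcTime": "2024-01-10 09:07:05.000",
     "OperationType": "SPCryptUnprotect", "CallerProcessID": 5100},
]


def _ts(event):
    """Parse the Sysmon-style UtcTime string into a datetime."""
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def wlanapi_loads(events, baseline=BASELINE_LOADERS):
    """The article's rule: Event ID 7, ImageLoaded is wlanapi.dll, Image not baselined."""
    hits = []
    for e in events:
        if e.get("Channel") != "Sysmon" or e.get("EventID") != 7:
            continue
        if not e["ImageLoaded"].lower().endswith("\\wlanapi.dll"):
            continue
        if e["Image"].lower() in baseline:
            continue  # known legitimate loader, suppress
        hits.append(e)
    return hits


def dpapi_unprotects(events):
    """Crypto-DPAPI Event ID 16385 records for unprotect operations (noisy alone)."""
    return [e for e in events
            if e.get("EventID") == 16385 and e.get("OperationType") == "SPCryptUnprotect"]


def correlate(events, baseline=BASELINE_LOADERS, window=timedelta(seconds=60)):
    """Higher-confidence alert: the same PID loads wlanapi.dll and then calls
    DPAPI unprotect within `window`. PIDs are reused by Windows, so a real
    pipeline should key on ProcessGuid / process start time where available."""
    unprotects = dpapi_unprotects(events)
    alerts = []
    for load in wlanapi_loads(events, baseline):
        for unp in unprotects:
            if unp["CallerProcessID"] != load["ProcessId"]:
                continue
            delta = _ts(unp) - _ts(load)
            if timedelta(0) <= delta <= window:
                alerts.append({"pid": load["ProcessId"], "image": load["Image"],
                               "loaded_at": load["UtcTime"], "unprotect_at": unp["UtcTime"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} image={a['image']} "
              f"wlanapi.dll@{a['loaded_at']} unprotect@{a['unprotect_at']}")
```

Run stand-alone, the script flags only the `wifidump.exe` process: the `svchost.exe` load is suppressed by the baseline, and the PowerShell unprotect shows up in `dpapi_unprotects` but not in `correlate`, illustrating why the article recommends pairing 16385 with the caller process rather than alerting on it alone. Both rules depend on the telemetry being switched on as the table describes (Event ID 7 moved from exclude to include in the Sysmon config, and the Crypto-DPAPI operational log enabled).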
Read full article: https://detect.fyi/detecting-wifi-dumping-via-direct-winapi-calls-and-introduction-to-immutable-artifacts-8ad0661344c1
Disclaimer: The above summary has been generated by an AI language model