// question

On a Windows host, someone appears to have run a built-in network shell utility to list saved wireless network profiles and their passwords in clear text. Review the process creation logs to discover the exact command that was executed.

Reference KQL answer and model-by-model comparison.

53cf1903-0fa7-4177-ab14-f358ae809eec
question id
21/23
models correct
1
valid answer
91%
success rate
// reference answer

Human-validated correct answer for this question.

netsh wlan show profile * key=clear
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
"cmd.exe" /c netsh wlan show profile * key=clear
DeviceProcessEvents | where ProcessCommandLine has "netsh wlan"
pass213.01s0.0040
gpt-35-turbo
netsh wlan show profile * key=clear
DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where FileName contains 'netsh.exe'
| project ProcessCreationTime, InitiatingProcessCommandLine
pass14.09s0.0026
gpt-4-turbo-2024-04-09
netsh wlan show profile * key=clear
DeviceProcessEvents
| where ProcessCommandLine has 'netsh' and ProcessCommandLine has 'wlan' and (ProcessCommandLine has 'show' and ProcessCommandLine has 'profile')
| project DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated, InitiatingProcessCreationTime
pass112.54s0.0533
gpt-4.1
netsh wlan show profile * key=clear
DeviceProcessEvents
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has_all ("wlan", "show", "profile") and ProcessCommandLine has "key=clear"
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine
pass14.63s0.0113
gpt-4.1-finetuned
netsh wlan show profile * key=clear
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "Show" and InitiatingProcessCommandLine contains "clear" and InitiatingProcessFileName =~ "cmd.exe"
| project TimeGenerated, InitiatingProcessCommandLine, DeviceName
| sort by TimeGenerated desc
| take 100
pass315.89s0.0226
gpt-4.1-mini
netsh wlan show profile * key=clear
DeviceProcessEvents
| where ProcessCommandLine has "netsh wlan show profile" and ProcessCommandLine has "key=clear"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
pass13.18s0.0022
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0012
gpt-4o
no answer
no query generatedfail50.00s0.0583
gpt-5-high
netsh wlan show profile * key=clear
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "netsh.exe" or ProcessCommandLine has "netsh"
| extend cmd = tostring(ProcessCommandLine), lc = tolower(tostring(ProcessCommandLine))
| where lc has "wlan"
| where lc has "profile"  // matches profile or profiles
| where lc has_any ("show", "export")
| where lc contains "key=clear" or lc matches regex @"key\s*=\s*clear"
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, FolderPath, ProcessId, ProcessCreationTime, ProcessTokenElevation, ProcessIntegrityLevel, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessParentId,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by TimeGenerated desc
pass173.64s0.0495
gpt-5-mini-high
netsh wlan show profile * key=clear
// Detect netsh wlan show profile ... key=clear usage in process creation logs
let pattern = @"netsh\s+wlan\s+show\s+profile|key=clear"; 
// Search DeviceProcessEvents (recommended) and DeviceEvents for redundancy
DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d))..now())
| where isnotempty(ProcessCommandLine) or isnotempty(FileName)
| where tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern
| extend matched = iff(tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern, 1, 0)
| where matched == 1
| project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| union (
    DeviceEvents
    | where TimeGenerated between (startofday(ago(7d))..now())
    | where isnotempty(ProcessCommandLine) or isnotempty(FileName)
    | where tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern
    | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCreationTime=ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
)
| sort by TimeGenerated desc
| distinct DeviceName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, AccountDomain, TimeGenerated
| take 100
pass118.88s0.0054
gpt-5-mini-low
netsh wlan show profile * key=clear
// Find netsh wlan show profile(s) commands and explicit key=clear usage across DeviceProcessEvents and DeviceEvents
let netsh_pattern = @"\bnetsh\s+wlan\s+show\s+(profile|profiles)\b";
let keyclear_pattern = @"key\s*[:=]\s*clear|keyclear|key=clear";

// Primary: DeviceProcessEvents
let dpe = DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine matches regex netsh_pattern or ProcessCommandLine matches regex keyclear_pattern
| extend SourceTable = "DeviceProcessEvents", CommandLine = ProcessCommandLine
| project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, ProcessIntegrityLevel, CommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable;

// Fallback: DeviceEvents (check both process and initiating process commandlines)
let de = DeviceEvents
| where (isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine))
| extend CandidateCommand = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where CandidateCommand matches regex netsh_pattern or CandidateCommand matches regex keyclear_pattern
| extend SourceTable = "DeviceEvents", CommandLine = CandidateCommand
| project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, ProcessTokenElevation, CommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable;

// Union results, extract SSIDs and annotate matches
(dpe)
| union (de)
| extend MatchedNetsh = CommandLine matches regex netsh_pattern,
         MatchedKeyClear = CommandLine matches regex keyclear_pattern
| where MatchedNetsh or MatchedKeyClear
| extend SSIDs = extract_all('profile\\s+name\\s*=\\s*\"([^\"]+)\"', CommandLine)
| extend SSIDs = iif(array_length(SSIDs) > 0, strcat_array(SSIDs, ", "), "")
| project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, CommandLine, SSIDs, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable
| sort by TimeGenerated desc
| take 200
pass344.97s0.0107
gpt-5-mini-medium
netsh wlan show profile * key=clear
let keywords = dynamic(["netsh wlan","netsh wlan show profile","key=clear","show profile","wlan show profile","wlan show profiles","netsh.exe wlan","netsh.exe \"wlan\"","netsh wlan show","netsh.exe /c netsh wlan","/c netsh wlan","powershell.*netsh","cmd.exe.*netsh"]);

// Search DeviceProcessEvents (recommended) for process command lines
let procEvents = DeviceProcessEvents
| where TimeGenerated >= ago(30d)
| where isnotempty(ProcessCommandLine) or isnotempty(FileName)
| where FileName has_cs "netsh" or ProcessCommandLine has_cs "netsh" or ProcessCommandLine has_cs "wlan" or ProcessCommandLine has_cs "key=clear" or ProcessCommandLine has_cs "show profile"
| where FileName contains_cs "netsh" or ProcessCommandLine matches regex @"(?i)\bnetsh\b.*\bwlan\b|\bwlan\b.*\bshow\b.*\bprofile\b|key=clear"
| project TimeGenerated, DeviceName, DeviceId, AccountDomain = AccountDomain, AccountName = AccountName, InitiatingProcessAccountName, ProcessId, ProcessCommandLine, FileName, FolderPath, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ReportId, TenantId
;

// Also search DeviceEvents (covers process create logs elsewhere)
let devEvents = DeviceEvents
| where TimeGenerated >= ago(30d)
| where ActionType has_cs "ProcessCreated" or ProcessCommandLine has_cs "netsh" or ProcessCommandLine has_cs "wlan" or ProcessCommandLine has_cs "key=clear" or InitiatingProcessCommandLine has_cs "netsh"
| where ProcessCommandLine matches regex @"(?i)\bnetsh\b.*\bwlan\b|\bwlan\b.*\bshow\b.*\bprofile\b|key=clear"
| project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCommandLine, FileName, FolderPath, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ReportId, TenantId, ActionType
;

procEvents
| union devEvents
| extend Matched = iff(ProcessCommandLine has_cs "key=clear" or ProcessCommandLine has_cs "show profile" or ProcessCommandLine has_cs "wlan show", true, false)
| extend CommandLineLower = tolower(tostring(ProcessCommandLine))
| extend Trigger = case(CommandLineLower contains "key=clear", "key=clear",
                         CommandLineLower contains "show profile", "show profile",
                         CommandLineLower contains "wlan", "wlan",
                         CommandLineLower contains "netsh", "netsh",
                         "other")
| where Matched == true
| summarize arg_max(ProcessCreationTime, *) by ProcessId
| project ProcessCreationTime, TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, FileName, FolderPath, ProcessCommandLine, Trigger, ReportId, TenantId
| order by ProcessCreationTime desc
| take 100
pass131.92s0.0051
gpt-5-nano-high
"cmd.exe" /c netsh wlan show profile * key=clear
let StartTime = ago(24h);
DeviceProcessEvents
| where TimeGenerated between (StartTime .. now())
| extend CmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| where CmdLine has "netsh" and CmdLine has "wlan"
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessSessionId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, CmdLine
| sort by TimeGenerated desc
pass149.50s0.0029
gpt-5-nano-medium
"cmd.exe" /c netsh wlan show profile * key=clear
DeviceProcessEvents
| where isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine)
| extend Cmd = iif(isnotempty(InitiatingProcessCommandLine), InitiatingProcessCommandLine, ProcessCommandLine)
| extend CmdFile = iif(isnotempty(InitiatingProcessFileName), InitiatingProcessFileName, FileName)
| where tolower(Cmd) contains "netsh"
| where tolower(Cmd) contains "wlan" and (tolower(Cmd) contains "show profile" or tolower(Cmd) contains "show profiles")
| where tolower(Cmd) contains "key=clear"
| project TimeGenerated, Cmd, CmdFile, InitiatingProcessCreationTime, InitiatingProcessId, ProcessId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessSessionId, ProcessCreationTime, DeviceName, AccountName
| order by TimeGenerated desc
pass132.39s0.0027
grok-3-beta
netsh
DeviceProcessEvents
| where ProcessCommandLine matches regex '(?i)netsh.*wlan.*show.*profile.*key.*clear'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessAccountName, ProcessId, InitiatingProcessId
| order by Timestamp desc
pass331.57s0.0551
grok-3-mini-beta
netsh wlan show profile * key=clear
DeviceProcessEvents
| where FileName == 'netsh.exe'
| where ProcessCommandLine contains 'wlan' and ProcessCommandLine contains 'show profile' and ProcessCommandLine contains 'key=clear'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
| limit 100
pass118.24s0.0016
o1-high
netsh_wlan_show_profile_*_key=clear
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has_all ("wlan", "show", "profile", "key=clear")
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine
| order by TimeGenerated desc
pass135.71s0.2467
o1-low
netsh wlan show profile * key=clear
DeviceProcessEvents
| where FileName =~ "netsh.exe" or InitiatingProcessFileName =~ "netsh.exe" or ProcessCommandLine has "netsh" or InitiatingProcessCommandLine has "netsh"
| where (ProcessCommandLine has_all ("wlan", "show", "profile") or InitiatingProcessCommandLine has_all ("wlan", "show", "profile"))
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass141.56s0.2477
o3-high
netsh wlan show profile * key=clear
// Detect execution of netsh.exe used to dump Wi-Fi profiles including clear-text keys
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// netsh.exe itself
| where FileName =~ "netsh.exe"
// Netsh WLAN context
| where ProcessCommandLine has "wlan"
// Looking for either "show profile" or "export profile" usage
| where (ProcessCommandLine has "show" or ProcessCommandLine has "export")
| where ProcessCommandLine has "profile"
// Passwords are only revealed when the "key=clear" (or "key clear") switch is used
| where ProcessCommandLine has "key=clear" or ProcessCommandLine has "key clear"
// Optional: surface what flavour of command we observed
| extend NetshCommandType = case(ProcessCommandLine has "export", "Export profile", ProcessCommandLine has "show", "Show profile", "Other")
| project TimeGenerated,
          DeviceName,
          DeviceId,
          AccountDomain,
          AccountName,
          ProcessCommandLine,
          NetshCommandType,
          InitiatingProcessAccountDomain,
          InitiatingProcessAccountName,
          InitiatingProcessCommandLine,
          FolderPath,
          SHA256,
          ReportId
| order by TimeGenerated desc
pass255.43s0.0325
o3-mini-high
netsh wlan show profile * key=clear
DeviceProcessEvents
| where FileName has "netsh.exe"
| where ProcessCommandLine contains "wlan show profile" and ProcessCommandLine contains "key=clear"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime
pass113.32s0.0095
o3-mini-low
netsh
DeviceProcessEvents
| where InitiatingProcessCommandLine has "netsh" 
  and InitiatingProcessCommandLine has "wlan" 
  and InitiatingProcessCommandLine has "key=clear"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessId
| order by TimeGenerated desc
pass111.79s0.0116
o4-mini-high
netsh wlan show profile * key=clear
DeviceProcessEvents
| where FileName == "netsh.exe"
| where ProcessCommandLine has "wlan" and ProcessCommandLine has "show" and ProcessCommandLine has "profile"
| where ProcessCommandLine has "key=clear"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessId, ProcessCommandLine
| sort by TimeGenerated desc
pass139.72s0.0149
o4-mini-low
netsh wlan show profile * key=clear
DeviceProcessEvents
| where tolower(FileName) == "netsh.exe"
| where tolower(ProcessCommandLine) contains "wlan show profile"
    and tolower(ProcessCommandLine) contains "key=clear"
| project ProcessCreationTime, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
pass130.85s0.0094