On a Windows host, someone appears to have run a built-in network shell utility to list saved wireless network profiles and their passwords in clear text. Review the process creation logs to discover the exact command that was executed.

DeviceProcessEvents | where ProcessCommandLine has "netsh wlan"

DeviceProcessEvents | where ActionType == 'ProcessCreated' | where FileName contains 'netsh.exe' | project ProcessCreationTime, InitiatingProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine has 'netsh' and ProcessCommandLine has 'wlan' and (ProcessCommandLine has 'show' and ProcessCommandLine has 'profile') | project DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated, InitiatingProcessCreationTime

DeviceProcessEvents | where FileName =~ "netsh.exe" | where ProcessCommandLine has_all ("wlan", "show", "profile") and ProcessCommandLine has "key=clear" | project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine

DeviceProcessEvents | where InitiatingProcessCommandLine contains "Show" and InitiatingProcessCommandLine contains "clear" and InitiatingProcessFileName =~ "cmd.exe" | project TimeGenerated, InitiatingProcessCommandLine, DeviceName | sort by TimeGenerated desc | take 100

DeviceProcessEvents | where ProcessCommandLine has "netsh wlan show profile" and ProcessCommandLine has "key=clear" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "netsh.exe" or ProcessCommandLine has "netsh" | extend cmd = tostring(ProcessCommandLine), lc = tolower(tostring(ProcessCommandLine)) | where lc has "wlan" | where lc has "profile" // matches profile or profiles | where lc has_any ("show", "export") | where lc contains "key=clear" or lc matches regex @"key\s*=\s*clear" | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, FolderPath, ProcessId, ProcessCreationTime, ProcessTokenElevation, ProcessIntegrityLevel, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName | order by TimeGenerated desc

// Detect netsh wlan show profile ... key=clear usage in process creation logs let pattern = @"netsh\s+wlan\s+show\s+profile|key=clear"; // Search DeviceProcessEvents (recommended) and DeviceEvents for redundancy DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d))..now()) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern | extend matched = iff(tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern, 1, 0) | where matched == 1 | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId | union ( DeviceEvents | where TimeGenerated between (startofday(ago(7d))..now()) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where tolower(FileName) contains "netsh" or tolower(ProcessCommandLine) matches regex pattern | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCreationTime=ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId ) | sort by TimeGenerated desc | distinct DeviceName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, AccountDomain, TimeGenerated | take 100

// Find netsh wlan show profile(s) commands and explicit key=clear usage across DeviceProcessEvents and DeviceEvents let netsh_pattern = @"\bnetsh\s+wlan\s+show\s+(profile|profiles)\b"; let keyclear_pattern = @"key\s*[:=]\s*clear|keyclear|key=clear"; // Primary: DeviceProcessEvents let dpe = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where ProcessCommandLine matches regex netsh_pattern or ProcessCommandLine matches regex keyclear_pattern | extend SourceTable = "DeviceProcessEvents", CommandLine = ProcessCommandLine | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, ProcessIntegrityLevel, CommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable; // Fallback: DeviceEvents (check both process and initiating process commandlines) let de = DeviceEvents | where (isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine)) | extend CandidateCommand = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where CandidateCommand matches regex netsh_pattern or CandidateCommand matches regex keyclear_pattern | extend SourceTable = "DeviceEvents", CommandLine = CandidateCommand | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, ProcessTokenElevation, CommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable; // Union results, extract SSIDs and annotate matches (dpe) | union (de) | extend MatchedNetsh = CommandLine matches regex netsh_pattern, MatchedKeyClear = CommandLine matches regex keyclear_pattern | where MatchedNetsh or MatchedKeyClear | extend SSIDs = extract_all('profile\\s+name\\s*=\\s*\"([^\"]+)\"', CommandLine) | extend SSIDs = iif(array_length(SSIDs) > 0, strcat_array(SSIDs, ", "), "") | project TimeGenerated, Timestamp, DeviceName, DeviceId, AccountName, AccountDomain, LogonId, ProcessId, ProcessCreationTime, FileName, FolderPath, CommandLine, SSIDs, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable | sort by TimeGenerated desc | take 200

let keywords = dynamic(["netsh wlan","netsh wlan show profile","key=clear","show profile","wlan show profile","wlan show profiles","netsh.exe wlan","netsh.exe \"wlan\"","netsh wlan show","netsh.exe /c netsh wlan","/c netsh wlan","powershell.*netsh","cmd.exe.*netsh"]); // Search DeviceProcessEvents (recommended) for process command lines let procEvents = DeviceProcessEvents | where TimeGenerated >= ago(30d) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where FileName has_cs "netsh" or ProcessCommandLine has_cs "netsh" or ProcessCommandLine has_cs "wlan" or ProcessCommandLine has_cs "key=clear" or ProcessCommandLine has_cs "show profile" | where FileName contains_cs "netsh" or ProcessCommandLine matches regex @"(?i)\bnetsh\b.*\bwlan\b|\bwlan\b.*\bshow\b.*\bprofile\b|key=clear" | project TimeGenerated, DeviceName, DeviceId, AccountDomain = AccountDomain, AccountName = AccountName, InitiatingProcessAccountName, ProcessId, ProcessCommandLine, FileName, FolderPath, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ReportId, TenantId ; // Also search DeviceEvents (covers process create logs elsewhere) let devEvents = DeviceEvents | where TimeGenerated >= ago(30d) | where ActionType has_cs "ProcessCreated" or ProcessCommandLine has_cs "netsh" or ProcessCommandLine has_cs "wlan" or ProcessCommandLine has_cs "key=clear" or InitiatingProcessCommandLine has_cs "netsh" | where ProcessCommandLine matches regex @"(?i)\bnetsh\b.*\bwlan\b|\bwlan\b.*\bshow\b.*\bprofile\b|key=clear" | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, ProcessId, ProcessCommandLine, FileName, FolderPath, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ReportId, TenantId, ActionType ; procEvents | union devEvents | extend Matched = iff(ProcessCommandLine has_cs "key=clear" or ProcessCommandLine has_cs "show profile" or ProcessCommandLine has_cs "wlan show", true, false) | extend CommandLineLower = tolower(tostring(ProcessCommandLine)) | extend Trigger = case(CommandLineLower contains "key=clear", "key=clear", CommandLineLower contains "show profile", "show profile", CommandLineLower contains "wlan", "wlan", CommandLineLower contains "netsh", "netsh", "other") | where Matched == true | summarize arg_max(ProcessCreationTime, *) by ProcessId | project ProcessCreationTime, TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, FileName, FolderPath, ProcessCommandLine, Trigger, ReportId, TenantId | order by ProcessCreationTime desc | take 100

let StartTime = ago(24h); DeviceProcessEvents | where TimeGenerated between (StartTime .. now()) | extend CmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | where CmdLine has "netsh" and CmdLine has "wlan" | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessSessionId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, CmdLine | sort by TimeGenerated desc

DeviceProcessEvents | where isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine) | extend Cmd = iif(isnotempty(InitiatingProcessCommandLine), InitiatingProcessCommandLine, ProcessCommandLine) | extend CmdFile = iif(isnotempty(InitiatingProcessFileName), InitiatingProcessFileName, FileName) | where tolower(Cmd) contains "netsh" | where tolower(Cmd) contains "wlan" and (tolower(Cmd) contains "show profile" or tolower(Cmd) contains "show profiles") | where tolower(Cmd) contains "key=clear" | project TimeGenerated, Cmd, CmdFile, InitiatingProcessCreationTime, InitiatingProcessId, ProcessId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessSessionId, ProcessCreationTime, DeviceName, AccountName | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine matches regex '(?i)netsh.*wlan.*show.*profile.*key.*clear' | project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessAccountName, ProcessId, InitiatingProcessId | order by Timestamp desc

DeviceProcessEvents | where FileName == 'netsh.exe' | where ProcessCommandLine contains 'wlan' and ProcessCommandLine contains 'show profile' and ProcessCommandLine contains 'key=clear' | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc | limit 100

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "netsh.exe" | where ProcessCommandLine has_all ("wlan", "show", "profile", "key=clear") | project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "netsh.exe" or InitiatingProcessFileName =~ "netsh.exe" or ProcessCommandLine has "netsh" or InitiatingProcessCommandLine has "netsh" | where (ProcessCommandLine has_all ("wlan", "show", "profile") or InitiatingProcessCommandLine has_all ("wlan", "show", "profile")) | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

// Detect execution of netsh.exe used to dump Wi-Fi profiles including clear-text keys DeviceProcessEvents | where ActionType == "ProcessCreated" // netsh.exe itself | where FileName =~ "netsh.exe" // Netsh WLAN context | where ProcessCommandLine has "wlan" // Looking for either "show profile" or "export profile" usage | where (ProcessCommandLine has "show" or ProcessCommandLine has "export") | where ProcessCommandLine has "profile" // Passwords are only revealed when the "key=clear" (or "key clear") switch is used | where ProcessCommandLine has "key=clear" or ProcessCommandLine has "key clear" // Optional: surface what flavour of command we observed | extend NetshCommandType = case(ProcessCommandLine has "export", "Export profile", ProcessCommandLine has "show", "Show profile", "Other") | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, ProcessCommandLine, NetshCommandType, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, SHA256, ReportId | order by TimeGenerated desc

DeviceProcessEvents | where FileName has "netsh.exe" | where ProcessCommandLine contains "wlan show profile" and ProcessCommandLine contains "key=clear" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime

DeviceProcessEvents | where InitiatingProcessCommandLine has "netsh" and InitiatingProcessCommandLine has "wlan" and InitiatingProcessCommandLine has "key=clear" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessId | order by TimeGenerated desc

DeviceProcessEvents | where FileName == "netsh.exe" | where ProcessCommandLine has "wlan" and ProcessCommandLine has "show" and ProcessCommandLine has "profile" | where ProcessCommandLine has "key=clear" | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessId, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where tolower(FileName) == "netsh.exe" | where tolower(ProcessCommandLine) contains "wlan show profile" and tolower(ProcessCommandLine) contains "key=clear" | project ProcessCreationTime, DeviceName, InitiatingProcessAccountName, ProcessCommandLine