WLAN credential exposure mitigation
Playbook Description
This playbook fetches the process execution flow, checks for netsh usage, and removes malicious DNS cache entries. It also retrieves and deletes leaked Wi-Fi profiles, checks IP reputation, and blocks malicious IPs. It helps remediate the incident by disabling compromised accounts, terminating processes, and isolating the affected hosts.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Discovery(TA0007) | System Network Configuration Discovery(T1016) | Wi-Fi Discovery(T1016.002) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Detect(D3-Detect) | Network Traffic Analysis(D3-NTA) | DNS Traffic Analysis(D3-DNSTA) |
Playbook input type
Alert
Prerequisites
- Windows Credentials - Go to Settings -> Devices -> Windows Devices.
- Provide/update the credentials of the respective Windows device with admin privileges.
Playbook creation input
- connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs
Dependencies
Extensions - VirusTotal
- virustotal_ipReputation
- virustotal_calculateRiskScore
Utility functions:
- utility_convertTimeToUTC
- utility_getRequiredTime
- utility_convertToString
- windows_detectMaliciousProcessChain
- utility_extractMaliciousEntitiesByRiskScore
- utility_extractFieldFromList
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| FetchHostEntries.ps1 | Retrieves DNS client cache entries, filters out private/local addresses, and resolves public DNS entries | - |
| ClearDNSCache.ps1 | Flushes the DNS client cache using ipconfig /flushdns, ensuring the DNS Client service is running first | - |
| TerminateSession.ps1 | Logs off one or more user sessions using logoff, with optional RDP-only filtering by remote IP | UserNames |
| FetchPersistenceEntries.ps1 | Scans for persistence mechanisms including scheduled tasks, registry Run/RunOnce keys, startup folder entries, and services to identify potential malicious persistence | - |
| FetchAndRemoveProcess.ps1 | Scans temporary directories for suspicious script files (.ps1, .bat, .vbs) containing credential-related keywords, kills any processes running those scripts, and deletes the files | AdditionalKeywords |
| GetExternalConnections.ps1 | Lists all established non-loopback TCP connections with their local/remote addresses, ports and PIDs, plus a summary of unique remote IPs. | - |
| BlockIP.ps1 | Creates or updates Windows Firewall rules to block network traffic to/from one or more IP addresses. Uses consolidated rules (SOAR_AutoBlock_IP_Inbound / SOAR_AutoBlock_IP_Outbound); new IPs are merged into an existing rule rather than creating a rule per IP. Validates IP format, checks firewall profile status, and reports per-IP results. | IpString, Direction |
| FetchWifiProfile.ps1 | Retrieves currently connected Wi-Fi interface names and SSIDs using netsh wlan show interfaces | - |
| DeleteWifiProfile.ps1 | Deletes one or more saved Wi-Fi profiles by SSID using netsh wlan delete profile | WifiSSID |
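As an added example (not the playbook's own BlockIP.ps1), the consolidated-rule behaviour the table describes for BlockIP.ps1 can be implemented like this. The two rule names are the ones from the table; the parameter names, the IPv4-only validation and the shape of the per-IP result objects are assumptions.

```powershell
param(
    [Parameter(Mandatory)][string]$IpString,   # comma-separated IPs, e.g. "203.0.113.10,198.51.100.7"
    [ValidateSet('Inbound','Outbound','Both')][string]$Direction = 'Both'
)

# Accept only well-formed IPv4 addresses; anything else is reported, not blocked (assumption).
function Test-IPv4Address([string]$Ip) {
    $parsed = $null
    [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed) -and
        $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
}

# One consolidated rule per direction (names as on the page): merge new IPs into the
# existing rule's RemoteAddress list instead of creating one rule per IP.
function Add-IpToConsolidatedRule([string[]]$NewIps, [string]$RuleDirection) {
    $ruleName = "SOAR_AutoBlock_IP_$RuleDirection"
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($rule) {
        $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
        $merged   = @($existing + $NewIps) | Sort-Object -Unique
        $rule | Set-NetFirewallRule -RemoteAddress $merged
    } else {
        New-NetFirewallRule -DisplayName $ruleName -Direction $RuleDirection -Action Block `
            -RemoteAddress $NewIps -Profile Any -Enabled True | Out-Null
    }
    $ruleName
}

# Firewall profile status check: a block rule has no effect on a profile that is disabled.
$disabledProfiles = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
if ($disabledProfiles) { Write-Warning "Firewall disabled for profile(s): $($disabledProfiles -join ', ')" }

$ips     = @($IpString -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
$valid   = @($ips | Where-Object { Test-IPv4Address $_ })
$invalid = @($ips | Where-Object { -not (Test-IPv4Address $_) })
$directions = if ($Direction -eq 'Both') { 'Inbound','Outbound' } else { @($Direction) }

$rulesTouched = @()
if ($valid.Count -gt 0) {
    foreach ($d in $directions) { $rulesTouched += Add-IpToConsolidatedRule $valid $d }
}

# Per-IP result objects for downstream playbook steps (validation, notification mail).
$valid   | ForEach-Object { [pscustomobject]@{ IP = $_; Status = 'Blocked';       Rules = ($rulesTouched -join ';') } }
$invalid | ForEach-Object { [pscustomobject]@{ IP = $_; Status = 'InvalidFormat'; Rules = '' } }
```

Run it from an elevated PowerShell session; the NetSecurity cmdlets require administrator rights, which matches the Windows-credential prerequisite above.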
Connections
VirusTotal connection - Connect to the VirusTotal API and obtain an access key so the playbook can check IP/URL/file reputation details.
Execution workflow
Investigation:
- Fetches the netsh execution flow.
- Checks the malicious execution flow.
- Fetches the malicious DNS cache.
- Checks the IP reputation in batch.
- Calculates the risk score in batch.
- Identifies malicious entities based on their risk scores.
Decision logic:
- Proceeds to remediation based on the following conditions:
  - Malicious IP addresses were identified.
  - A malicious execution flow was detected in the process tree.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Clears malicious DNS cache.
- Terminates the user session.
- Fetches and removes scheduled process.
- Fetches and removes malicious process.
- Fetches the external Connection details.
- Checks the external IP reputation in batch.
- Checks the IP risk score in batch.
- Identifies malicious entities based on their risk scores.
- Checks whether the IP is malicious.
- Blocks remote IPs.
- Pass IP handling.
- Fetches the WiFi names.
- Fetches the WiFi Profile Names.
- Deletes the WiFi names.
- Validates that all remediation actions are completed successfully.
- Builds the mail subject.
- Builds the notification email with the analysis results.
- Sends a notification email regarding the actions taken and required next steps.
Post execution procedure
- Verify that all leaked WiFi profiles have been deleted from the affected endpoint.
- Rotate WiFi passwords for all exposed wireless networks.
- Review all blocked IP addresses to ensure no legitimate traffic was affected.
- Investigate whether exfiltrated credentials were used to access wireless networks.
- Audit other endpoints for similar netsh-based credential harvesting attempts.
- Consider enforcing enterprise WiFi authentication (802.1X) to reduce credential exposure risk.