Try it using Invoke-Atomic

System Network Configuration Discovery: Wi-Fi Discovery

Description from ATT&CK

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns.

Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through 

1

netsh wlan show profiles
to enumerate Wi-Fi names and then 
1

netsh wlan show profile “Wi-Fi name” key=clear
to show a Wi-Fi network’s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to 
1

wlanAPI.dll
Native API functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)

On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/

1

.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with
security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)

Atomic Tests

Atomic Test #1 - Enumerate Stored Wi-Fi Profiles And Passwords via netsh

Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).

Supported Platforms: windows

auto_generated_guid: 53cf1903-0fa7-4177-ab14-f358ae809eec

Inputs:

None

Attack Commands: Run with command_prompt!

1

netsh wlan show profile * key=clear

source