This note documents detection patterns related to Wi-Fi Activity / Wireless Network Forensics within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| WLAN-AutoConfig | 8001 | Connected to wireless network | Critical | Strongest direct Wi-Fi association evidence. |
| WLAN-AutoConfig | 8003 | Disconnected from wireless network | High | Defines session end. |
| WLAN-AutoConfig | 11000 | Wireless service started | Medium | WLAN subsystem initialized. |
| WLAN-AutoConfig | 11001 | Wireless service stopped | Medium | Service interruption or shutdown. |
| WLAN-AutoConfig | 11004 | Wireless connection attempt | Critical | Shows target SSID before success/failure. |
| WLAN-AutoConfig | 11005 | Wireless connection success | Critical | Confirms successful association. |
| WLAN-AutoConfig | 11006 | Wireless connection failure | High | Failed join attempt, wrong key or unavailable AP. |
| WLAN-AutoConfig | 12011 | Security/authentication failure | High | Wrong credentials / auth mismatch. |
| Security | 4624 | Logon after wireless join | Medium | Correlates user activity after association. |
| Sysmon | 3 | Network connection | High | Traffic after wireless association. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| New SSID appears | Unknown profile created | Critical | May indicate travel, rogue AP, hotspot use. |
| Frequent connect/disconnect | Unstable signal / roaming / attack simulation | High | Useful for movement reconstruction. |
| Hidden SSID profile | Non-broadcast wireless target | High | Often enterprise or manually added network. |
| Sudden profile deletion | Missing expected network | High | Potential anti-forensics. |
| Same SSID across locations | Public network reuse | Medium | Needs BSSID correlation. |
| Wireless before suspicious activity | Attack staging | Critical | Often precedes exfil or remote ops. |
| Temporary hotspot usage | Mobile tethering | High | Very common during covert movement. |
Common Tools
| Tool | Usage |
|---|---|
| netsh wlan show profiles | Enumerate saved wireless profiles |
| netsh wlan show interfaces | Current adapter state |
| netsh wlan show profile name="SSID" key=clear | Extract stored credentials |
| Registry Explorer | Wireless profile registry analysis |
| Event Viewer | WLAN-AutoConfig logs |
| Wireshark | Wireless traffic if capture exists |
| KAPE | Wireless artifact collection |
| EvtxECmd | WLAN log parsing |
Relevant Artifacts
- Event Log:
  - Applications and Services Logs → Microsoft → Windows → WLAN-AutoConfig → Operational
- Registry:
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
  - HKLM\SOFTWARE\Microsoft\WcmSvc\Profiles
- Wireless Profiles:
  - C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{GUID}\*.xml
- XML profile files contain:
  - SSID
  - Authentication type
  - Encryption type
  - Connection mode
- Registry Explorer keys:
  - NetworkList
  - NetworkCards
- Additional:
  - SRUM network usage
  - DHCP lease evidence: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
  - ARP cache correlation
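To show how the fields listed above can be pulled out of a saved profile for review, here is an added Python example (not part of this note; the sample profile is constructed, and the triage flags are an assumed mapping of the indirect indicators above):

```python
import xml.etree.ElementTree as ET

# XML namespace of Windows WLAN profile files.
NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# Constructed sample (not from a real host), shaped like the files under
# C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{GUID}\
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Hotel_Guest</name>
  <SSIDConfig>
    <SSID><hex>486F74656C5F4775657374</hex><name>Hotel_Guest</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>open</authentication>
    <encryption>none</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

def parse_wlan_profile(xml_text):
    """Extract the fields the note lists: SSID, authentication, encryption, connection mode."""
    root = ET.fromstring(xml_text)
    def text(path, default=""):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else default
    sec = "p:MSM/p:security/p:authEncryption/"
    ssid_hex = text("p:SSIDConfig/p:SSID/p:hex")
    return {
        "name": text("p:name"),
        # <hex> is the authoritative SSID; decode it rather than trusting <name>.
        "ssid": bytes.fromhex(ssid_hex).decode("utf-8", "replace"),
        "hidden": text("p:SSIDConfig/p:nonBroadcast", "false") == "true",
        "connection_mode": text("p:connectionMode"),
        "authentication": text(sec + "p:authentication"),
        "encryption": text(sec + "p:encryption"),
    }

def review_flags(profile):
    """Triage flags matching the indirect indicators above: hidden SSID, auto-join, weak auth."""
    flags = []
    if profile["hidden"]:
        flags.append("hidden-ssid")
    if profile["connection_mode"] == "auto":
        flags.append("auto-connect")
    if profile["authentication"].lower() in ("open", "shared", "wep"):
        flags.append("weak-auth")
    return flags
```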
Registry Interpretation
| Registry Area | Usage | Forensic Value | Notes |
|---|---|---|---|
| NetworkList\Profiles | Known networks | Critical | SSID, first/last seen timestamps |
| Signatures\Managed | Domain / enterprise wireless | High | Controlled environments |
| Signatures\Unmanaged | Personal / public Wi-Fi | Critical | Travel / hotspot evidence |
| NetworkCards | Adapter identity | Medium | Physical wireless adapter attribution |
MITRE ATT&CK References
- T1016 System Network Configuration Discovery
- T1021 Remote Services
- T1049 System Network Connections Discovery
Decision Tree
- Was wireless used?
  - WLAN events present?
  - Profile exists?
- Which SSID?
  - Known corporate?
  - Public?
  - Hotspot?
- When first seen?
  - Registry timestamp
  - Event timestamp
- Successful connection?
  - 11005 / 8001
- Follow-up activity?
  - DHCP
  - DNS
  - Browser
  - Lateral movement
- Scope:
  - Single AP
  - Multiple APs
  - Movement pattern
Example Detection Templates
KQL
```kusto
Event
| where EventLog == "Microsoft-Windows-WLAN-AutoConfig/Operational"
| where EventID in (8001, 8003, 11004, 11005, 11006)
| project TimeGenerated, Computer, EventID, RenderedDescription
```
EQL
```eql
any where event.code == "8001"

sequence by host.name with maxspan=10m
  [ any where event.code == "11004" ]
  [ any where event.code == "11005" ]
```
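The 11004 → 11005 sequence from the EQL above, plus the "new SSID appears" indirect indicator, implemented over constructed sample records as an added Python example (not from this note; the host names, timestamps and the known-SSID baseline are assumed):

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=10)
KNOWN_SSIDS = {"CorpWiFi"}  # assumed corporate baseline

# Constructed WLAN-AutoConfig/Operational records (not real logs): time, host, EventID, SSID.
EVENTS = [
    ("2026-03-10T08:00:05", "LAPTOP-01", 11004, "CorpWiFi"),
    ("2026-03-10T08:00:07", "LAPTOP-01", 11005, "CorpWiFi"),
    ("2026-03-10T12:45:00", "LAPTOP-01", 11004, "FreeAirportWiFi"),
    ("2026-03-10T12:45:02", "LAPTOP-01", 11006, "FreeAirportWiFi"),
    ("2026-03-10T13:10:00", "LAPTOP-01", 11004, "iPhone_Hotspot"),
    ("2026-03-10T13:10:03", "LAPTOP-01", 11005, "iPhone_Hotspot"),
    ("2026-03-10T13:10:04", "LAPTOP-01", 8001, "iPhone_Hotspot"),
    ("2026-03-10T13:40:00", "LAPTOP-02", 11004, "CorpWiFi"),
    ("2026-03-10T13:55:00", "LAPTOP-02", 11005, "CorpWiFi"),  # 15 min later: outside maxspan
]

def _ordered(events):
    """Parse timestamps and sort so the sequence logic sees events in time order."""
    return sorted((datetime.fromisoformat(t), h, eid, s) for t, h, eid, s in events)

def successful_joins(events, maxspan=MAXSPAN):
    """Pair each 11004 attempt with the next 11005 success on the same host and SSID
    within maxspan: the EQL sequence above, with the SSID as an extra guard."""
    pending, joins = {}, []
    for ts, host, eid, ssid in _ordered(events):
        key = (host, ssid)
        if eid == 11004:
            pending[key] = ts  # a newer attempt supersedes an older one
        elif eid == 11005 and key in pending:
            started = pending.pop(key)
            if ts - started <= maxspan:
                joins.append((host, ssid, started, ts))
    return joins

def unknown_ssids(events, known=KNOWN_SSIDS):
    """First time each SSID outside the baseline was attempted or joined, per host."""
    first = {}
    for ts, host, eid, ssid in _ordered(events):
        if ssid not in known and eid in (8001, 11004, 11005):
            first.setdefault((host, ssid), ts)
    return first
```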
Sigma
```yaml
title: Wireless Network Association Detected
id: 7d3f2b22-wifi-association
status: experimental
description: Detects wireless network association events
author: Vergil
date: 2026-03-10
logsource:
  product: windows
  service: wlan-autoconfig
detection:
  selection:
    EventID:
      - 8001
      - 11005
  condition: selection
fields:
  - EventID
  - Computer
falsepositives:
  - Normal roaming
level: medium
tags:
  - attack.discovery
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| WLAN logging | Keep WLAN Operational enabled | Critical | Primary wireless visibility |
| Profile auditing | Review saved profiles regularly | High | Detect rogue APs |
| Disable auto-connect | Prevent unintended joins | High | Limits rogue SSID abuse |
| WPA3 / enterprise auth | Strong wireless security | Critical | Credential protection |
| Monitor new SSIDs | Alert on unknown profiles | Critical | Strong movement signal |
Investigator Notes
- NetworkList timestamps often survive longer than logs.
- XML wireless profiles frequently outlive event retention.
- Public hotspot evidence often explains lateral movement context.
- Hidden SSIDs deserve immediate scrutiny.
- Wireless artifacts become extremely valuable in laptop investigations.