Investigating Wireless Hotspotting Activity In Windows
Windows 10 "Anniversary Update" (version 1607) introduced a built-in Mobile Hotspot feature. This allows users to turn their computers into Wi-Fi hotspots. The same can be achieved with third-party software, and the underlying "hosted network" capability (netsh wlan ... hostednetwork) and the events it generates predate the Anniversary Update, so the artefacts below are relevant on older builds as well.
While some may use this for convenience (for example, reducing mobile data usage by piggybacking on corporate internet, which may itself be a breach of IT policy), an insider can use it to extend their access to the corporate network to devices that IT does not manage. Many companies do not disable the Wi-Fi hotspot feature by default. The following data points are useful when investigating incidents related to Wi-Fi.
Data Sources
- Microsoft-Windows-WLAN-AutoConfig/Operational event log
- SYSTEM registry hive
- SRUM (System Resource Usage Monitor)
Event IDs of interest in the Microsoft-Windows-WLAN-AutoConfig/Operational event log are listed below. In Event Viewer this log sits under Applications and Services Logs > Microsoft > Windows > WLAN-AutoConfig > Operational; on disk it is %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx. The log is available from Windows 7 onwards. Ingesting it into a timeline will show you:
- when a hotspot is activated or deactivated
- when a wireless client connects to or disconnects from the hotspot
- which Wi-Fi access points the host itself connects to
- 8001 - "WLAN AutoConfig service has successfully connected to a wireless network". Read this together with event ID 11001 "Wireless network association succeeded". It provides context such as the SSID, the interface and whether the connection was made manually or automatically from a saved profile (the Connection Mode field).
- 8003 - "WLAN AutoConfig service has successfully disconnected from a wireless network". SSID and Interface GUID are available in event fields.
- 8005 - "WLAN AutoConfig service has begun starting the hosted network". This is an indicator of a Wi-Fi hotspot being initiated. You should read this with event ID 8006 "Finished starting the hosted network".
- 8006 - "WLAN AutoConfig service has finished starting the hosted network". This event provides SSID and Network Interface GUID.
- 20019 - "A client has associated with the hosted network". This indicates that a wireless client initiated a connection to the Wi-Fi hotspot. Event ID 20020 "A client has successfully authenticated with the hosted network" should be read with this to confirm that the connection was established. These events provide the hosted Wi-Fi hotspot SSID, Network Interface GUID, and the Local and Peer MAC addresses. You can look up the adapter vendor from the OUI (the first three octets) of the peer MAC address at https://macvendors.com. Bear in mind that modern mobile devices randomise their MAC address per network, so the peer MAC may resolve to no vendor and may not stay constant between visits.
- 8008 - "WLAN AutoConfig has begun to stop the hosted network". This event provides SSID and Network Interface GUID.
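As an added worked example (not code from the original post), the following Python script turns records exported from this log into the timeline described above: it sorts events by TimeCreated, opens a hotspot session on 8006 and closes it on 8008, pairs each 20019 association with the 20020 authentication for the same peer MAC, and derives the OUI used for the vendor lookup. The sample records are constructed fixtures, and the EventData field names it reads (SSID, InterfaceGuid, LocalMac, PeerMac, ConnectionMode) are assumptions about the export format rather than a verified schema, so check them against your own export before relying on the output.

```python
# Added example (not from the original post): rebuild a hotspot timeline from
# Microsoft-Windows-WLAN-AutoConfig/Operational events exported as XML, e.g. with
#   Get-WinEvent -LogName 'Microsoft-Windows-WLAN-AutoConfig/Operational' | % { $_.ToXml() }
# The records below are constructed fixtures, and the EventData field names
# (SSID, InterfaceGuid, PeerMac, LocalMac, ConnectionMode) are assumptions: adjust
# the keys to match what your own export contains.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs discussed in the post and the meaning assigned to each.
EVENT_LABELS = {
    8001: "connected to wireless network",
    8003: "disconnected from wireless network",
    8005: "hosted network starting",
    8006: "hosted network started",
    8008: "hosted network stopping",
    20019: "client associated with hosted network",
    20020: "client authenticated with hosted network",
}

def parse_systemtime(ts):
    """Parse TimeCreated/@SystemTime. Windows writes up to 7 fractional digits; datetime takes 6."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z?", ts)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    return base.replace(microsecond=int(frac), tzinfo=timezone.utc)

def parse_event(xml_text):
    """Return {"time", "id", "data"} for one exported event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
        "id": int(system.find("e:EventID", NS).text),
        "data": {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)},
    }

def oui(mac):
    """First three octets of a MAC, normalised: the key for a vendor (OUI) lookup."""
    return mac.upper().replace("-", ":")[:8]

def build_timeline(xml_records):
    """Return (rows, sessions): a sorted flat timeline plus each hotspot session with its clients.

    8006 opens a session and 8008 closes it; a 20019 association is matched to the
    20020 authentication for the same peer MAC so that half-completed joins stand out.
    """
    events = sorted((parse_event(x) for x in xml_records), key=lambda e: e["time"])
    rows, sessions, pending, current = [], [], {}, None
    for ev in events:
        if ev["id"] not in EVENT_LABELS:
            continue
        d = ev["data"]
        rows.append((ev["time"], ev["id"], EVENT_LABELS[ev["id"]], d.get("SSID", ""), d.get("InterfaceGuid", "")))
        if ev["id"] == 8006:
            current = {"start": ev["time"], "stop": None, "ssid": d.get("SSID", ""),
                       "interface": d.get("InterfaceGuid", ""), "clients": []}
            sessions.append(current)
        elif ev["id"] == 20019:
            pending[d.get("PeerMac", "")] = ev  # association awaiting its 20020
        elif ev["id"] == 20020 and current is not None:
            mac = d.get("PeerMac", "")
            assoc = pending.pop(mac, None)
            current["clients"].append({"mac": mac, "oui": oui(mac),
                                       "associated": assoc["time"] if assoc else None,
                                       "authenticated": ev["time"]})
        elif ev["id"] == 8008 and current is not None:
            current["stop"] = ev["time"]
            current = None
    return rows, sessions

def record(event_id, system_time, **data):
    """Constructed record in the shape of an exported XML event (fixture, not a real capture)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-WLAN-AutoConfig"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{system_time}"/>'
            f'<Channel>Microsoft-Windows-WLAN-AutoConfig/Operational</Channel><Computer>WS01</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')

IFACE = "{11111111-2222-3333-4444-555555555555}"  # constructed interface GUID
PEER = "AA:BB:CC:11:22:33"                        # constructed client MAC
SAMPLE_RECORDS = [  # deliberately out of order: the timeline sorts by TimeCreated
    record(20019, "2023-05-01T09:15:02.1234567Z", SSID="LaptopHotspot", InterfaceGuid=IFACE, LocalMac="00:11:22:33:44:55", PeerMac=PEER),
    record(8001, "2023-05-01T08:30:00.0000000Z", SSID="CORP-WIFI", InterfaceGuid=IFACE, ConnectionMode="Automatic connection with a profile"),
    record(8005, "2023-05-01T09:14:58.0000000Z", InterfaceGuid=IFACE),
    record(8006, "2023-05-01T09:15:00.0000000Z", SSID="LaptopHotspot", InterfaceGuid=IFACE),
    record(20020, "2023-05-01T09:15:03.5000000Z", SSID="LaptopHotspot", InterfaceGuid=IFACE, LocalMac="00:11:22:33:44:55", PeerMac=PEER),
    record(8008, "2023-05-01T11:02:10.0000000Z", SSID="LaptopHotspot", InterfaceGuid=IFACE),
]

if __name__ == "__main__":
    rows, sessions = build_timeline(SAMPLE_RECORDS)
    for t, eid, label, ssid, guid in rows:
        print(f"{t:%Y-%m-%d %H:%M:%S}Z {eid:>5} {label:<42} {ssid}")
    for s in sessions:
        print(f"hotspot {s['ssid']!r} on {s['interface']}: {s['start']:%H:%M:%S}-{s['stop']:%H:%M:%S}, "
              + ", ".join(f"{c['mac']} (OUI {c['oui']})" for c in s["clients"]))
```

A session that has a 20019 left in `pending` with no matching 20020, or an 8006 whose `stop` is still None at the end of the log, is exactly the kind of gap worth a second look: the first is a client that associated but never authenticated, the second a hotspot that was still running (or the host crashed or was rebooted) when the log was collected.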
The following registry key in the SYSTEM hive provides context on the host's network configuration per interface, such as IP address, name servers and DNS domain: ControlSet00X\Services\Tcpip\Parameters\Interfaces\{GUID}. Use the Select\Current value in the same hive to identify which ControlSet was in use, and match {GUID} against the Interface GUID recorded in the events above.
Interpret the timestamps carefully. The only time available is the key's LastWrite timestamp, which records the most recent modification of any value under that key, not necessarily when the interface was last used or when the hotspot was running.
Extracting and parsing the System Resource Usage Monitor (SRUM) database (%SystemRoot%\System32\sru\SRUDB.dat) provides great insight into bytes in/out per process. It also records which network interface each entry belongs to, so you can filter all data for the adapter of interest. Note that SRUM flushes to the database roughly once an hour, so the most recent activity may still be held in the SRUM extension keys of the SOFTWARE hive rather than in SRUDB.dat. Combining this with user activity artefacts such as (but not limited to) UserAssist and MRU keys, you can build a super-timeline of the user's activities.
Recommendations
- Disable the ability to perform Mobile Hotspotting via AD GPO. Refer to the following article for instructions https://www.theexperienceblog.com/2016/08/04/how-to-disable-the-mobile-hotspot-feature-in-windows-10-1607-using-gpo-or-mdm/
- Enable watchers or rules in Endpoint Detection & Response tooling to detect hotspot activity, for example the hosted network events listed above and netsh wlan hostednetwork commands.
- Implement an application control solution to prevent third-party hotspot software from running.
You forgot to mention where exactly in the Windows event log we can find the event IDs listed. I cannot seem to find them in the vast number of categories in my event log. Where exactly do I need drill down to?
Nice article Jana!