This detection rule identifies attempts to perform credential dumping of saved Wi-Fi access keys on Windows systems using the built-in utility, Netsh. By monitoring process events where the Netsh command is utilized with specific arguments, the rule identifies potential malicious activities aimed at uncovering clear text credentials associated with wireless network profiles. Employing a combination of indexing across various data sources such as Winlogbeat, endpoint events, and multiple security platforms allows for comprehensive monitoring and quick response to suspicious credential access activities. The rule includes an investigation guide that outlines steps for analyzing suspicious behavior, encourages examining the process execution chain, and reviewing incident response practices to mitigate risks related to compromised credentials. Enhancements to logging policies are recommended to improve detection and response capabilities.