[T1011] Exfiltration Over Other Network Medium – Adversaries may move stolen data across alternate network channels (Wi‑Fi, cellular, Bluetooth, modem, RF) separate from the primary command-and-control path to avoid enterprise defenses and monitoring. Detecting these paths requires broad visibility into endpoints, wireless interfaces, and unusual process-network activity. #Exfiltration #NetworkSecurity
Keypoints
- Adversaries use secondary network media (Wi‑Fi, cellular, Bluetooth, RF) to bypass enterprise perimeter controls.
- Monitor for processes initiating network I/O that historically have none or very limited network behavior.
- Track changes to network adapters and interface additions to catch rogue connections or virtual adapters.
- Collect and analyze network flow and connection creation logs across wired and wireless interfaces.
- Correlate file access events with unusual outbound connections to identify potential data staging and exfiltration.
Description:
- Like a thief sneaking out the back door while guards watch the front, attackers use alternate wireless or radio channels to smuggle data past monitored networks.
- The technique uses a different physical or wireless medium than the primary C2 channel (Wi‑Fi, cellular, Bluetooth, modem, RF). It allows adversaries with local access or proximity to move data off an environment that may not be inspected by enterprise defenses, increasing the chance of unnoticed exfiltration.
Detection:
- Monitor process-to-network mappings and alert on processes that never previously made network connections now initiating outbound traffic. Use EDR telemetry and process-network correlation tools.
- Collect and analyze network connection creation logs from hosts, including wireless and virtual adapters. Log adapter attach/detach and IP assignments via OS event logs and endpoint agents.
- Inspect file access patterns (large reads, staged archives) and correlate timestamps with new or unusual outbound connections using SIEM correlation rules.
- Capture network traffic content and flows on wireless interfaces where possible; use host-based packet capture and wireless monitoring sensors for Wi‑Fi and Bluetooth traffic analysis.
- Track and alert on additions/replication of network interfaces, new mobile broadband or virtual adapters, and changes to interface configurations. Use system configuration baselining and integrity monitoring.
- Monitor mobile tethering and USB network interfaces on endpoints. Block or alert on unauthorized cellular modems, personal hotspots, or USB network devices via device control policies.
- Expect false positives from legitimate software updates, backup services, or user-initiated wireless connections. Tune rules, whitelist known update servers, and validate suspicious events with endpoint forensics before blocking.
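The first three detection ideas above (a process with no network history initiating outbound traffic, an adapter added outside the approved baseline, and a large file read followed by a large outbound connection from the same process) as a combined correlation rule, written as an added example over constructed telemetry; it is not part of the ATT&CK page, and the event fields, baselines, thresholds and window are assumptions:

```python
# Added example: baseline-driven correlation for T1011 indicators over constructed
# endpoint telemetry (process network connections, adapter events, file access).
from datetime import datetime

# Constructed sample events (not real logs); IPs are from documentation ranges.
EVENTS = [
    {"t": "2024-05-01T09:00:00", "type": "net", "proc": "chrome.exe",
     "iface": "Ethernet0", "dst": "203.0.113.5:443", "bytes": 1200},
    {"t": "2024-05-01T09:05:00", "type": "adapter", "iface": "Mobile Broadband",
     "action": "added"},
    {"t": "2024-05-01T09:06:00", "type": "file", "proc": "notepad.exe",
     "path": "C:\\Users\\a\\hr_export.zip", "bytes": 52_000_000},
    {"t": "2024-05-01T09:07:30", "type": "net", "proc": "notepad.exe",
     "iface": "Mobile Broadband", "dst": "198.51.100.7:8443", "bytes": 51_000_000},
]
BASELINE_PROCS = {"chrome.exe"}    # assumed: processes with historical network I/O
BASELINE_IFACES = {"Ethernet0"}    # assumed: approved adapters on this host


def ts(event):
    return datetime.fromisoformat(event["t"])


def new_network_processes(events, baseline=BASELINE_PROCS):
    """Processes initiating outbound traffic with no history of network activity."""
    return sorted({e["proc"] for e in events
                   if e["type"] == "net" and e["proc"] not in baseline})


def rogue_interfaces(events, baseline=BASELINE_IFACES):
    """Adapters added to the host that are not in the approved baseline."""
    return sorted({e["iface"] for e in events if e["type"] == "adapter"
                   and e["action"] == "added" and e["iface"] not in baseline})


def staged_exfil_candidates(events, window_s=600, min_bytes=10_000_000,
                            baseline=BASELINE_IFACES):
    """Large file read, then within window_s a large outbound connection by the
    same process over a non-baseline interface: the staging-to-exfil pattern."""
    hits = []
    net = [e for e in events if e["type"] == "net" and e["bytes"] >= min_bytes]
    for f in events:
        if f["type"] != "file" or f["bytes"] < min_bytes:
            continue
        for n in net:
            delta = (ts(n) - ts(f)).total_seconds()
            if n["proc"] == f["proc"] and 0 <= delta <= window_s \
                    and n["iface"] not in baseline:
                hits.append((f["proc"], f["path"], n["iface"], n["dst"]))
    return hits
```

Each finding on its own is a tuning candidate (the false-positive sources listed above apply); the staging correlation is the one worth paging on, since it requires all three signals to line up on one process.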
Tactics:
Exfiltration
Platforms:
Linux, Windows, macOS
Data Sources:
Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Relationship Citations:
(Citation: Microsoft GPO Bluetooth FEB 2009), (Citation: TechRepublic Wireless GPO FEB 2009)
Read More: https://attack.mitre.org/techniques/T1011