[T1011.001] Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth – Adversaries may use Bluetooth to move stolen data off devices when traditional network channels are blocked or monitored. This technique leverages proximity and the often weaker defenses on wireless interfaces to bypass enterprise controls. #Exfiltration #Bluetooth
Keypoints
- Bluetooth can be used as an alternate exfiltration channel when wired or monitored networks are unavailable.
- Adversaries require local proximity and often create or reuse Bluetooth pairings to move data stealthily.
- Endpoints may show unusual processes initiating Bluetooth connections not seen in normal baselines.
- Monitor adapter configuration changes and new virtual interfaces as signs of malicious setup.
- Collect command execution, file access, and network traffic logs to correlate Bluetooth-related data movements.
Description:
- Like slipping a message out in a crowded room by whispering to a nearby accomplice, Bluetooth exfiltration moves data quietly to a nearby device rather than sending it over monitored networks.
- Adversaries use Bluetooth communications to transfer files or data when they have physical proximity and access. This bypasses enterprise network controls and matters because Bluetooth links are often less monitored than wired or Wi-Fi networks, so they can carry sensitive data out of otherwise secure environments.
Detection:
- Monitor process-to-network mappings and alert on processes that suddenly initiate Bluetooth or peer-to-peer connections not seen in baseline behavior.
- Log and review changes to host network adapters and Bluetooth settings; watch for new virtual adapters or interface replication.
- Capture and analyze Bluetooth network traffic flows and content where possible; use specialized scanners (e.g., Bluetooth sniffers, Ubertooth) for protocol-level inspection.
- Collect Command Execution and File Access logs to correlate commands that trigger data reads with subsequent Bluetooth transfers.
- Deploy endpoint detection rules to flag applications opening files then invoking Bluetooth APIs or services within short time windows.
- Watch for anomalous device pairings, repeated connection attempts, or connections at odd hours; correlate with physical access logs if available.
- Mitigation: enforce Bluetooth policy, disable unused adapters, require authentication for pairing, and apply host-based controls; maintain tight baselines to reduce false positives and tune alerts against legitimate device management tools.
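The detection bullets above describe a correlation rule: a process reads files and then invokes Bluetooth connectivity within a short window, with known Bluetooth-management processes excluded by baseline. The following is an added example, not code from the page or from MITRE, that implements that rule over a small set of constructed endpoint log lines. The log format, the process names, the device addresses and the baseline set are all assumptions made up for the example; a real deployment would read Command Execution, File Access and Network Connection Creation events from the EDR or OS audit source.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One event per line:
# <ISO timestamp> <pid> <process> <event_kind> <detail>
SAMPLE_LOG = """\
2024-05-01T09:00:01 4120 bluetoothd bt_connect AA:BB:CC:DD:EE:01
2024-05-01T09:12:10 5532 report_sync.exe file_read C:\\Finance\\q1_ledger.xlsx
2024-05-01T09:12:15 5532 report_sync.exe file_read C:\\Finance\\payroll.csv
2024-05-01T09:12:18 5532 report_sync.exe bt_connect AA:BB:CC:DD:EE:02
2024-05-01T09:30:00 6001 winword.exe file_read C:\\Users\\a\\notes.docx
2024-05-01T09:45:00 6001 winword.exe bt_connect AA:BB:CC:DD:EE:03
"""

# Hypothetical baseline: processes expected to open Bluetooth connections
# on this host. Anything else touching Bluetooth is at least worth a look.
BASELINE_BT_PROCESSES = {"bluetoothd", "fsquirt.exe"}


@dataclass
class Event:
    ts: datetime
    pid: int
    process: str
    kind: str      # "file_read" or "bt_connect"
    detail: str    # file path or remote Bluetooth address


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, kind, detail = line.split(" ", 4)
        events.append(Event(datetime.fromisoformat(ts), int(pid), proc, kind, detail))
    return events


def correlate(events: list[Event], window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Flag Bluetooth connections that follow file reads by the same process.

    High severity: a non-baseline process read files within `window` before
    connecting over Bluetooth. Low severity: a non-baseline process connected
    over Bluetooth with no recent file reads (new Bluetooth user, not yet
    tied to data access). Baseline processes are ignored.
    """
    alerts = []
    reads_by_pid: dict[int, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_read":
            reads_by_pid.setdefault(ev.pid, []).append(ev)
        elif ev.kind == "bt_connect":
            if ev.process in BASELINE_BT_PROCESSES:
                continue
            recent = [r for r in reads_by_pid.get(ev.pid, []) if ev.ts - r.ts <= window]
            alerts.append({
                "ts": ev.ts.isoformat(),
                "pid": ev.pid,
                "process": ev.process,
                "remote": ev.detail,
                "files": [r.detail for r in recent],
                "severity": "high" if recent else "low",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample data, `report_sync.exe` reads two finance files and opens a Bluetooth connection eight seconds later, which produces a high-severity alert listing both files; `winword.exe` connects fifteen minutes after its last read, so it only produces a low-severity "non-baseline Bluetooth user" alert; `bluetoothd` is in the baseline and is skipped. Tuning the window and the baseline set against legitimate device-management tools is what keeps the false-positive rate down, as the mitigation bullet above notes.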
Tactics:
Exfiltration
Platforms:
Linux, Windows, macOS
Data Sources:
Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Relationship Citations:
(Citation: Symantec Beetlejuice)